Customer Code Security
At Boost Security, safeguarding customer code is a top priority. Our platform is designed to ensure your source code remains protected at all times during the scanning and analysis process.
This page outlines how Boost Security handles customer code securely and the safeguards in place during scans.
Key Principles
We follow these principles when performing scans on your codebase:
✅ No Code Transit or Storage
- Your source code is never transmitted to Boost Security’s servers.
- We do not store or persist any portion of your code in our backend.
- The scanner runs inside your own CI job and reads the checkout there; your intellectual property stays entirely under your control.
Where Scanning Happens
All code scans are executed directly in your environment, as a step in your existing CI pipelines.
How it works:
- The scanner is run as a job in your CI/CD environment.
- Code is checked out from your Git repository during the CI job.
- The scanner performs its analysis locally within that job.
- Only the scan results (findings and metadata) are uploaded to Boost Security’s backend; the code itself is never uploaded.
This architecture gives you:
- Full visibility into what gets scanned, since the scan runs in a pipeline you control and can audit
- Support for data residency requirements, since the code never leaves the environment where your CI runs
- Straightforward integration with your existing security and compliance policies, which already govern that CI environment
What Gets Uploaded
Only the following types of data are sent back to Boost Security’s backend after the scan:
- Vulnerability findings
- Metadata associated with the scan (e.g., file paths, affected package versions, rule matches)
- Policy rule matches and statuses
Note: No raw source code or repository contents are included in these results.
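One way to see the "findings and metadata only" contract in working code, as an added example that is not Boost Security's scanner or API: the block below assumes a hypothetical scanner output shape (each finding may carry a `snippet` field holding the flagged source line) and a hypothetical allow-list of fields. It builds the payload that would leave the CI job, then checks that payload against a constructed sample checkout for any source line that survived verbatim.

```python
"""Added example (not Boost Security's code): an allow-list filter for a scan
results payload, plus a check that the payload carries no repository contents.

Assumptions, hypothetical for this example: a scanner running in the CI job
emits a raw result dict whose findings may include a `snippet` field holding
the flagged source line; only the fields in ALLOWED_FINDING_FIELDS are meant
to leave the job.
"""

# Fields a finding may carry in the uploaded payload (hypothetical allow-list).
ALLOWED_FINDING_FIELDS = {"rule_id", "severity", "path", "line", "package", "version", "status"}

# Constructed sample source file contents, standing in for the CI checkout.
SQL_LINE = "return conn.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")"
SAMPLE_CHECKOUT = {
    "app/db.py": "import sqlite3\n\ndef find_user(conn, name):\n    " + SQL_LINE + "\n",
    "requirements.txt": "requests==2.25.0\n",
}

# Constructed raw scanner output for that checkout; note the `snippet` fields.
RAW_RESULTS = {
    "scan_id": "example-scan-1",
    "findings": [
        {"rule_id": "python.sqli.string-concat", "severity": "high",
         "path": "app/db.py", "line": 4, "snippet": SQL_LINE, "status": "open"},
        {"rule_id": "sca.vulnerable-dependency", "severity": "medium",
         "path": "requirements.txt", "line": 1, "package": "requests",
         "version": "2.25.0", "snippet": "requests==2.25.0", "status": "open"},
    ],
}


def minimise_finding(finding: dict) -> dict:
    """Drop every field not on the allow-list, including any code snippet."""
    return {k: v for k, v in finding.items() if k in ALLOWED_FINDING_FIELDS}


def build_upload_payload(raw_results: dict) -> dict:
    """Produce the payload that leaves the CI job: scan id plus minimised findings."""
    return {
        "scan_id": raw_results["scan_id"],
        "findings": [minimise_finding(f) for f in raw_results["findings"]],
    }


def _iter_strings(obj):
    """Yield every string value nested anywhere in a JSON-like structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _iter_strings(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from _iter_strings(value)


def find_source_leaks(payload: dict, checkout: dict, min_len: int = 8) -> list:
    """Return (path, line_no) for every checkout line of at least `min_len`
    characters that appears verbatim inside some string value of the payload.
    Short lines are skipped so that a lone token such as a package name is not
    counted as leaked code."""
    values = list(_iter_strings(payload))
    leaks = []
    for path, text in checkout.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if len(stripped) >= min_len and any(stripped in v for v in values):
                leaks.append((path, line_no))
    return leaks


if __name__ == "__main__":
    print("raw scanner output leaks:", find_source_leaks(RAW_RESULTS, SAMPLE_CHECKOUT))
    payload = build_upload_payload(RAW_RESULTS)
    print("upload payload leaks:", find_source_leaks(payload, SAMPLE_CHECKOUT))
```

Run as a script, the raw scanner output is flagged on two checkout lines and the minimised payload on none. The `path` and `line` fields are kept because the page lists file paths among the uploaded metadata; if your policy also treats repository layout as sensitive, those are the next fields to review in the allow-list.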
Why This Matters
By performing all scanning operations within your infrastructure, Boost Security:
- Removes its own backend as a possible point of code exposure, since your code never reaches it
- Keeps code handling inside the boundary already covered by your internal and external security policies
- Offers a DevSecOps adoption model in which the vendor never holds your source code
Summary
| Aspect | Boost Security’s Approach |
|---|---|
| Code Transit to Backend | ❌ Never |
| Code Storage on Backend | ❌ Never |
| Scanning Location | ✅ Customer CI pipeline |
| Data Sent to Boost Security | ✅ Scan findings only, no source code |
| Code Visibility to Boost | ❌ Boost never sees or stores your source code |
If you have additional security or compliance questions, feel free to reach out to our support team or your account representative.