Skip to content

Documentation

Everything you need to secure your AI-built projects

Repository ZIP Scans

Repository scanning

Private repository ZIP scans

Scan source that cannot be connected through GitHub. Uploads are authenticated, bounded, stored in a dedicated private bucket, analyzed asynchronously, and never executed.

Static analysis only
BoringSec reads supported UTF-8 source and configuration files. It never runs uploaded code, package scripts, builds, installers, compilers, or package managers.

Admission and safety limits

Container validation

Valid ZIP magic, single disk, no encryption, symlinks, special files, nested archives, traversal, absolute paths, control characters, duplicate paths, or case collisions.

Bounded input

10 MB compressed, 25 MB uncompressed, 500 files, 1 MB per file, 20 path segments, and a maximum 50:1 per-entry compression ratio.

What runs

The connected code-analysis pipeline

Code patterns, semantic validators, dependency and environment checks, project-structure hardening, cross-file review, and Medusa static analysis. Secret-bearing snippets are redacted before findings are stored.

Asynchronous status

QUEUED

The validated private object is waiting for the isolated scanner.

SCANNING

A lease-protected worker is running static analyzers.

COMPLETED

Owner-only findings are ready; raw source is deleted immediately.

FAILED

Safe retries were exhausted and raw source is deleted.

QUARANTINED

A ZIP safety invariant failed; the archive is deleted without analysis.

Private storage and retention

Raw ZIP

Dedicated non-public bucket and repository-only credentials. Immediate terminal deletion with a 24-hour cleanup fallback.

Manifest and findings

Owner-only, retained for 30 days, or removed immediately with Delete scan.

Ready to scan a private archive?

Open the authenticated scan launcher