Repository ZIP Scans
Repository scanning
Private repository ZIP scans
Scan source that cannot be connected through GitHub. Uploads are authenticated, bounded, stored in a dedicated private bucket, analyzed asynchronously, and never executed.
Admission and safety limits
Container validation
Valid ZIP magic, single disk, no encryption, symlinks, special files, nested archives, traversal, absolute paths, control characters, duplicate paths, or case collisions.
Bounded input
10 MB compressed, 25 MB uncompressed, 500 files, 1 MB per file, 20 path segments, and a maximum 50:1 per-entry compression ratio.
What runs
The connected code-analysis pipeline
Code patterns, semantic validators, dependency and environment checks, project-structure hardening, cross-file review, and Medusa static analysis. Secret-bearing snippets are redacted before findings are stored.
Asynchronous status
The validated private object is waiting for the isolated scanner.
A lease-protected worker is running static analyzers.
Owner-only findings are ready; raw source is deleted immediately.
Safe retries were exhausted and raw source is deleted.
A ZIP safety invariant failed; the archive is deleted without analysis.
Private storage and retention
Raw ZIP
Dedicated non-public bucket and repository-only credentials. Immediate terminal deletion with a 24-hour cleanup fallback.
Manifest and findings
Owner-only, retained for 30 days, or removed immediately with Delete scan.
Ready to scan a private archive?
Open the authenticated scan launcher