Security
Last updated July 3, 2026
Security is core to how CodeHealth is built, not an afterthought. This page describes how we protect your GitHub data, your account, and the infrastructure that runs the Service.
1. Read-only GitHub access
CodeHealth connects to GitHub using OAuth scopes limited to read-only access. We can read commit history, file paths, and repository metadata to compute risk scores — we cannot write to, modify, or delete anything in your repositories. You can revoke access at any time from your GitHub account settings, which immediately cuts off our access.
2. Encryption
- All traffic to and from CodeHealth is encrypted in transit via TLS 1.2+.
- Report data and account information are encrypted at rest.
- Access tokens are encrypted and never exposed in logs or client-side code.
3. Infrastructure
The Service runs on reputable cloud infrastructure with network isolation between environments, least-privilege access controls for our engineers, and audit logging on production systems. We do not clone or persist your source code — analysis runs against metadata pulled from GitHub's API, and results are cached only long enough to render your report.
4. Account protection
- Authentication is handled via GitHub OAuth — we never see or store your GitHub password.
- Session tokens are short-lived and rotated regularly.
- Team plans support per-seat access so you control who on your team can view reports.
5. Responsible disclosure
If you believe you've found a security vulnerability in CodeHealth, please report it to security@codehealth.report. Include enough detail for us to reproduce the issue. We aim to acknowledge reports within 2 business days and will keep you updated as we investigate and remediate. We ask that you give us a reasonable amount of time to fix an issue before any public disclosure.
6. Incident response
In the event of a security incident affecting customer data, we will notify affected customers without undue delay, describe the nature and scope of the incident, and outline the steps we're taking to remediate it.
7. Questions
For security questionnaires, compliance documentation requests, or anything else, contact security@codehealth.report or visit our contact page.