Trust & Security
What happens to your code
You’re sending us your source code. Here is exactly what we do with it, the independent third-party checks of our security posture that you can inspect for yourself, and how to run the scanner on your own machine if you’d rather not send it at all.
The scan pipeline
1. Your repository is cloned to our server.
2. The scanner runs on that server: your code never leaves our infrastructure.
3. The clone is deleted immediately after scanning.
4. Each finding records only a file path, a line number and the rule that matched.
5. No source code is retained after the scan; it exists only in the temporary clone while the scanner runs.
6. If a rule matches a secret or credential, the finding records its location only; the matched value is neither logged nor stored.
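As an added illustration of how those guarantees can be enforced in code (this is not the prbl-scanner source; the rule set, file layout, helper names and sample repository are all constructed for the demonstration), the skeleton below keeps the clone in a temporary directory that is removed in a `finally` block even when cloning or scanning fails, defines a finding type with no field that could carry a snippet, and lets a secret-detection rule record where it matched while discarding the matched value:

```python
"""Added example: a minimal scan pipeline that enforces the guarantees listed
above. Illustrative only, NOT the prbl-scanner source; rule set, file names and
the sample repository are constructed for this demonstration."""
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Optional

# Hypothetical rule set (rule id -> regex). The key rule matches the whole
# token so the checks below can prove the token never reaches a finding.
RULES = {
    "hardcoded-aws-key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "python-eval": re.compile(r"\beval\("),
}


@dataclass(frozen=True)
class Finding:
    path: str   # path relative to the repository root
    line: int   # 1-based line number
    rule: str   # rule id only: there is no field that could hold a snippet


def scan_tree(root: Path) -> list[Finding]:
    """Walk the clone and match every text line against RULES."""
    findings: list[Finding] = []
    for file in sorted(root.rglob("*")):
        if not file.is_file() or ".git" in file.parts:
            continue
        try:
            text = file.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file: nothing to match
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, pattern in RULES.items():
                if pattern.search(line):
                    # Only location and rule id are kept; the match object,
                    # and with it any credential value, is discarded here.
                    rel = file.relative_to(root).as_posix()
                    findings.append(Finding(rel, lineno, rule_id))
    return findings


def scan_repo(fetch_repo: Callable[[Path], None],
              workdir: Optional[Path] = None) -> list[Finding]:
    """Clone into a fresh temporary directory, scan it, and delete it.
    `fetch_repo(dest)` stands in for `git clone`; `finally` guarantees the
    clone is removed even if cloning or scanning raises."""
    parent = None if workdir is None else str(workdir)
    clone_dir = Path(tempfile.mkdtemp(prefix="scan-", dir=parent))
    try:
        fetch_repo(clone_dir)
        return scan_tree(clone_dir)
    finally:
        shutil.rmtree(clone_dir, ignore_errors=True)


# Constructed sample input; the key below follows the AWS documentation
# example key format and is not a real credential.
SECRET = "AKIAIOSFODNN7EXAMPLE"


def make_sample_repo(dest: Path) -> None:
    (dest / "app").mkdir()
    (dest / "app" / "config.py").write_text(f'AWS_KEY = "{SECRET}"\n', encoding="utf-8")
    (dest / "app" / "util.py").write_text("def run(s):\n    return eval(s)\n", encoding="utf-8")


def demo() -> tuple[list[Finding], bool]:
    """Scan the sample repo; return the findings and whether the clone is gone."""
    parent = Path(tempfile.mkdtemp(prefix="demo-"))
    try:
        findings = scan_repo(make_sample_repo, workdir=parent)
        return findings, not any(parent.iterdir())
    finally:
        shutil.rmtree(parent, ignore_errors=True)


def demo_failed_fetch() -> bool:
    """Simulate a clone that fails half-way; the partial clone must still go."""
    parent = Path(tempfile.mkdtemp(prefix="demo-"))

    def broken_fetch(dest: Path) -> None:
        (dest / "partial.py").write_text("x = 1\n", encoding="utf-8")
        raise RuntimeError("simulated clone failure")

    try:
        try:
            scan_repo(broken_fetch, workdir=parent)
        except RuntimeError:
            pass
        return not any(parent.iterdir())
    finally:
        shutil.rmtree(parent, ignore_errors=True)


if __name__ == "__main__":
    found, removed = demo()
    for f in found:
        print(f"{f.path}:{f.line}  {f.rule}")
    print("clone removed:", removed, "| removed after failed fetch:", demo_failed_fetch())
    assert SECRET not in repr(found)
```

The property worth copying is structural rather than procedural: because `Finding` has no snippet field and the match object is dropped inside `scan_tree`, a logging or persistence layer downstream cannot leak a credential even by mistake, and the `finally` around the clone means a crash in the scanner cannot leave source code behind on disk.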
One exception
When you use the rewriter (Pro), the specific function being fixed is sent to Anthropic’s Claude API to generate the fix. Anthropic does not train on API data. No other code leaves our server.
Independent verification
Don’t take our word for it. Every claim below links to the third-party source.
Mozilla Observatory
115/100 · 10/10 tests passed
HTTP security headers, CSP, cookies, and CORS — graded by Mozilla.
View results →
OpenSSF Scorecard
Supply-chain security posture
Automated review of repo security practices by the Open Source Security Foundation.
View results →
pip-audit
134 packages audited
Every Python dependency is checked with pip-audit against the Python Packaging Advisory Database on each release.
View results →
CodeQL
Static analysis on every push
GitHub's semantic code analysis runs on every push and on a weekly schedule.
View results →
One known dependency advisory remains open (torch, CVE-2025-3000): no patched release exists upstream, and the affected code path is not reachable from user-supplied input in the scanner. Details are in our security policy.
Run it yourself
The scanner is fully open source under the MIT license. You can run it entirely on your own machine, in which case your code never leaves your computer.
pip install prbl-scanner
prbl-scanner scan ./myproject
View the scanner source on GitHub →
Security contact
Found a vulnerability in Prbl itself? security@prbl.dev — we respond within 48 hours.
See our full disclosure policy →