If you are even slightly security minded, handing any tool read access to your entire private codebase should make you a bit twitchy. It should make you more twitchy when the tool has "AI" in the pitch, because the unspoken fear is simple: great, so my proprietary code becomes someone's training data.
That is a healthy instinct, and any code scanner worth using should be able to answer it without hand waving. So here is the straight version of how we handle it at Kolega, no marketing.
We do not store your code
Every scan runs in a fresh, isolated container. Each repo is cloned in, the scan runs in one to three minutes, and then the container and everything in it is destroyed.
- Connect via OAuth (read only)
- Repo cloned into a fresh isolated container
- Semantic scan runs (1 to 3 min)
- Findings extracted, sensitive data masked
- Container destroyed, code wiped
What we keep is the findings: severity, file path, line number, fix suggestion. Not the source.
The practical upshot matters more than it sounds. If we got breached tomorrow, your code is not in the blast radius, because it is not sitting on our infrastructure to steal. That is a design choice, not a pinky promise. You cannot leak what you do not store.
The specifics people actually ask about
OAuth is read only by default, and we do not sit on long lived access tokens.
We do not train models on your code. Not now, not quietly later. It is used for the scan you asked for and nothing else.
If even that is too much, enterprise can run a self hosted runner entirely inside your own VPC. The engine scans on your hardware, results stay where you put them, and nothing about your code reaches us at all.
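As an added illustration (not Kolega's code), here is what the "findings extracted, sensitive data masked" step of that lifecycle can look like: raw scanner output from inside the container is reduced to the retained record (severity, file path, line number, fix suggestion), credential-like values quoted in messages are masked, and the source snippet is never copied out. The field names, the masking pattern and the sample results are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, asdict

# Constructed sample of what a scanner inside the container might emit (not real output).
RAW_RESULTS = [
    {"severity": "high", "path": "src/db.py", "line": 12,
     "message": 'Hard-coded credential: password="hunter2"',
     "snippet": 'conn = connect(user="app", password="hunter2")',
     "fix": "Read the password from the environment or a secrets manager."},
    {"severity": "medium", "path": "src/api.py", "line": 40,
     "message": "SQL query assembled with string formatting",
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=%s" % uid)',
     "fix": "Pass uid as a query parameter instead of formatting it in."},
]

# Assumed pattern: credential-like assignments quoted inside free text, e.g. password="hunter2".
SECRET_RE = re.compile(r'(password|passwd|token|secret|api_key)(\s*=\s*)(["\'])[^"\']*\3', re.I)

@dataclass(frozen=True)
class Finding:
    """The only record kept after the container is destroyed: metadata, never source."""
    severity: str
    path: str
    line: int
    message: str
    fix: str

def mask_secrets(text: str) -> str:
    """Replace a quoted credential value with a placeholder, keeping the key name."""
    return SECRET_RE.sub(r"\1\2\3<masked>\3", text)

def extract_findings(raw: list[dict]) -> list[Finding]:
    """Keep severity/path/line/message/fix; the snippet field is deliberately not copied."""
    return [
        Finding(r["severity"], r["path"], int(r["line"]),
                mask_secrets(r["message"]), mask_secrets(r["fix"]))
        for r in raw
    ]

def leaks_source(findings: list[Finding], raw: list[dict]) -> bool:
    """Self-check before persisting: does any retained field contain a scanned source line?"""
    retained = " ".join(str(v) for f in findings for v in asdict(f).values())
    return any(r["snippet"] in retained for r in raw)

if __name__ == "__main__":
    for f in extract_findings(RAW_RESULTS):
        print(asdict(f))
```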
The part that is not finished yet
Being straight about it: SOC 2 Type II and ISO 27001 are in progress, not done. We run the operational controls those frameworks require today, but the certificates are not on the wall yet, and I would rather say that than badge something we have not earned. If you are in procurement and need the current security overview to fill out a questionnaire, a human will send it back same day.
Full breakdown of the scan lifecycle is here: https://kolega.dev/trust/