Security and data handling

Local-first code security with optional cloud governance.

Skylos is designed so developers can scan code locally first, then upload findings to Skylos Cloud when teams need history, PR workflows, collaboration, and governance.

Read docsContact security

Local-first scanning

The CLI can run without login or cloud upload. Local scans stay on the developer or CI machine unless upload is explicitly enabled.

Tokenless GitHub CI

GitHub Actions uploads can use short-lived OIDC tokens when the workflow grants id-token: write. Long-lived project tokens remain available for non-GitHub CI.

Upload attribution

Each cloud scan records the authenticated project key or GitHub OIDC actor, CLI version, upload session id, commit, branch, and server-side timestamp.

Credential handling

Project API keys are stored as hashes in Skylos Cloud. Admins can issue secondary rotation keys, review last-used timestamps, and revoke old keys after CI migration.

Managed cloud boundary

Skylos Cloud runs on Vercel and Supabase. Enterprise readiness work treats them as subprocessors while Skylos owns the application controls, data handling, auditability, and incident process.

What Skylos Cloud stores

  • Scan metadata such as project, commit, branch, tool version, and CI context
  • Upload attribution such as authenticated project key, key owner, GitHub OIDC actor, CLI version, and upload session id
  • Findings, severities, rule identifiers, file paths, line numbers, and remediation status
  • Optional code snippets and provenance detail when a scan mode includes them
  • Team workflow data such as comments, assignments, suppressions, overrides, and activity entries
  • Optional AI-assisted action context when a user triggers an AI feature

What is not uploaded by default

  • Full repository contents for normal local CLI scans
  • Local-only scan output when --upload is not used
  • Secrets intentionally detected by local scanning, except finding metadata and snippets included in uploaded reports
  • Customer source code for model training

Current enterprise controls

Skylos Cloud currently supports team roles, project API key rotation with secondary keys and revocation, GitHub OIDC verification, per-scan upload attribution, plan entitlements, compliance report surfaces, owner-protected member governance, invite domain restrictions, and activity logging for collaboration and scan upload actions. Activity logs can be exported as CSV, JSON, or NDJSON for review and SIEM ingestion. The current cloud stack uses Vercel and Supabase as managed subprocessors while Skylos owns the application-layer authorization, audit, upload, retention, and incident controls.

Roadmap controls

  • Request IDs and structured API errors for supportable incident triage
  • Complete audit event coverage for administrative, destructive, export, billing, and scan actions
  • Trust Center materials for subprocessors, retention, deletion, incident response, vulnerability disclosure, and security architecture
  • SAML or enterprise OIDC SSO, verified domains, SSO-only enforcement, and SCIM provisioning
  • SIEM delivery, persistent rate limiting, queued scan execution, and SOC 2 readiness evidence
  • Third-party penetration test summary and formal SOC 2 audit path

Enterprise readiness path

Pilot ready

Local-first scans, optional Cloud upload, RBAC, project-key attribution, GitHub OIDC, exportable activity entries, and CI safety gates are in place for controlled security-team pilots.

Procurement ready

The next milestone is operational proof: request IDs, complete audit coverage, Trust Center documents, status monitoring, retention/deletion controls, and CLI-to-Cloud compatibility tests.

Regulated ready

The formal milestone requires enterprise identity, SIEM delivery, pentest evidence, SOC 2 readiness, and then SOC 2 Type I or Type II audit evidence after controls operate consistently.

Security review contact

Report suspected vulnerabilities privately at aaron@skylos.dev. For enterprise pilots, Skylos can provide a security overview, data handling summary, architecture notes, and roadmap status for SSO, SCIM, audit logs, and compliance controls.