Private repo validation
Scan the code founders actually worry about.
Most AI-built SaaS code lives in private repositories. This MVP path connects to GitHub, reads a bounded snapshot of the source, runs the same deterministic scanner rules, and discards the source once the report is built.
The GitHub authorization prompt requests the repo scope, which is what GitHub requires for an OAuth app to read private repositories. That scope is broad: it grants read and write access to every repository the authorizing account can reach, not only the one you scan, and you can revoke the grant at any time from GitHub's authorized OAuth apps settings. AbyssGuard uses the token server-side only, to list repositories and fetch the file blobs needed for the scan request.
The token is sealed (encrypted and integrity-protected) into a short-lived HttpOnly cookie and is unsealed only on the server while a request is being handled. It is never written to a report, database, log line, or source snapshot.
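As an added illustration (not AbyssGuard's own code), here is a stdlib-only Python sketch of the sealed-cookie pattern described above: the token is encrypted and authenticated together with its own expiry, the cookie is set HttpOnly, Secure and SameSite, the expiry is enforced server-side rather than trusted from Max-Age, and only a fingerprint of the token is ever formatted for a log line. The cookie name, lifetime, key handling and the HMAC-counter-mode construction are assumptions made for this example; a production service would use an AEAD such as AES-GCM from a vetted library.

```python
"""Seal an OAuth token into a short-lived HttpOnly cookie (illustrative, not AbyssGuard code)."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Assumed values for the example. A real service loads the master key from a
# secret store and never from source control.
MASTER_KEY = os.urandom(32)
COOKIE_NAME = "gh_session"   # assumed cookie name
TTL_SECONDS = 900            # assumed lifetime: 15 minutes
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from the one master key.
    return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, sliced to length.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(token: str, now: Optional[float] = None) -> str:
    """Encrypt-then-MAC the token plus its absolute expiry; return the cookie value."""
    now = time.time() if now is None else now
    payload = json.dumps({"tok": token, "exp": int(now) + TTL_SECONDS}).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(payload, _keystream(_subkey(b"enc"), nonce, len(payload)))
    tag = hmac.new(_subkey(b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(cookie_value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the token, or None if the cookie is malformed, tampered with, or expired."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie_value.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check before decrypting
        return None
    data = json.loads(_xor(ct, _keystream(_subkey(b"enc"), nonce, len(ct))))
    if data["exp"] <= now:  # expiry lives inside the sealed payload, not in client-controlled Max-Age
        return None
    return data["tok"]


def set_cookie_header(sealed: str) -> str:
    # HttpOnly keeps the value away from page scripts, Secure keeps it off plain HTTP,
    # SameSite=Lax still allows the top-level redirect back from the OAuth provider,
    # and Max-Age is advisory: the server enforces the sealed expiry regardless.
    return (f"{COOKIE_NAME}={sealed}; Path=/; Max-Age={TTL_SECONDS}; "
            "HttpOnly; Secure; SameSite=Lax")


def redact_for_log(token: str) -> str:
    # The only form of the token that may reach a log line: a short hash fingerprint.
    return "token:" + hashlib.sha256(token.encode()).hexdigest()[:12]
```

Unsealing verifies the MAC before touching the ciphertext and then checks the embedded expiry against the server clock, so a client cannot extend a session by editing the cookie's Max-Age, and a sealed value copied from one deployment is useless against another master key.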
What AbyssGuard keeps
- Kept for paid scans: normalized findings, file paths, line numbers, confidence, suggested fixes, and report metadata.
- Temporary only: raw scanner output, held for debugging only while the request is being processed.
- Not kept: source file contents, GitHub token, secret values, or full repository snapshots.
This is still a cloud scan, and static analysis can be wrong in both directions: it reports false positives and misses real issues. If granting broad repo scope is not acceptable for your repository, wait for the local CLI path before scanning private code.