Security

How Proxilion protects your code, data, and infrastructure.

Least-Privilege Access

Proxilion requests only the permissions it needs: read access to pull request diffs, and write access to check runs and review comments. It cannot push code, merge PRs, modify branches, or access repositories you haven’t explicitly connected.

Zero Code Retention

Source code is never written to disk or stored in any database. Diffs are fetched into memory, scanned, and immediately discarded. Only scan findings are persisted — file paths, line numbers, and vulnerability descriptions. Evidence snippets are masked to prevent leaking sensitive values.

Encrypted in Transit & at Rest

All external traffic is encrypted with TLS 1.3. Internal service-to-service communication travels over a private network that is never exposed to the public internet. Persistent data is encrypted at rest using AES-256 by the underlying storage provider.

Cryptographic Webhook Verification

Every incoming webhook from GitHub and GitLab is verified against its HMAC-SHA256 signature before processing. Invalid signatures are rejected immediately. Signature comparison uses constant-time algorithms to prevent timing-based attacks.
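The check described above, as an added example in Python (not Proxilion's own code): the raw request body is HMAC-SHA256'd with the shared secret, the result is compared against the signature header with a constant-time comparison, and the payload is only parsed after the check passes. The header name and "sha256=" prefix follow the GitHub convention; the secret and body are constructed sample values, and the handler is a hypothetical stand-in for the real one.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample values for the demonstration only; a real deployment
# configures one secret per installation and reads the body from the request.
SAMPLE_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","number":42}'


def compute_signature(secret: bytes, body: bytes) -> str:
    """Build the header value a sender would attach: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Verify a webhook before any processing.

    Returns False (never raises) for a missing, malformed, or mismatched
    signature so the caller can reject the request immediately.
    """
    if not header_value:
        return False
    prefix, sep, received = header_value.partition("=")
    if sep != "=" or prefix != "sha256":
        return False
    received = received.lower()
    # A hex SHA-256 digest is exactly 64 hex characters; anything else is rejected
    # before the comparison so the MAC is never compared against garbage.
    if len(received) != 64 or any(c not in "0123456789abcdef" for c in received):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # compare_digest runs in time independent of where the strings differ,
    # which is what removes the timing side channel from the check.
    return hmac.compare_digest(expected, received)


def handle_webhook(secret: bytes, body: bytes, headers: Dict[str, str]) -> str:
    """Hypothetical gate in front of the real handler: parse only after verification."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected: invalid signature"
    # Only now is it safe to decode and act on the payload.
    return "accepted"


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, good))
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, {}))
```

Two details matter in practice: the MAC must be computed over the exact bytes received (not over a re-serialized JSON object, which would change whitespace and key order), and the comparison must go through `hmac.compare_digest` rather than `==`, which returns as soon as the first differing byte is found.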

Multi-Layer Rate Limiting

Abuse is prevented at multiple levels: per-organization and per-repository request caps, duplicate-scan detection, payload size limits, and automated cost circuit breakers. These controls are enforced before any scan work begins, protecting both Proxilion and your usage budget.

Headless Architecture

Proxilion operates as a headless service. The primary interfaces are PR comments on GitHub/GitLab and optional Slack notifications. A thin web interface exists for initial setup, configuration, and audit log review. No sensitive data is displayed in the dashboard — it serves only as a control plane.

Safe AI Processing

AI-powered reviews send only the diff context to the AI provider — never full repository contents. The AI provider is contractually prohibited from using API inputs for model training. A circuit breaker automatically disables AI reviews during provider outages, falling back to pattern-only scanning so your PRs are never blocked.

Notification Security

When configured, scan results are sent to your Slack workspace via incoming webhook. Proxilion transmits finding summaries only — no source code is included in Slack messages. Weekly summary emails are sent via Resend and contain aggregate scan statistics only. No source code or finding details are included in email content.

BYOK (Bring Your Own Key)

When using BYOK, customer API keys are encrypted at rest using AES-256. Proxilion never logs or transmits API keys. Keys are only decrypted at the moment of use and are immediately discarded from memory after the API call completes.

Self-Healing & Dogfooding

Proxilion scans its own codebase using the same pipeline it runs for customers. Self-healing improvements are proposed via pull request and require human approval before deployment. This ensures the scanner is continuously tested against real-world patterns.

Input Validation & Hardening

All external inputs — webhook payloads, API parameters, and dashboard form submissions — are validated and sanitized before processing. Query parameters are type-checked with safe defaults. JSON body parsing is wrapped in error handling to reject malformed requests. CSV exports are protected against formula injection.
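The CSV formula-injection protection mentioned above, as an added example in Python (not Proxilion's own code): any cell whose text begins with a character that spreadsheet applications interpret as the start of a formula is prefixed with an apostrophe so it is rendered as literal text. The finding rows are constructed sample data, and the column layout is an assumption, not the product's export format.

```python
import csv
import io
from typing import Iterable, Sequence

# Leading characters that common spreadsheet applications treat as a formula
# or field-separator trigger. Tab and carriage return are included because
# some importers start a formula after them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: object) -> str:
    """Return a cell value that will be displayed as text, never evaluated.

    Leading spaces are ignored for the check so that " =1+1" is caught too;
    the original text is kept intact behind the apostrophe.
    """
    text = str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_findings_csv(rows: Iterable[Sequence[object]]) -> str:
    """Render rows (header included) as CSV with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample findings: one description deliberately starts with "=".
SAMPLE_ROWS = [
    ["file", "line", "description"],
    ["src/app.py", 12, "Hard-coded credential"],
    ["src/export.py", 40, "=1+1 appears in user-controlled field"],
]


if __name__ == "__main__":
    print(export_findings_csv(SAMPLE_ROWS), end="")
```

The apostrophe prefix is applied to every cell, so a negative number such as "-5" in a numeric column is also neutralized; an export that needs numeric columns to stay numeric should apply the check only to free-text fields such as descriptions. Quoting alone (wrapping the cell in double quotes) is not sufficient, because spreadsheet importers strip the quotes before interpreting the content.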

Immutable Audit Trail

Every security-relevant action is logged with a timestamp, actor, and context:

  • Scan starts, completions, and failures
  • Finding dismissals with reviewer attribution
  • Configuration and policy changes
  • Billing and subscription events
  • Dashboard access and user management

Logs are retained for the duration of your subscription. Records older than 90 days are archived to durable long-term storage.

Graceful Failure & Isolation

Each service runs in its own isolated process with independent health checks and automatic restart on failure. Timeouts are enforced on all external API calls (GitHub, GitLab, AI provider, billing). A failed scan never blocks the processing of other repositories or organizations.

Data Lifecycle & Deletion

When you cancel your subscription:

  • Scans stop immediately; dashboard access continues until the billing period ends
  • After 90 days: findings, audit logs, and configuration are archived
  • After 180 days: all data is permanently deleted

Immediate deletion is available on request at any time.

Reporting a Vulnerability

If you discover a security issue in Proxilion, please report it through our contact form. We respond to all reports within 48 hours.