Security
How BouncerFox protects your codebase and itself.
Offline by Default
BouncerFox makes no network calls unless BOUNCERFOX_API_KEY is set or --github-comment is used. In the default configuration the scanner runs entirely on your machine, so the files it reads and the findings it produces never leave it.
No Code Execution
BouncerFox reads and analyzes files. It never executes scanned content. All detection is based on pattern matching and structural analysis.
No Secret Exfiltration
SEC_001 (secret detected) findings never include the matched secret value in any output. The finding reports that a secret was detected, but the actual value is never written to table output, JSON, SARIF, or platform uploads, so scan results can be shared or uploaded without leaking the secret the scan found.
Input Limits
| Limit | Value |
|---|---|
| Max file size | 1 MB |
| Max scannable files | 500 |
| Max JSON nesting depth | 10 levels |
| Scan timeout | 5 minutes |
Symlink Containment
Symlinks whose resolved (real) path lies outside the scan root are rejected rather than followed. This blocks a path traversal in which a symlink committed to the project points at a sensitive file outside the project directory, which would otherwise let anyone who can add files to the repository make the scanner read, and report on, files it was never meant to touch.
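One way to implement this containment check in Go, as an added example rather than BouncerFox's own code: the root and the candidate path are both passed through filepath.EvalSymlinks, and the comparison is made on the resolved paths, so a link inside the root that points outside it is rejected even though its lexical path looks fine. The ContainedPath and CollectScannable names, the ErrOutsideRoot error, and the policy that an unresolvable link is rejected are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot marks a path whose real location is not under the scan root.
var ErrOutsideRoot = errors.New("path resolves outside scan root")

// ContainedPath resolves every symlink in path (and in root itself, so a
// root that is a symlink still works) and returns the real path only if it
// lies under root. The check uses the resolved path, not the lexical one,
// so "root/link" pointing at "/etc/shadow" is rejected.
func ContainedPath(root, path string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realRoot, err = filepath.Abs(realRoot)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(path)
	if err != nil {
		return "", err
	}
	realPath, err = filepath.Abs(realPath)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return "", err
	}
	// Rel yields "." for the root itself and ".." or "../x" for anything above it.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%s: %w", path, ErrOutsideRoot)
	}
	return realPath, nil
}

// CollectScannable walks root and returns the real paths of regular files
// that are safe to scan, plus the entries rejected for escaping the root.
// filepath.WalkDir never follows directory symlinks, so a directory link
// pointing outside the root is rejected without its contents being read.
// A link that cannot be resolved at all (dangling, permission denied) is
// treated as rejected too: containment could not be proven.
func CollectScannable(root string) (ok, rejected []string, err error) {
	seen := map[string]bool{}
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		real, cerr := ContainedPath(root, p)
		if cerr != nil {
			rejected = append(rejected, p)
			return nil
		}
		info, serr := os.Stat(real)
		if serr != nil {
			return serr
		}
		// A link to a directory inside the root is covered by the walk of the
		// real directory; a link to a file inside the root is deduplicated.
		if !info.Mode().IsRegular() || seen[real] {
			return nil
		}
		seen[real] = true
		ok = append(ok, real)
		return nil
	})
	return ok, rejected, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	ok, rejected, err := CollectScannable(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d scannable files, %d rejected\n", len(ok), len(rejected))
	for _, p := range rejected {
		fmt.Println("rejected:", p)
	}
}
```

Resolving the root as well matters on systems where the working directory itself sits behind a symlink (macOS temp directories, for instance); comparing a resolved file path against an unresolved root would reject every file.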
RE2 Regex Only
All pattern matching (built-in rules and custom rules) uses Go's regexp package, which implements RE2 syntax and guarantees matching time linear in the length of the input. That eliminates ReDoS (Regular Expression Denial of Service) attacks, in which a crafted input makes a backtracking engine run for an exponential number of steps. Lookaround (lookahead and lookbehind) and backreferences are not supported: Go's regexp.Compile returns an error for such patterns, so a custom rule that uses them fails to load rather than being matched unsafely.
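The two consequences of that choice, shown as an added example (not BouncerFox's code): a pattern that is catastrophic under a backtracking engine runs in linear time under Go's regexp, and the unsupported constructs are rejected at compile time. The CompileRule and MatchTimed functions are this example's own names, the 100,000-byte input is constructed, and the AWS key id pattern is illustrative rather than the project's SEC_001 rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// CompileRule compiles a custom rule pattern with Go's regexp package
// (RE2 syntax). Backreferences and lookaround are not RE2 constructs, so
// regexp.Compile rejects them here, at rule-load time, instead of a
// backtracking engine silently accepting a pattern that can be made to
// run exponentially.
func CompileRule(pattern string) (*regexp.Regexp, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("custom rule %q rejected: %w", pattern, err)
	}
	return re, nil
}

// MatchTimed reports whether re matches input and how long the match took.
func MatchTimed(re *regexp.Regexp, input string) (bool, time.Duration) {
	start := time.Now()
	matched := re.MatchString(input)
	return matched, time.Since(start)
}

func main() {
	// Under a backtracking engine, ^(a+)+$ against "aaa...a!" tries an
	// exponential number of ways to split the a's before failing. RE2
	// answers in time linear in the input.
	re, err := CompileRule(`^(a+)+$`)
	if err != nil {
		panic(err)
	}
	hostile := strings.Repeat("a", 100000) + "!" // constructed input
	matched, took := MatchTimed(re, hostile)
	fmt.Printf("^(a+)+$ on %d bytes: matched=%v in %v\n", len(hostile), matched, took)

	// Patterns a rule author might write that RE2 does not support:
	// a lookahead and a backreference to a captured quote character.
	for _, p := range []string{`(?=AKIA)[0-9A-Z]{20}`, `(['"])[^'"]+\1`} {
		if _, err := CompileRule(p); err != nil {
			fmt.Println(err)
		}
	}

	// The same intent expressed in RE2 syntax (illustrative AWS key id rule).
	aws, _ := CompileRule(`\bAKIA[0-9A-Z]{16}\b`)
	fmt.Println("AWS key id matched:", aws.MatchString(`aws_access_key_id = AKIAIOSFODNN7EXAMPLE`))
}
```

When porting rules from a PCRE-based scanner, run every pattern through regexp.Compile in a test; the rejected ones need rewriting (usually a second rule or a post-match check instead of the lookaround or backreference).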
Signed Releases
Release binaries are published with SLSA provenance attestations generated by GitHub Actions (GitHub artifact attestations). Verify a downloaded binary before running it with:
gh attestation verify ./bouncerfox --owner bouncerfox
A successful verification confirms the binary was built by the official GitHub Actions workflow in the bouncerfox/cli repository. Note that --owner accepts an attestation from any repository under the bouncerfox owner; to pin the check to the CLI repository itself, pass --repo bouncerfox/cli instead. A failed verification means the file is not the artifact that workflow produced and should not be run.
Reporting Vulnerabilities
Do not report security vulnerabilities through public GitHub issues. Email security@bouncerfox.dev instead, and see SECURITY.md in the CLI repository for the disclosure process.