Security
Clear boundaries for code, network access, and reporting.
Iris Code is local-first, not network-free. This page explains the exact boundary so developers can evaluate it without relying on vague claims.
Source analysis stays local
Iris Code analyses source code on your machine. Source files, file contents, project names, and workspace structure are not uploaded to an Iris Code analysis service or an AI model.
Network boundaries
Iris Code makes bounded network requests for:
- sign-in, licence validation, billing, and configuration sync
- limited product-use events, controlled from account settings
- dependency version and advisory lookups after consent
Dependency lookups send only the package ecosystem, name, and version to package registries and OSV.dev. They do not include source code, file paths, project names, or organisation names. CLI consent can be revoked with --revoke-network.
Workspace access and writes
The extension reads supported files and dependency manifests in the open workspace. It writes project files only after an explicit user action, such as generating a config, report, CI workflow, baseline, or installing a hook. Trend and dependency caches stay local to the workspace.
Accounts and credentials
VS Code licence credentials are stored with VS Code's secret-storage API. The standalone CLI can store credentials under the user's home directory and also accepts IRIS_LICENCE_TOKEN for non-interactive CI. Never put a licence token in a committed config file.
Report a vulnerability privately
Email hello@iriscode.co with [Security] in the subject. Include the affected surface, version, reproduction steps, likely impact, and a safe proof of concept.
Do not include live credentials, customer data, or source code you do not own. Reports are reviewed privately before any public disclosure. Iris Code does not currently operate a paid bug-bounty programme.
Related policies
Read the Privacy Policy for personal-data handling and the Terms of Service for service terms.
Catch regressions before human review
Install Iris Code, set a threshold, and make every change answer to the same deterministic rules. Source analysis runs locally. The same rules run in VS Code, the iris CLI, hooks, and CI.