Security

Clear boundaries for code, network access, and reporting.

Iris Code is local-first, not network-free. This page explains the exact boundary so developers can evaluate it without relying on vague claims.

Source analysis stays local

Iris Code analyses source code on your machine. Source files, file contents, project names, and workspace structure are not uploaded to an Iris Code analysis service or an AI model.

Network boundaries

Iris Code makes bounded network requests for:

  • sign-in, licence validation, billing, and configuration sync
  • limited product-use events, controlled from account settings
  • dependency version and advisory lookups after consent

Dependency lookups send only the package ecosystem, name, and version to package registries and OSV.dev. They do not include source code, file paths, project names, or organisation names. CLI consent can be revoked with --revoke-network.

Workspace access and writes

The extension reads supported files and dependency manifests in the open workspace. It writes project files only after an explicit user action, such as generating a config, report, CI workflow, baseline, or installing a hook. Trend and dependency caches stay local to the workspace.

Accounts and credentials

VS Code licence credentials are stored with VS Code's secret-storage API. The standalone CLI can store credentials under the user's home directory and also accepts IRIS_LICENCE_TOKEN for non-interactive CI. Never put a licence token in a committed config file.

Report a vulnerability privately

Email hello@iriscode.co with [Security] in the subject. Include the affected surface, version, reproduction steps, likely impact, and a safe proof of concept.

Do not include live credentials, customer data, or source code you do not own. Reports are reviewed privately before any public disclosure. Iris Code does not currently operate a paid bug-bounty programme.

Related policies

Read the Privacy Policy for personal-data handling and the Terms of Service for service terms.

Catch regressions before human review

Install Iris Code, set a threshold, and make every change answer to the same deterministic rules. Source analysis runs locally. The same rules run in VS Code, the iris CLI, hooks, and CI.

VS CodeCursorWindsurfVSCodiumVS CodeCursorWindsurfVSCodium