Lintel

Security & Trust

Your code stays yours.

Lintel was built by security engineers who wouldn't ship their own code to a third-party SaaS scanner. Every design decision reflects that.

Default posture

Self-hosted. Private. Local-first.

No data egress

Lintel does not phone home: scans, findings, and license checks run entirely inside your network. The only outbound traffic is to the AI provider you configure, if any, and you choose what finding context it sees.

Air-gap ready

Ship the Docker image into a disconnected environment with a local Ollama model. No internet access required for any core workflow.

Single-tenant by design

Each deployment is an isolated tenant. No shared database, no cross-customer query paths, no noisy neighbors.

Cryptography

Strong primitives, sensibly applied.

AES-256-GCM for secrets at rest

AI provider API keys and other secrets are encrypted with AES-256-GCM before being stored in the embedded SQLite database. The master key is read from the SAST_DB_KEY environment variable; if the variable is unset, a key is generated once and written to a mode-0600 file in the data directory. In that second case the key file is the only copy: anyone who can read the data directory can decrypt the stored secrets, and losing the file makes them unrecoverable, so back it up and protect it as carefully as the database itself.
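The following Go program is an added illustration of that design, written for this page; it is not Lintel's own code. It keeps the SAST_DB_KEY variable and the 0600 key file the text describes, but the key file name (db.key), the hex encoding of the environment value, and the use of the row's provider name as GCM associated data are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const (
	keyEnvVar   = "SAST_DB_KEY" // the variable named on the page
	keyFileName = "db.key"      // assumed name; the page only says "a key file"
	keySize     = 32            // AES-256
)

// LoadOrCreateMasterKey resolves the key in the page's order: SAST_DB_KEY
// (hex) wins; else an existing key file in dataDir; else generate and write 0600.
func LoadOrCreateMasterKey(dataDir string) ([]byte, error) {
	if v := os.Getenv(keyEnvVar); v != "" {
		key, err := hex.DecodeString(v)
		if err != nil || len(key) != keySize {
			return nil, fmt.Errorf("%s must be %d hex-encoded bytes", keyEnvVar, keySize)
		}
		return key, nil
	}
	path := filepath.Join(dataDir, keyFileName)
	if key, err := os.ReadFile(path); err == nil {
		if len(key) == keySize {
			return key, nil
		}
		return nil, fmt.Errorf("%s: want %d bytes, got %d", path, keySize, len(key))
	} else if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	// O_EXCL: two instances racing on first start cannot both "win" with different keys.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return nil, err
	}
	if _, err := f.Write(key); err != nil {
		f.Close()
		return nil, err
	}
	return key, f.Close()
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one secret with a fresh random 96-bit nonce prepended to the output;
// aad (e.g. the row's provider name) is authenticated, so a blob moved to another row fails to open.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any bit flip in nonce, ciphertext, tag or aad is an error, never garbage plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	dir, _ := os.MkdirTemp("", "lintel-data")
	defer os.RemoveAll(dir)
	key, _ := LoadOrCreateMasterKey(dir)
	blob, _ := Seal(key, []byte("sk-example-not-a-real-key"), []byte("provider:openai"))
	pt, _ := Open(key, blob, []byte("provider:openai"))
	blob[len(blob)-1] ^= 1 // flip one bit in the GCM tag
	_, tamperErr := Open(key, blob, []byte("provider:openai"))
	fmt.Printf("decrypted: %s\nafter tampering: %v\n", pt, tamperErr)
}
```

Two details matter more than the cipher choice: a fresh nonce per Seal call (nonce reuse under GCM breaks both confidentiality and integrity), and binding each ciphertext to its row through the associated data, which stops a database-level attacker from swapping one provider's encrypted key into another provider's row.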

Ed25519 for licenses & packs

License blobs and rule packs are signed with Ed25519. Verification is offline and deterministic: no network call is involved, and the same pack verifies identically on every machine. A tampered or unsigned pack simply will not load.
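The program below is an added example of that load gate, written for this page rather than taken from Lintel. The container format (a "LPK1" magic, a 64-byte signature, then the payload) and the domain-separation prefix are assumptions; the property shown is the one the text states, namely that a pack that is unsigned, altered, or signed by the wrong key is rejected with no network access.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed wire format for this example (not Lintel's actual container):
//   "LPK1" magic | 64-byte Ed25519 signature | payload
// The signed message is a domain prefix plus the payload, so a signature
// issued for a license blob cannot be replayed as a rule-pack signature.
var (
	packMagic       = []byte("LPK1")
	packDomain      = []byte("lintel-rule-pack-v1\x00")
	ErrMalformed    = errors.New("pack: malformed or unsigned")
	ErrBadSignature = errors.New("pack: signature verification failed")
)

func signedMessage(payload []byte) []byte {
	return append(append([]byte{}, packDomain...), payload...)
}

// SignPack is the vendor-side step. Ed25519 signing is deterministic:
// the same key and payload always produce byte-identical output.
func SignPack(priv ed25519.PrivateKey, payload []byte) []byte {
	out := make([]byte, 0, len(packMagic)+ed25519.SignatureSize+len(payload))
	out = append(out, packMagic...)
	out = append(out, ed25519.Sign(priv, signedMessage(payload))...)
	return append(out, payload...)
}

// VerifyPack is the loader's gate: it returns the payload only when the blob
// is well-formed and the signature verifies under pub. There is no
// "load unsigned with a warning" path, and nothing here touches the network.
func VerifyPack(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	hdr := len(packMagic) + ed25519.SignatureSize
	if len(blob) < hdr || !bytes.Equal(blob[:len(packMagic)], packMagic) {
		return nil, ErrMalformed
	}
	sig, payload := blob[len(packMagic):hdr], blob[hdr:]
	if !ed25519.Verify(pub, signedMessage(payload), sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; the real pack schema is not shown on the page.
	payload := []byte(`{"rules":[{"id":"example-rule","severity":"high"}]}`)
	pack := SignPack(priv, payload)

	got, err := VerifyPack(pub, pack)
	fmt.Printf("valid pack: %s (err=%v)\n", got, err)

	tampered := append([]byte{}, pack...)
	tampered[len(tampered)-3] ^= 0x20 // flip one bit in the payload
	_, err = VerifyPack(pub, tampered)
	fmt.Println("tampered pack:", err)

	_, err = VerifyPack(pub, payload) // raw JSON with no signature
	fmt.Println("unsigned pack:", err)

	fmt.Println("deterministic:", bytes.Equal(pack, SignPack(priv, payload)))
}
```

The loader never needs the private key, only the public one, which is why verification works in an air-gapped deployment. Returning distinct errors for "malformed" and "bad signature" is useful for operators; both still result in the pack not loading.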

OAuth2 client-credentials for AI

AI requests are authenticated via the provider's standard bearer-token flow. Tokens are never logged. Request bodies are redacted in audit entries.
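What "tokens are never logged" and "bodies are redacted" look like in practice, as an added Go example written for this page (not Lintel's audit code): the audit entry keeps the destination, the body's length and SHA-256 (so a request can still be correlated with the provider's logs), and the non-sensitive headers, while credential headers, URL userinfo and the query string are masked. The list of credential header names and the entry's field layout are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

// AuditEntry is the only thing persisted about an outbound AI request:
// enough to trace it, nothing that could leak a token or a customer's code.
type AuditEntry struct {
	Method     string
	URL        string
	Headers    map[string]string
	BodyBytes  int
	BodySHA256 string
}

// Headers that carry credentials, matched case-insensitively.
// The set is an assumption for this example.
var sensitiveHeaders = map[string]bool{
	"authorization":       true,
	"proxy-authorization": true,
	"cookie":              true,
	"x-api-key":           true,
	"api-key":             true,
}

// RedactForAudit builds the entry from a request and the body it carried.
// The body is replaced by its length and hash; the query string is masked
// because some providers accept keys there, and userinfo is dropped.
func RedactForAudit(req *http.Request, body []byte) AuditEntry {
	u := *req.URL
	u.User = nil
	if u.RawQuery != "" {
		u.RawQuery = "REDACTED"
	}
	e := AuditEntry{Method: req.Method, URL: u.String(), Headers: map[string]string{}}
	for name, vals := range req.Header {
		if sensitiveHeaders[strings.ToLower(name)] {
			e.Headers[name] = "[REDACTED]"
			continue
		}
		e.Headers[name] = strings.Join(vals, ", ")
	}
	sum := sha256.Sum256(body)
	e.BodyBytes = len(body)
	e.BodySHA256 = hex.EncodeToString(sum[:])
	return e
}

// LeaksAny reports whether any of the given secrets appears verbatim in the
// serialized entry: a cheap last-line guard to run before writing the row.
func LeaksAny(e AuditEntry, secrets ...string) bool {
	s := fmt.Sprintf("%+v", e)
	for _, sec := range secrets {
		if sec != "" && strings.Contains(s, sec) {
			return true
		}
	}
	return false
}

func main() {
	const token = "sk-example-not-a-real-token" // constructed sample credential
	body := []byte(`{"model":"x","messages":[{"role":"user","content":"finding context"}]}`)
	req, _ := http.NewRequest("POST", "https://api.example.com/v1/chat?api_key="+token, strings.NewReader(string(body)))
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	e := RedactForAudit(req, body)
	fmt.Printf("%+v\nleaks token: %v\n", e, LeaksAny(e, token, string(body)))
}
```

Hashing the body rather than storing it is the key choice: the audit trail can still prove what was sent to the provider without the audit database becoming a second copy of customer source code.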

TLS from the edge

The reference deployment terminates TLS at Caddy with automatic Let's Encrypt certificates. HSTS, modern ciphers, and OCSP stapling are on by default.
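A minimal Caddyfile for the kind of edge described above, added here as an illustration rather than the project's shipped configuration; the hostname and the upstream address are assumptions. Caddy's automatic certificate issuance and OCSP stapling need no configuration, and its default TLS settings already exclude legacy protocol versions and ciphers. HSTS, by contrast, is a response header that Caddy sends only when told to, so it is set explicitly.

```caddyfile
# Assumed hostname and upstream; not Lintel's reference Caddyfile.
lintel.example.com {
	# Certificates (Let's Encrypt) and OCSP stapling are automatic in Caddy.
	header {
		# One year; includeSubDomains so no subdomain can be downgraded.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options nosniff
		-Server
	}
	tls {
		# Caddy's default is already TLS 1.2+; stated here to make the floor explicit.
		protocols tls1.2 tls1.3
	}
	reverse_proxy lintel:8080
}
```

The preload directive is deliberately absent: submitting a domain to browser preload lists is hard to reverse, so add it only once every subdomain is known to serve HTTPS.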

Compliance & standards

Aligned with what your auditors already ask for.

OWASP Top 10: Mapped rules
CWE Top 25: Mapped rules
SARIF 2.1.0: Native export
NIST SSDF: PO, PS, PW, RV (all four practice groups)
MISRA-CPP 2008: Enterprise pack
SOC 2 Type II: On roadmap

Responsible disclosure

Found a bug in Lintel?

We take security reports seriously. Please email security@lintelcode.dev with a proof of concept. We acknowledge reports within 48 hours and publish a coordinated disclosure that credits the reporter.

See security.txt for our signing key and PGP preferences.