Security & Trust
Your code stays yours.
Lintel was built by security engineers who wouldn't ship their own code to a third-party SaaS scanner. Every design decision reflects that.
Default posture
Self-hosted. Private. Local-first.
No data egress
Lintel does not phone home. Scans, findings, and license checks run entirely inside your network. You choose which AI provider (if any) sees finding context.
Air-gap ready
Ship the Docker image into a disconnected environment with a local Ollama model. No internet access required for any core workflow.
Single-tenant by design
Each deployment is an isolated tenant. No shared database, no cross-customer query paths, no noisy neighbors.
Cryptography
Strong primitives, sensibly applied.
AES-256-GCM for secrets at rest
AI provider API keys and other secrets are encrypted with AES-256-GCM before being stored in the embedded SQLite database. The master key is read from the SAST_DB_KEY environment variable or, if that is unset, auto-generated into a mode-0600 key file in the data directory. Back that key up with the database: without it the stored secrets cannot be recovered.
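The scheme above, worked as an added example in Go. This is illustrative code written for this page, not Lintel's own implementation; it assumes a hex-encoded key, a key file named master.key, and a table row identity passed as GCM associated data. The page itself specifies only AES-256-GCM, the SAST_DB_KEY variable and the mode-0600 file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// parseKey accepts exactly a hex-encoded 32-byte key, so a typo in SAST_DB_KEY
// fails closed rather than silently falling back to the key file.
func parseKey(s string) ([]byte, error) {
	key, err := hex.DecodeString(strings.TrimSpace(s))
	if err != nil || len(key) != 32 {
		return nil, errors.New("master key must be 32 bytes, hex-encoded")
	}
	return key, nil
}

// loadMasterKey follows the lookup order the page describes: SAST_DB_KEY first,
// otherwise a key file in dataDir, generated with mode 0600 on first start.
// The file name "master.key" and the hex encoding are assumptions of this example.
func loadMasterKey(dataDir string) ([]byte, error) {
	if v := os.Getenv("SAST_DB_KEY"); v != "" {
		return parseKey(v)
	}
	path := filepath.Join(dataDir, "master.key")
	if raw, err := os.ReadFile(path); err == nil {
		return parseKey(string(raw))
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	// O_EXCL: two instances racing on first start cannot overwrite each other's key.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	if _, err := f.WriteString(hex.EncodeToString(key)); err != nil {
		return nil, err
	}
	return key, nil
}

// sealSecret encrypts with AES-256-GCM under a fresh random 12-byte nonce per
// call (nonce reuse under one key breaks GCM). aad is authenticated, not
// encrypted: binding the row identity into it stops a blob being swapped between rows.
func sealSecret(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // layout: nonce || ciphertext || tag
}

// openSecret reverses sealSecret; any bit flip in nonce, ciphertext, tag or aad fails.
func openSecret(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	dir, _ := os.MkdirTemp("", "lintel-example")
	defer os.RemoveAll(dir)
	key, err := loadMasterKey(dir)
	if err != nil {
		panic(err)
	}
	blob, _ := sealSecret(key, []byte("sk-constructed-example"), []byte("ai_provider_keys:1"))
	_, err = openSecret(key, blob, []byte("ai_provider_keys:2")) // same blob, wrong row
	fmt.Println("blob moved to another row rejected:", err != nil)
}
```

The two checks a reviewer would look for are both here: the nonce is generated per call and stored alongside the ciphertext rather than derived from anything reusable, and the row identity goes into the associated data, so an attacker with write access to the SQLite file cannot move an encrypted key from one provider row to another without the decryption failing.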
Ed25519 for licenses & packs
License blobs and rule packs are signed with Ed25519. Verification is offline and deterministic. A tampered or unsigned pack simply will not load.
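Offline signature verification as an added example, written for this page rather than taken from Lintel. The envelope type, the kind strings and the domain-separation prefix are assumptions; the page states only that license blobs and rule packs are Ed25519-signed and verified offline. The example goes one step beyond the text by giving licenses and packs separate signing domains, so that when one publisher key signs both, a valid license signature cannot be replayed as a pack signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Each artifact kind gets its own signing domain, so a signature the publisher
// issued over a license blob can never be replayed as a rule-pack signature
// (or vice versa) when one key signs both. The strings are assumptions.
const (
	KindLicense = "lintel-license-v1"
	KindPack    = "lintel-pack-v1"
)

// Signed is a hypothetical envelope for this example; the page does not show
// Lintel's actual license or pack format.
type Signed struct {
	Kind      string
	Payload   []byte
	Signature []byte // Ed25519 over domain(Kind, Payload)
}

// domain prefixes the payload with its kind and a NUL separator before signing.
func domain(kind string, payload []byte) []byte {
	msg := make([]byte, 0, len(kind)+1+len(payload))
	msg = append(msg, kind...)
	msg = append(msg, 0)
	return append(msg, payload...)
}

// newPublisherKey generates the publisher keypair. In a product only the
// public half ships, pinned in the binary; the private half stays offline.
func newPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signArtifact(priv ed25519.PrivateKey, kind string, payload []byte) Signed {
	return Signed{Kind: kind, Payload: payload, Signature: ed25519.Sign(priv, domain(kind, payload))}
}

var errRejected = errors.New("artifact rejected: missing or invalid signature")

// verifyArtifact is the only path to the payload. It needs no network, clock or
// stored state, so it behaves identically in an air-gapped deployment. The
// caller states the kind it expects (the pack loader passes KindPack), so a
// valid license relabelled as a pack is rejected too.
func verifyArtifact(pub ed25519.PublicKey, expectedKind string, s Signed) ([]byte, error) {
	if s.Kind != expectedKind || len(s.Signature) != ed25519.SignatureSize {
		return nil, errRejected // unsigned, malformed or wrong artifact type
	}
	if !ed25519.Verify(pub, domain(s.Kind, s.Payload), s.Signature) {
		return nil, errRejected // tampered payload or foreign signer
	}
	return s.Payload, nil
}

func main() {
	pub, priv := newPublisherKey()
	pack := signArtifact(priv, KindPack, []byte("rules: [EXAMPLE-001]")) // constructed payload
	if _, err := verifyArtifact(pub, KindPack, pack); err != nil {
		panic(err)
	}
	pack.Payload = append(pack.Payload, '!') // one extra byte is enough
	_, err := verifyArtifact(pub, KindPack, pack)
	fmt.Println("tampered pack rejected:", err != nil)
}
```

The loader never hands out the payload before verification returns, which is what makes "a tampered or unsigned pack simply will not load" a structural property rather than a convention; the caller has no way to reach the bytes otherwise.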
OAuth2 client-credentials for AI
AI requests carry the provider's bearer token (an API key or an OAuth2 client-credentials access token) in the Authorization header. Tokens are never written to logs, and request bodies, which carry the finding context sent to the provider, are redacted in audit entries.
TLS from the edge
The reference deployment terminates TLS at Caddy with automatic Let's Encrypt certificates. HSTS, modern ciphers, and OCSP stapling are on by default.
Compliance & standards
Aligned with what your auditors already ask for.
OWASP Top 10
Mapped rules
CWE Top 25
Mapped rules
SARIF 2.1.0
Native export
NIST SSDF
Practices PO (Prepare the Organization), PS (Protect Software), PW (Produce Well-Secured Software) and RV (Respond to Vulnerabilities)
MISRA C++:2008
Enterprise pack
SOC 2 Type II
On roadmap
Responsible disclosure
Found a bug in Lintel?
We take security reports seriously. Please email security@lintelcode.dev with a proof-of-concept. We acknowledge reports within 48 hours and publish a coordinated disclosure that credits the reporter.
See our security.txt (RFC 9116) for our signing key and PGP preferences.