Security
This page summarizes the security posture for SlopCop scans and the boundaries users should understand before submitting repositories.
Last updated: May 19, 2026
Repository Credentials
Public scans use the public GitHub, GitLab, or Bitbucket URL submitted by the user. Private scans use the configured GitHub App flow and require the signed-in user to have access to the selected installation and repository.
For private scans, SlopCop mints a short-lived GitHub App installation token immediately before cloning. The backend uses that token for the clone operation and is designed not to persist installation tokens or tokenized clone URLs.
Private Scan Protection
Private scan report, log, progress, cancel, and publish operations require a valid requester claim that matches the stored private scan owner. A leaked private scan ID by itself should not be enough to access private scan artifacts.
Unpublished private-scan disagreement submissions are redacted in administrator queue views. Until the scan is published, the normal admin scan-detail flow does not expose their repo identity, scan linkage, or note text.
The frontend validates GitHub installation and repository visibility before proxying private scan creation to the backend. The backend still performs its own validation and rejects private scan creation when the requester claim is missing, invalid, or mismatched.
Secrets and Logs
SlopCop should not log or persist GitHub App installation tokens, user OAuth tokens, or tokenized clone URLs. Known token shapes are redacted from clone logs before they are stored or shown.
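The redaction step described above, as an added illustration that is not SlopCop's own code: it scrubs known GitHub token prefixes (ghs_ installation tokens, gho_ OAuth tokens) and credentials embedded in a tokenized clone URL from clone log lines before they are stored or shown, and provides a guard a caller can run before persisting a line. The token shapes, the sample log lines, and the function names are assumptions made for this example.

```python
import re

# Assumed token shapes for this example (not SlopCop's own list).
TOKEN_PATTERNS = [
    # GitHub token prefixes (ghp_, gho_, ghs_, ghu_) followed by the token body.
    re.compile(r"\bgh[opsu]_[A-Za-z0-9]{20,}"),
    # user:secret embedded in a clone URL, e.g. https://x-access-token:<token>@host/...
    re.compile(r"(?<=://)[^/\s:@]+:[^/\s@]+(?=@)"),
]

REDACTED = "[REDACTED]"


def redact_line(line: str) -> str:
    """Replace every known token shape in one log line with a fixed marker."""
    for pattern in TOKEN_PATTERNS:
        line = pattern.sub(REDACTED, line)
    return line


def redact_log(lines):
    """Redact a whole clone log; call this before lines are stored or displayed."""
    return [redact_line(line) for line in lines]


def is_clean(line: str) -> bool:
    """Guard for the persistence path: True only if no known token shape remains."""
    return not any(pattern.search(line) for pattern in TOKEN_PATTERNS)


# Constructed sample clone log; the tokens and repository are fictitious.
SAMPLE_LOG = [
    "Cloning into '/tmp/ws/repo'...",
    "fatal: unable to access 'https://x-access-token:"
    "ghs_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789@github.com/acme/widgets.git/': "
    "could not resolve host",
    "Using OAuth token gho_0123456789abcdefghijklmnopqrstuvwxyz for installation lookup",
]

if __name__ == "__main__":
    for original, scrubbed in zip(SAMPLE_LOG, redact_log(SAMPLE_LOG)):
        print(f"{'clean' if is_clean(original) else 'REDACTED'}: {scrubbed}")
```

The URL pattern deliberately matches any user:secret pair before the @, so a credential that does not follow a known prefix is still removed from the stored log.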
Do not paste secrets, access tokens, private keys, credentials, or regulated personal data into repository names, signatures, issue text, scan comments, or other fields that may appear in reports or logs.
Scan Environment
SlopCop clones repositories into temporary workspaces and runs the configured analysis engine against the checked-out code. Operators should deploy SlopCop in an isolated environment appropriate for processing untrusted source code.
Brokk-backed scans additionally run the Brokk executor in read-only mode, which removes local destructive executor tools during repository analysis.
The configured executor, model provider, email provider, hosting provider, and GitHub integration are part of the security boundary for a deployment. Operators are responsible for configuring those services and protecting their credentials.
What SlopCop Is Not
SlopCop is focused on code quality, maintainability, and AI-generated slop signals. It is not a full vulnerability scanner, penetration test, compliance certification tool, or secure code review replacement.
Security-related findings, when present, should be treated as leads for qualified review rather than verified vulnerabilities.
Reporting Vulnerabilities
If you believe you have found a vulnerability in SlopCop, report it privately to [email protected]. Include the affected route or component, reproduction steps, impact, and any relevant logs that do not expose secrets.
Do not publicly disclose a vulnerability or access another user's scan data while testing. We appreciate reports that avoid data destruction, service disruption, social engineering, and access to repositories or accounts you do not own.