Spectral Data Collection Addendum

Spectral’s Data Collection Explained

At Spectral, we believe that simplicity improves security. That is why we have tried to make our product as self-sufficient as possible, free from continuous calls to a central server not in your control. 

However, we do occasionally need to collect and send data to give developers the best possible experience. These calls go either to Spectral’s cloud estate or to your remote git repositories.

This document explains when, where, and why we collect data across our entire service. We cover what’s sent to the SaaS Dashboard, what’s queried when you install the scan engine, and what happens when you run a scan.

Spectral SaaS Dashboard

The Spectral Dashboard is both SOC2 and ISO27001 compliant, so you know that your data is safe with us. We host our platform in AWS and protect our estate using Check Point CloudGuard Native. 

We never store the sensitive values a scan uncovers; the dashboard ingests only the bare minimum of metadata. This consists of what code was scanned, when the scan occurred, and a sanitized summary of the scan’s findings.

All scans are performed locally so that your source code and sensitive data never leave your machine. 

All data stored on our platform is encrypted at rest with managed keys. Data in transit is protected with the TLSv1.2 encryption protocol, so it is secure on its way to us.

Spectral Scan Engine

Installation & Update

When you install the Scanner (described in the installation documentation), you download a self-contained binary that needs no further internet connection to run. Currently, we support the following platforms:

Updating the scan engine overwrites the existing binary.

During the installation and update process, we make only two requests to the SaaS platform:

  1. /latest/x/<INSTALLER_TYPE> – this call returns the latest version number for the given installer type, so the installer knows which binary to fetch and your binary stays up to date.
  2. https://dl.spectralops.io/spectral/<VERSION>/<TARBALL> – this link downloads the Spectral binary for the version returned by the previous call. Together, these two destinations are the only network egress the install and update steps require.

Scanning

Based on what you are scanning, we might make some additional requests:

Scanning Local Repositories

Spectral scanners can be configured to scan locally without external network access. No further data is requested or sent if you scan a local repository.

Scanning Remote Repositories (Audit)

For scans of remote repos, we need to fetch the code from the remote repository provider (e.g., GitHub, Bitbucket). To do this, we first retrieve the list of repositories, then clone each one in turn and run the scan locally.

Once a scan is complete, we delete the cloned repository from the local environment.
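The audit loop above (list, clone, scan locally, delete the clone) is worth seeing as a concrete control, because the property a practitioner cares about is that the clone is removed even when the clone or the scan fails. The following is an added example written for this page, not Spectral’s own code: the clone and scan steps are pluggable callables, `git_clone` is an assumed shallow-clone helper, and `standin_scan` is a constructed stand-in detector (it only matches the documented AWS access key ID shape) so the example runs offline.

```python
"""Audit-style scan loop: enumerate repos, clone each into a private temp dir,
scan it locally, and always delete the clone afterwards.

Added example for this page; not Spectral's implementation."""
import os
import re
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# The two pluggable steps: clone(url, dest) and scan(dest) -> {rule: count}.
CloneFn = Callable[[str, str], None]
ScanFn = Callable[[str], Dict[str, int]]


@dataclass
class AuditResult:
    repo: str
    workdir: str  # recorded only so callers can verify the clone is gone
    ok: bool
    findings: Dict[str, int] = field(default_factory=dict)
    error: str = ""


def audit_repositories(repo_urls: Iterable[str], clone: CloneFn, scan: ScanFn,
                       base_dir: Optional[str] = None) -> List[AuditResult]:
    """Clone each repository into a fresh temp dir (mkdtemp creates it 0700),
    scan it locally, and remove the clone whether or not the scan succeeded."""
    results: List[AuditResult] = []
    for url in repo_urls:
        workdir = tempfile.mkdtemp(prefix="audit-", dir=base_dir)
        try:
            clone(url, workdir)
            findings = scan(workdir)
            results.append(AuditResult(url, workdir, True, findings))
        except Exception as exc:  # one bad repo must not abort the whole audit
            results.append(AuditResult(url, workdir, False,
                                       error=f"{type(exc).__name__}: {exc}"))
        finally:
            # The clone never outlives its scan, even on failure.
            shutil.rmtree(workdir, ignore_errors=True)
    return results


def clone_removed(result: AuditResult) -> bool:
    """True if the working directory recorded for this result no longer exists."""
    return not os.path.exists(result.workdir)


def git_clone(url: str, dest: str) -> None:
    """Assumed clone step for real use: shallow clone with git.
    '--' keeps a hostile URL from being parsed as an option; no stdin, so git
    cannot block on a credential prompt."""
    subprocess.run(["git", "clone", "--quiet", "--depth", "1", "--", url, dest],
                   check=True, stdin=subprocess.DEVNULL, timeout=600)


# Constructed stand-in for the local scanner so the example runs offline.
# Only the AWS access key ID shape; this is not Spectral's detector.
_STANDIN_PATTERNS = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}


def standin_scan(root: str) -> Dict[str, int]:
    """Walk the checkout (skipping .git) and count matches per pattern."""
    counts = {name: 0 for name in _STANDIN_PATTERNS}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            try:
                with open(os.path.join(dirpath, fn), encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for name, pat in _STANDIN_PATTERNS.items():
                counts[name] += len(pat.findall(text))
    return counts


def fake_clone_with_secret(url: str, dest: str) -> None:
    """Constructed clone step for offline runs: writes one file holding the
    AWS documentation example key (not a live credential)."""
    with open(os.path.join(dest, "config.env"), "w", encoding="utf-8") as fh:
        fh.write("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")


def failing_clone(url: str, dest: str) -> None:
    """Constructed failure case: the provider rejects the clone."""
    raise RuntimeError("clone failed: repository not accessible")


if __name__ == "__main__":
    for r in audit_repositories(["constructed-repo-a"], fake_clone_with_secret, standin_scan):
        print(r.repo, "ok" if r.ok else r.error, r.findings, "clone removed:", clone_removed(r))
```

In real use you would pass `git_clone` and a wrapper around the actual scanner in place of the two constructed callables; the `try`/`finally` and the per-repo error capture are the parts that matter, since a scan that aborts halfway must not leave a checkout of someone else’s source tree on the audit host.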

Scanning in CI/CD

If you use the CI/CD integration, it performs all the requests described in the Installation & Update and Scanning sections, in the order laid out in this document.

Note: The customer is responsible for maintaining the security of the environment from which the scan is run.
