Colosseum

Your code is safe. Here's how.

Every scan runs in isolated infrastructure. Your source code is never stored.

We analyze your Python code in isolated environments using static analysis. Your source code is deleted immediately after the scan completes. Only findings and metadata are retained.

What happens to your code

  1. Clone

     Your repo is cloned over HTTPS into an isolated environment, using the token you provide for private repos; public repos need no token. The clone is temporary.

  2. Analyze

     Code is parsed and analyzed using structural code analysis and pattern matching. No code is executed, and the analysis environment has no network access.

  3. Report

     Vulnerability locations, severity scores, and remediation guidance are extracted. Only this metadata is retained.

  4. Delete

     The cloned repo is permanently deleted: the filesystem is wiped and the environment destroyed.

What we store

We Store

  • Finding locations (file paths, line ranges)
  • Severity grades (Critical, High, Medium, Low)
  • Vector types (e.g., SQL injection, hardcoded secret)
  • Remediation guidance text
  • Tool comparison results (overlap between Bandit and Semgrep findings)
  • Scan metadata (timestamp, repo URL, LOC count)
  • Your email address (for report delivery)

We Never Store

  • Your source code
  • File contents
  • Git history
  • Dependencies or libraries
  • Environment variables
  • Secrets or credentials
  • GitHub Personal Access Tokens

How analysis works

Static analysis only

Colosseum uses structural code analysis and pattern recognition. Your code is parsed, never imported or executed, so a scan cannot trigger side effects in your codebase.
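The analyze and report steps above, as an added illustration that is not Colosseum's scanner: Python's `ast` module parses a file into a syntax tree without importing or running it, two pattern rules (a hardcoded-secret assignment and an `execute()` call whose query string is built at runtime) walk that tree, and the only thing returned is location and classification metadata. The rule names, severities and remediation strings are assumptions chosen for the demo, and the sample repository is constructed inline.

```python
from __future__ import annotations

import ast
import re
from dataclasses import asdict, dataclass

# Identifier names that suggest a credential when bound to a string literal.
# Added example, not Colosseum's rule set: names, severities and remediation
# strings below are assumptions chosen for the demonstration.
SECRET_NAME = re.compile(r"password|passwd|secret|token|api_key", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    """Everything the scan keeps: location and classification, no source text."""
    path: str
    start_line: int
    end_line: int
    severity: str
    vector: str
    remediation: str


def _is_runtime_built_string(node: ast.AST) -> bool:
    """f-string, '%'-formatted literal, or .format() call: data mixed into the query."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return isinstance(node.left, ast.Constant) and isinstance(node.left.value, str)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def scan_source(path: str, source: str) -> list[Finding]:
    """Parse `source` into a syntax tree (ast.parse never imports or runs it)
    and pattern-match the tree. Returns metadata only."""
    tree = ast.parse(source, filename=path)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        # Rule 1: hardcoded secret  ->  NAME = "non-empty literal"
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str) and node.value.value:
            if any(isinstance(t, ast.Name) and SECRET_NAME.search(t.id) for t in node.targets):
                findings.append(Finding(path, node.lineno, node.end_lineno, "High",
                                        "hardcoded secret",
                                        "Read the value from an environment variable or secrets manager."))
        # Rule 2: SQL injection  ->  cursor.execute(<string built at runtime>, ...)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr in ("execute", "executemany") \
                and node.args and _is_runtime_built_string(node.args[0]):
            findings.append(Finding(path, node.lineno, node.end_lineno, "Critical",
                                    "SQL injection",
                                    "Use a parameterised query: cursor.execute(sql, (value,))."))
    return findings


def scan_repo(files: dict[str, str]) -> dict:
    """Scan path -> source pairs and return only what would be retained."""
    report = {"loc": 0, "findings": []}
    for path, source in files.items():
        report["loc"] += len(source.splitlines())
        report["findings"].extend(asdict(f) for f in scan_source(path, source))
    return report  # no reference to `files` or any source text survives here


def report_contains_source(report: dict, files: dict[str, str]) -> bool:
    """Check on the retention claim: does any input line survive in the output?"""
    blob = repr(report)
    return any(line.strip() and line.strip() in blob
               for source in files.values() for line in source.splitlines())


# Constructed sample repository (one file), not a real codebase.
SAMPLE_FILES = {
    "app/db.py": (
        "import sqlite3\n"
        "API_TOKEN = 'ghp_notarealtoken'\n"
        "def lookup(conn, user):\n"
        "    cur = conn.cursor()\n"
        "    cur.execute(f\"SELECT * FROM users WHERE name = '{user}'\")\n"
        "    cur.execute('SELECT * FROM users WHERE name = ?', (user,))\n"
        "    return cur.fetchall()\n"
    ),
}


if __name__ == "__main__":
    result = scan_repo(SAMPLE_FILES)
    for f in result["findings"]:
        print(f"{f['severity']:8} {f['vector']:18} {f['path']}:{f['start_line']}")
```

The parameterised `execute()` on line 6 of the sample produces no finding; only the f-string query and the literal token do, and `report_contains_source()` confirms that the returned report carries none of the input text.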

Python codebases

Currently supports Python. JavaScript, TypeScript, and Go are on the roadmap.

No network access

Analysis environments run without internet access. Nothing in the scanned repository can reach an external host during the scan, even though the code is never executed in the first place.

Encryption

In transit. All connections to BattleHarden use TLS 1.3. HSTS is enabled with a 1-year max-age. API and webhook traffic is encrypted in transit the same way.

At rest. Database storage is encrypted at rest using AES-256, managed by Supabase (hosted on AWS). Backups are encrypted by the hosting provider.

Secrets management. API keys, tokens, and credentials are stored in environment variables, never in source code or in the database. GitHub Personal Access Tokens are held in memory only during clone operations and are never persisted.

How we handle GitHub tokens

Used once. When you provide a Personal Access Token for private repo access, it's used once to clone the repo via HTTPS. The token is never written to disk.

Never stored. The token is held in memory only during the clone operation, then immediately discarded. It never touches our database.

Read-only scope. We only require read access to the repository being scanned; a fine-grained token limited to that repository with read-only Contents permission is sufficient. Tokens with write permissions work but grant more than the scan uses.

Revoke anytime. You can revoke the token in your GitHub settings immediately after the scan completes. The scan report remains accessible.
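An added illustration, not Colosseum's own clone code, of what "used once, never written to disk" takes in practice with git. Embedding the token in the clone URL (`https://<token>@github.com/...`) would defeat it: git records that URL in the clone's `.git/config`, and it appears in process listings. The approach below instead hands git a `GIT_ASKPASS` helper that answers the credential prompt from an environment variable, resets any credential helpers configured on the host so nothing caches the token, and rejects URLs with embedded credentials. The helper path, the `x-access-token` username and the repository URL are assumptions.

```python
from __future__ import annotations

import os
import stat
import subprocess
import tempfile

# Added illustration, not Colosseum's clone code. git asks the GIT_ASKPASS
# helper for credentials; the helper answers from $GIT_TOKEN, so only the
# bare URL ever reaches argv or .git/config. Names are assumptions.

# The helper contains no secret; it echoes $GIT_TOKEN when git prompts for a
# password. A PAT works with any non-empty username (assumed: x-access-token).
ASKPASS_HELPER = """#!/bin/sh
case "$1" in
  *[Uu]sername*) echo x-access-token ;;
  *) printf '%s\\n' "$GIT_TOKEN" ;;
esac
"""


def validate_repo_url(url: str) -> str:
    """Accept https://host/owner/repo only; reject credentials embedded in the
    URL, which git would copy into .git/config and expose in process listings."""
    if not url.startswith("https://"):
        raise ValueError("HTTPS URLs only")
    authority = url[len("https://"):].split("/", 1)[0]
    if "@" in authority:
        raise ValueError("do not embed a token in the clone URL")
    return url


def build_clone_command(repo_url: str, dest: str, token: str | None, workdir: str):
    """Return (argv, env) for a one-shot clone. The token goes only into `env`."""
    argv = [
        "git",
        "-c", "credential.helper=",   # empty value resets configured helpers (e.g. `store`)
        "clone", "--depth", "1", "--", validate_repo_url(repo_url), dest,
    ]
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "HOME": workdir,              # no ~/.gitconfig or ~/.git-credentials from the host
        "GIT_CONFIG_NOSYSTEM": "1",   # ignore /etc/gitconfig as well
        "GIT_TERMINAL_PROMPT": "0",   # fail fast instead of hanging on a prompt
    }
    if token:
        helper = os.path.join(workdir, "askpass.sh")
        with open(helper, "w") as fh:
            fh.write(ASKPASS_HELPER)
        os.chmod(helper, stat.S_IRWXU)
        env["GIT_ASKPASS"] = helper
        env["GIT_TOKEN"] = token      # lives in this process and the child's environment only
    return argv, env


def clone_once(repo_url: str, dest: str, token: str | None, workdir: str) -> int:
    """Run the clone, then drop the token reference. Needs git and network access."""
    argv, env = build_clone_command(repo_url, dest, token, workdir)
    try:
        return subprocess.run(argv, env=env, check=False).returncode
    finally:
        env.pop("GIT_TOKEN", None)


def demo(token: str = "ghp_notarealtoken") -> dict:
    """Build the command in a throwaway directory and report where the token
    did and did not land, without contacting GitHub."""
    with tempfile.TemporaryDirectory() as workdir:
        argv, env = build_clone_command("https://github.com/acme/app.git",
                                        os.path.join(workdir, "src"), token, workdir)
        with open(env["GIT_ASKPASS"]) as fh:
            helper_text = fh.read()
        try:
            build_clone_command(f"https://{token}@github.com/acme/app.git", "x", None, workdir)
            rejects_embedded = False
        except ValueError:
            rejects_embedded = True
    return {
        "token_in_argv": any(token in a for a in argv),
        "token_in_helper": token in helper_text,
        "token_in_env": env.get("GIT_TOKEN") == token,
        "rejects_embedded": rejects_embedded,
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` checks the placement of the token offline; `clone_once()` performs the real clone where git and network access exist. The remaining exposure is the child process's environment, which other processes running as the same user can read, which is one reason the clone belongs in its own ephemeral environment as described under the isolation model below.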

Isolation model

Container per scan. Every scan runs in a dedicated, ephemeral environment. No shared filesystem, no shared network, no cross-contamination between scans.

Filesystem wipe. After findings are extracted, the environment filesystem is wiped and destroyed.

No persistent storage. Analysis environments have no access to persistent storage volumes. All data is ephemeral.

Incident response

Dedicated contact. Report security incidents to security@battleharden.dev. This mailbox is monitored and triaged with high priority.

72-hour breach notification. If a personal data breach occurs, we notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33) and affected users without undue delay (GDPR Article 34).

Post-incident review. Every security incident receives a root cause analysis and post-mortem. We publish a summary of the incident, its impact, and the preventive measures taken.

Responsible disclosure

We welcome responsible security research. If you discover a vulnerability in BattleHarden, please report it to security@battleharden.dev.

What to expect:

  • Acknowledgment of your report within 48 hours.
  • An initial assessment and estimated fix timeline within 5 business days.
  • Notification when the issue is resolved.
  • Credit in our security acknowledgments (if you wish).

Safe harbor. We will not pursue legal action against security researchers who act in good faith, comply with this policy, and avoid accessing or modifying other users' data. Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.

Sub-processors

The following third-party services process data on our behalf to operate BattleHarden:

  Sub-processor   Purpose                             Location              Privacy Policy
  Supabase        Authentication, user data storage   United States         Link
  Stripe          Payment processing                  United States         Link
  Vercel          Frontend hosting, edge network      United States / EU    Link
  Resend          Transactional email delivery        United States         Link

We notify customers of changes to our sub-processor list. If you have concerns about a sub-processor, contact us at privacy@battleharden.dev.

Compliance & certifications

  • Now: GDPR compliance documentation (Privacy Policy, DPA, sub-processor list)
  • Q3 2026: SOC 2 Type II
  • 2027: HIPAA-eligible infrastructure (Enterprise tier)

If your organization requires specific certifications, contact us to discuss enterprise options.

Current limitations

Colosseum currently analyzes Python codebases only. JavaScript, TypeScript, Go, Rust, and Java support is on the roadmap for 2026.

If your codebase is multi-language, only Python files will be analyzed in the current version.

See our pricing plans for Python code analysis.

Questions about security?

If you're evaluating Colosseum for your team and have security or compliance questions, we're happy to answer them.