Rosentic runs as a GitHub Action on your CI runner. Your source code is parsed locally, the conflict report is posted as a PR comment, and the runner is destroyed. No source code is stored, transmitted, or retained in any mode.

Data flow

| What | Where it goes | Stored? |
| --- | --- | --- |
| Your source code | Parsed on your GitHub runner | Never stored. Never transmitted. In any mode. |
| Conflict report | Posted as a PR comment on your repo | In your GitHub, not ours |
| Anonymous scan metadata (no key) | Rosentic telemetry | Counts only: languages, branches, conflicts, duration. No file paths, function names, or code. |
| Finding details (with API key) | Rosentic dashboard | File paths, function/route names, line numbers, verdicts, and layers. Never source code or diffs. |
| Docker image | Pulled from ghcr.io | Public image. You can inspect it. |

What we never see

Source code: never transmitted. Code is parsed on your runner and discarded when the scan completes. No mode changes this.

Git diffs: never transmitted. Commit contents and line-by-line changes stay on your runner.

File paths and function names: only with an API key. Without a key, no paths or symbols are sent. With a dashboard API key, finding details (paths, names, lines) are stored for history. Source code is never sent.

API keys or secrets: not required for PR comments. No key is needed for the free scan and PR comment. An optional API key enables dashboard history.

Permissions required

| Permission | Why |
| --- | --- |
| contents: read | Read your repo's branches and files to analyze code structure. |
| pull-requests: write | Post the conflict report as a PR comment. |

These are the minimum permissions. Rosentic does not request admin access, push access, or any other permissions.

Container security

Trivy-scanned. Every Docker image pushed to ghcr.io/rosentic/rosentic-engine is scanned with Trivy for known vulnerabilities before release.

Ephemeral. The container runs on GitHub's ephemeral runners. When the scan completes, the runner and all local data are destroyed by GitHub's infrastructure.

Deterministic. The engine uses static analysis only. No LLM inference. No network calls during scanning. No external API dependencies during the scan itself. Same input produces the same output every time.

What telemetry is collected

Anonymous scan metadata helps us improve the engine. Here is exactly what is sent:

Sent:
- Language count
- Branch count
- Conflict count by severity
- Scan duration
- Engine version
- Agent identifier (if detectable)

Never sent:
- Source code
- File paths
- Function names
- Line numbers
- Branch names
- Repository contents
- Finding details
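The two outbound payloads in the data-flow table above (anonymous scan metadata without a key, finding details with a key) are the kind of thing a security team will want to verify rather than take on trust. As an added example, not Rosentic's code, the Python below shows one way such a guarantee is made structural: each payload is built by copying named fields out of an in-memory scan result, validated against an explicit schema that rejects any extra key, and then checked against the strings that must never leave the runner. The scan result, severity labels, engine version and field names are all constructed for the example.

```python
"""Allowlist projections for the two telemetry modes described on the page.

Added example, not Rosentic's code. All field names, severity labels and the
scan result below are constructed for illustration.
"""
import json
from typing import Any, Dict, List

# Anonymous mode (no API key): only these keys, only these types.
ANON_SCHEMA = {
    "language_count": int,
    "branch_count": int,
    "conflicts_by_severity": dict,   # severity label -> count
    "scan_duration_ms": int,
    "engine_version": str,
    "agent": str,                    # "agent identifier (if detectable)"
}
SEVERITIES = ("low", "medium", "high")   # assumed labels; the page only says "by severity"

# Dashboard mode (API key): finding details, but never code or diffs.
FINDING_SCHEMA = {"path": str, "symbol": str, "line": int, "verdict": str, "layer": str}

# Constructed scan result; it deliberately carries data that must stay on the runner.
SAMPLE_SCAN = {
    "languages": ["python", "typescript"],
    "branches": ["main", "feature/payments", "feature/auth"],
    "duration_ms": 1834.6,
    "engine_version": "0.0.0-example",   # placeholder, not a real release
    "agent": "github-actions",
    "findings": [
        {"severity": "high", "path": "src/billing/charge.py", "symbol": "charge_card",
         "line": 42, "verdict": "conflict", "layer": "service",
         "snippet": "total = amount * rate", "diff": "+total = amount * rate"},
        {"severity": "low", "path": "src/auth/login.ts", "symbol": "loginHandler",
         "line": 17, "verdict": "overlap", "layer": "route",
         "snippet": "const token = sign(user)", "diff": "+const token = sign(user)"},
        {"severity": "high", "path": "src/billing/refund.py", "symbol": "refund",
         "line": 9, "verdict": "conflict", "layer": "service",
         "snippet": "return charge_card(-amount)", "diff": "+return charge_card(-amount)"},
    ],
}


def validate(payload: Dict[str, Any], schema: Dict[str, type]) -> None:
    """Fail closed: extra keys, missing keys and wrong types are all rejected."""
    extra = set(payload) - set(schema)
    missing = set(schema) - set(payload)
    if extra or missing:
        raise ValueError(f"schema mismatch: extra={sorted(extra)} missing={sorted(missing)}")
    for key, typ in schema.items():
        if not isinstance(payload[key], typ):
            raise ValueError(f"{key}: expected {typ.__name__}, got {type(payload[key]).__name__}")


def build_anonymous_telemetry(scan: Dict[str, Any]) -> Dict[str, Any]:
    """Counts only: nothing from a finding except its severity label is used."""
    by_sev = {s: 0 for s in SEVERITIES}
    for f in scan["findings"]:
        by_sev[f["severity"]] += 1      # KeyError on an unknown label: fail closed
    payload = {
        "language_count": len(scan["languages"]),
        "branch_count": len(scan["branches"]),
        "conflicts_by_severity": by_sev,
        "scan_duration_ms": int(scan["duration_ms"]),
        "engine_version": scan["engine_version"],
        "agent": scan.get("agent", "unknown"),
    }
    validate(payload, ANON_SCHEMA)
    return payload


def build_finding_details(scan: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Dashboard mode: copy only the allowed finding fields; snippets and diffs never appear."""
    details = [{k: f[k] for k in FINDING_SCHEMA} for f in scan["findings"]]
    for d in details:
        validate(d, FINDING_SCHEMA)
    return details


def leaked_strings(payload: Any, forbidden: List[str]) -> List[str]:
    """Return every forbidden string that occurs anywhere in the serialised payload."""
    wire = json.dumps(payload)
    return [s for s in forbidden if s in wire]


def anonymous_forbidden(scan: Dict[str, Any]) -> List[str]:
    """Strings the page lists as never sent in anonymous mode (line numbers are excluded
    from the substring check because the schema already admits only counts)."""
    out = list(scan["branches"])
    for f in scan["findings"]:
        out += [f["path"], f["symbol"], f["snippet"], f["diff"]]
    return out


def dashboard_forbidden(scan: Dict[str, Any]) -> List[str]:
    """Source code and diffs stay forbidden even when finding details are sent."""
    return [f["snippet"] for f in scan["findings"]] + [f["diff"] for f in scan["findings"]]


if __name__ == "__main__":
    anon = build_anonymous_telemetry(SAMPLE_SCAN)
    print(json.dumps(anon), leaked_strings(anon, anonymous_forbidden(SAMPLE_SCAN)))
    details = build_finding_details(SAMPLE_SCAN)
    print(json.dumps(details), leaked_strings(details, dashboard_forbidden(SAMPLE_SCAN)))
```

The leak check is the part worth keeping in a CI test: it is cheap, it exercises the serialised form that actually crosses the network, and it catches a field added to the payload later that the schema author forgot to think about.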

How this compares to other GitHub Actions

Rosentic has the same trust model as actions/checkout, actions/setup-node, or any other Action in your CI pipeline. It runs on your runner, uses your compute, and operates within your network. If your team already runs GitHub Actions, Rosentic requires no additional security review.

Questions

If your security team has questions about the Rosentic trust model, email [email protected]. We're happy to walk through the architecture with your team.