
Trust & data handling.

A control layer for your code only earns trust if it is honest about what it does with that code. This page states it plainly: what runs on your machine, what telemetry the CLI sends and how to turn it off, what the hosted platform stores, and what is still on the roadmap rather than shipped.

The short version

The MIT-licensed CLI analyzes code locally, with no LLM and no network calls to read your source. Anonymous telemetry is on by default and never includes code, and you can disable it with one environment variable.

The CLI runs locally.

npx aislop scan analyzes your code on your machine. Your source code never leaves it. The analysis is deterministic, with no LLM at runtime and no network calls to read or score your source.

Because the scan is reproducible, the same code produces the same score every time, on your laptop and in CI. There is no model in the loop to drift, and no upload required to get a result.

Anonymous, on by default, easy to disable.

The CLI sends anonymous usage telemetry by default. It helps us see which engines run, on which languages, and how long they take. It never includes your code. Telemetry is auto-disabled in CI.

What it collects
  • Command name (for example, scan)
  • Language detected in the project
  • Per-engine timings
  • Score bucket, not the score detail
  • CI detection
  • Package manager
  • An anonymous install id
What it never collects
  • File contents
  • File paths
  • Source code of any kind

AISLOP_NO_TELEMETRY=1

Set this environment variable to disable telemetry for every run.

DO_NOT_TRACK=1

The standard opt-out signal is honored the same way.

telemetry: { enabled: false }

Set this in .aislop/config.yml to disable telemetry for the project.
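The opt-out rules and the collection allowlist above can be modelled in a few lines. The following JavaScript is an added example written for this page, not aislop's own code, and it makes some assumptions the page does not state: that CI is detected through a non-empty CI environment variable, that "score bucket" means a 20-point range of a 0-100 score, and that the config object passed in is the already-parsed contents of .aislop/config.yml. The point it demonstrates is structural: the event is built from a fixed field allowlist, so file paths and contents have no route into the payload.

```javascript
// Added example, not aislop's own code: a reference model of the telemetry
// rules this page describes. The CLI's real implementation may differ.

// Opt-out signals, in the order the page lists them. Assumption: CI is
// detected through a non-empty CI environment variable (a common convention;
// the CLI's actual detection is not described on this page).
function telemetryEnabled(env, config) {
  if (env.AISLOP_NO_TELEMETRY === "1") return false; // explicit CLI opt-out
  if (env.DO_NOT_TRACK === "1") return false;        // standard opt-out signal
  if (env.CI && env.CI !== "false") return false;    // auto-disabled in CI
  const t = config && config.telemetry;
  if (t && t.enabled === false) return false;        // .aislop/config.yml
  return true;                                       // on by default
}

// Coarsen a numeric score to a bucket so the event carries no score detail.
// Assumption: a 0-100 score bucketed into 20-point ranges; the page only
// says "score bucket", not how wide a bucket is.
function scoreBucket(score) {
  const clamped = Math.max(0, Math.min(100, score));
  const lo = Math.min(80, Math.floor(clamped / 20) * 20);
  return `${lo}-${lo + 20}`;
}

// The only fields an event may carry, taken from the list on this page.
// Anything not named here, such as file paths or contents, is dropped.
const ALLOWED_FIELDS = [
  "command", "language", "engineTimings", "scoreBucket",
  "ci", "packageManager", "installId",
];

function buildTelemetryEvent(scan, env, installId) {
  const candidate = {
    command: scan.command,
    language: scan.language,
    engineTimings: scan.engineTimings, // { engineName: milliseconds }
    scoreBucket: scoreBucket(scan.score),
    ci: Boolean(env.CI && env.CI !== "false"),
    packageManager: scan.packageManager,
    installId,
  };
  const event = {};
  for (const key of ALLOWED_FIELDS) event[key] = candidate[key];
  return event; // scan.files and scan.score never reach the event
}

// Check that a serialized event contains none of a project's paths or source.
function leaksProjectData(event, files) {
  const json = JSON.stringify(event);
  return files.some((f) => json.includes(f.path) || json.includes(f.contents));
}

// Constructed sample scan result, not real aislop output.
const sampleScan = {
  command: "scan",
  language: "python",
  engineTimings: { complexity: 120, duplication: 85 },
  score: 73,
  packageManager: "npm",
  files: [{ path: "src/auth/login.py", contents: "def login(user, pw): ..." }],
};

// Stand-alone run: decide whether to send, then build the allowlisted event.
const shouldSend = telemetryEnabled(process.env, { telemetry: { enabled: true } });
const exampleEvent = buildTelemetryEvent(sampleScan, process.env, "install-id-constructed");
if (shouldSend && leaksProjectData(exampleEvent, sampleScan.files)) {
  throw new Error("telemetry event contains project data");
}
```

Because the opt-out checks run before the event is built, setting AISLOP_NO_TELEMETRY=1 or DO_NOT_TRACK=1 short-circuits the whole path; the allowlist is the second, independent guarantee that even a sent event cannot carry source.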

What scanaislop.com stores.

When you connect repositories to scanaislop.com, the platform stores scan metadata and scores to power dashboards, PR checks, and standards across your team. That metadata is what makes a score visible to more than one person.

We aim to store what the dashboards and policy features actually need, and no more. We will keep this page updated as the platform grows so the description stays accurate rather than aspirational. If you cannot send metadata to a hosted service, the self-hosted option below is the path we are building.

Committed, not yet certified.

These are on the roadmap. They are not current certifications, and we do not claim any certification we cannot show you.

SOC 2

Roadmap

A SOC 2 program is planned. We do not hold this certification today and do not claim it.

SSO / SCIM

Roadmap

SAML single sign-on and SCIM provisioning for the hosted platform. On the roadmap.

Audit export

Roadmap

Exportable scan history, score deltas, and exception records for reviewers. On the roadmap.

Self-hosted / VPC

Roadmap

Run the platform inside your own network. On the roadmap.

Read the source for yourself.

The CLI is MIT-licensed and open source. The local-first behavior and telemetry described here are verifiable in the code, not just on this page.
