Keygraph

Code Security Posture

Version 1.0

Executive Summary

Keygraph does not retain customer source code in full after analysis completes. Specific fragments required to render findings, deduplicate results, and propose remediations are persisted, and every byte of code-derived state, including any descriptive references to code, is encrypted at rest. This document describes the architectural and operational controls that enforce this posture across our cloud and self-hosted deployment models.

Core Principle: Ephemeral Compute, Encrypted Persistence

Several Keygraph analysis jobs (SAST, secrets detection, IaC scanning, SCA) require read access to source code. Keygraph performs these operations in short-lived, isolated environments backed by encrypted storage:

  • Each repository is cloned into a fresh, ephemeral container dedicated to that scan job.
  • Containers run with no shared state with other tenants and no reuse across scan runs.
  • The working copy of the cloned repository lives only in the container's ephemeral filesystem and is destroyed when the container is terminated.
  • During the scan, the container has scoped write access to a tenant-isolated, encrypted-at-rest S3 bucket where intermediate artifacts are persisted. The full source tree is not written to this bucket.
  • After analysis completes, the container is terminated and its ephemeral storage is wiped.

Persisted state after a scan consists of structured findings (issue metadata: location, severity, rule ID, fingerprint), a small number of intermediate analysis artifacts required to render and triage findings, and the code snippets explicitly described in the Code Retention section below. All such state is encrypted at rest.

Integration Permissions

Keygraph requests the minimum scope required for each integration:

  • The default scope is read-only on the repositories selected for scanning.
  • Write access is requested only when the customer explicitly enables Code Remediation (remediation pull requests).
  • Permissions can be revoked at any time from the source control provider's UI without coordination with Keygraph.

Deployment Models

Keygraph Cloud

  • Runs on AWS with regional isolation.
  • Data residency available in US and EU regions.
  • All processing and storage for a tenant remains within the selected region.
  • No cross-region replication of customer data.

Self-Hosted

  • Full deployment runs inside the customer environment.
  • Supports fully airgapped installation with no outbound calls to Keygraph.
  • Customer retains end-to-end control of code, scan infrastructure, and findings.
  • Suitable for regulated workloads, classified environments, and customers with strict data residency requirements.

Scan Workflow

The end-to-end repository scanning workflow:

  1. Select — User or CI pipeline triggers a scan for a configured repository.
  2. Provision — Keygraph spins up a fresh, isolated container with scoped credentials, including a tenant-scoped role for the encrypted S3 artifact bucket.
  3. Clone — Container performs a shallow git clone of the target ref into its ephemeral filesystem.
  4. Scan — Analysis engines (SAST, secrets, SCA, IaC) run against the working copy. Intermediate artifacts required for finding generation are written to the encrypted S3 bucket; the source tree as a whole is not.
  5. Encrypt and emit findings — Results are serialized, encrypted in transit, and written to the findings store. Any code snippets attached to findings are encrypted at rest, as are textual descriptions that reference code.
  6. Destroy — Container is terminated; ephemeral storage holding the working copy is wiped.

The container is single-use. No reuse across repositories, customers, or scan runs.

Code Retention: Disclosure

Keygraph does not persist the full source tree, but a small set of features require retaining specific fragments of code or code-derived data. The categories below are the complete list. All retained data, including any descriptive text that references code, is encrypted at rest.

Code Snippets for Findings

To display findings in the UI with surrounding context, Keygraph stores short code snippets associated with each issue:

  • Snippets cover only the lines relevant to the finding plus a small surrounding window.
  • Snippets are stored encrypted at rest.
  • Snippets are scoped to the tenant and the specific finding; they are not used for any cross-tenant function.
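As an added illustration (not Keygraph's code), the following Python sketch shows the shape of the persisted finding described above and in the Core Principle section: the snippet is limited to the finding line plus a small surrounding window, and the fingerprint used for deduplication across runs hashes the rule ID and the whitespace-normalized snippet rather than the line number, so a finding keeps its identity when unrelated lines shift. The sample source, field names and rule ID are constructed assumptions; encryption of the stored record belongs to the at-rest layer and is not shown.

```python
import hashlib
import re

# Constructed sample file with one hard-coded credential at line 5.
SAMPLE_SOURCE = """import os

def connect():
    # TODO: move to a secret manager
    api_key = "sk-test-CONSTRUCTED-VALUE"
    return open_session(api_key)

def open_session(key):
    return {"key": key}
"""


def snippet_window(source: str, line: int, window: int = 2) -> list:
    """Return only the finding line (1-indexed) plus `window` lines on each side."""
    lines = source.splitlines()
    lo = max(0, line - 1 - window)
    hi = min(len(lines), line + window)
    return lines[lo:hi]


def fingerprint(rule_id: str, snippet: list) -> str:
    """Stable identity for deduplication across scans.

    Hashes the rule ID and the whitespace-normalized snippet, never the path
    or line number, so edits elsewhere in the file do not create a "new" finding.
    """
    normalized = "\n".join(re.sub(r"\s+", " ", s.strip()) for s in snippet)
    digest = hashlib.sha256(f"{rule_id}\n{normalized}".encode("utf-8"))
    return digest.hexdigest()[:16]


def persisted_finding(source: str, path: str, line: int, rule_id: str,
                      severity: str, window: int = 2) -> dict:
    """Build the record that survives the scan; the full source tree does not."""
    snippet = snippet_window(source, line, window)
    return {
        "path": path,
        "line": line,
        "severity": severity,
        "rule_id": rule_id,
        "fingerprint": fingerprint(rule_id, snippet),
        "snippet": snippet,  # the only code-derived field in the record
    }


if __name__ == "__main__":
    print(persisted_finding(SAMPLE_SOURCE, "app.py", 5, "secrets.hardcoded-key", "high"))
```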

Intermediate Analysis Artifacts

Some scan engines emit intermediate artifacts (for example, dependency graphs, SBOM data, parsed configuration, and engine-specific working state) that are required to produce findings, deduplicate across runs, and support triage workflows.

  • These artifacts are written to a tenant-isolated, encrypted-at-rest S3 bucket.
  • The full source tree is not part of these artifacts.
  • Retention is bounded by the tenant's data retention policy.

Code Remediation

When Code Remediation is enabled, Keygraph stores diffs for files that are part of a proposed fix:

  • Original code, limited to the files being modified.
  • Remediated code, the proposed replacement.
  • Files outside the fix scope are not retained.

This data is required to render diffs in the UI and to open pull requests against the source repository.

SAST Findings (AST)

For each SAST finding, Keygraph stores an Abstract Syntax Tree (AST) representation of the relevant code region. The AST is used for:

  • Finding deduplication across scans.
  • Taint flow visualization in the UI.

ASTs are written to the same tenant-isolated, encrypted-at-rest S3 bucket used for intermediate analysis artifacts. Raw source files are not retained; only the AST fragment associated with the finding is.

Encryption

All retained code-derived data, including code snippets, intermediate artifacts, Code Remediation diffs, SAST ASTs, and any descriptive text that references code, is encrypted at rest using AES-256 with keys managed in a regional KMS. Transport is TLS 1.2+ for all integrations and API traffic.

Summary

| Property                    | Keygraph Cloud                                                                        | Self-Hosted                    |
|-----------------------------|---------------------------------------------------------------------------------------|--------------------------------|
| Full source tree stored     | No                                                                                    | No (customer controlled)       |
| Code-derived data persisted | Snippets, intermediate artifacts, Code Remediation diffs, SAST ASTs (all encrypted)   | Customer controlled            |
| Network egress              | To Keygraph control plane only                                                        | Optional / airgap supported    |
| Data residency              | US or EU region                                                                       | Customer environment           |
| Default integration scope   | Read-only                                                                             | Read-only                      |
| Container lifecycle         | Ephemeral, single-use per scan                                                        | Ephemeral, single-use per scan |
| Encryption at rest          | AES-256, regional KMS                                                                 | Customer-managed KMS supported |
| Encryption in transit       | TLS 1.2+                                                                              | TLS 1.2+                       |

Posture Statement

Source code should leave the customer's perimeter for the shortest possible duration, only when scanning requires it, and never to a shared or persistent store. Where code-derived state must be retained to deliver a feature, the retained surface is narrow, encrypted, scoped to features the customer explicitly enables, and revocable.

For audit-ready documentation, including encryption key management procedures and incident response, contact security@keygraph.com.

© 2026 Keygraph Inc. All rights reserved.