How we handle source code

What happens to your code when you use CodeCharter, and what does not.

Short version: your source code never leaves your environment. Analysis runs locally, we pull nothing into our cloud, and we send nothing to an LLM endpoint.

What happens during a CodeCharter run

codecharter analyze .
    │
    ▼
Your machine / your CI runner reads .cs files
    │
    ▼
MSBuild parses them into a code model (locally)
    │
    ▼
Built-in and custom rules run against the model (locally)
    │
    ▼
Findings appear in the console or an output file (locally)

Network access by the CLI during analysis: none.

You can verify this: disconnect the machine from the network and the analyze run still completes.

What goes over the network

Only two things, and both are voluntary:

  1. CLI download from the portal. When you run codecharter analyze, the CLI must already be on the machine. The one-time pull from the portal endpoint is the only network touch.

  2. API calls from CI to the portal. The GitHub Action or your own scripts call https://codecharter.tools/... to fetch the current CLI binary. Authentication is a bearer token carrying your API key.

Neither call carries source code; both carry only metadata (version, platform, API key).

What bochmann-software can know about your code

What                                    Do we know?
Which repos you have                    no
Which languages you use                 no
Which findings appear in your code      no
Which file names you have               no
Which rules you have active             no
When you pulled the CLI                 yes
Which platform the pull was for         yes
Which API key made the pull             yes
Which CodeCharter version               yes

We log only what we need for operations (subscription management, download audit).

Benefits of local analysis

  • GDPR and NDAs stay straightforward. Because your code never reaches our servers, there is no processing of analysis data on our side to account for. The DPA covers only contact data and subscription records.
  • Reproducible builds. Analysis on your machine does not depend on our service being reachable.
  • Confidence in security reviews. Source code is more sensitive than contact data. With CodeCharter, that layer stays in your hands.

What would happen in a security incident

If someone were to break in and gain access to our database and servers:

  • Source code: not affected because it is not stored with us.
  • Findings from your codebase: not affected because they are not stored with us.
  • Login data (email + password hash) would be affected. We never store plaintext passwords; the hashes cannot be reversed directly.
  • API key hashes would be affected. In that case we would immediately revoke all existing keys and ask you to issue new ones.

We would notify you within 72 hours (GDPR standard).

If you want to look deeper

The CLI is closed-source; you cannot see the exact code. However:

  • We offer an on-request security review with your team (source walkthrough, architecture Q&A).
  • We give penetration testers access to a test instance on request.
  • We can send hash values of distribution binaries in advance on request so you can verify supply-chain integrity.
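One way to use such a pre-shared hash in CI: check the downloaded binary against it and run the CLI only on a match. This is an added example, not CodeCharter's own tooling; the expected hash, the local binary path and the sample file it is tested on are placeholders or constructed values, not vendor data.

```shell
#!/bin/sh
# Verify a downloaded CodeCharter CLI binary against a vendor-supplied SHA-256
# before executing it in CI. Added example; the hash and path used at the
# bottom are placeholders, not values from the vendor.
set -u

# Compute the SHA-256 of a file portably (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_binary FILE EXPECTED_SHA256 -> returns 0 on a match, 1 otherwise.
# The comparison is case-insensitive so an upper-case hash still matches,
# and a missing file is treated as a failure rather than an empty hash.
verify_binary() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Typical CI usage (placeholder values): verify first, run only on success.
# EXPECTED_SHA256='<hash received from the vendor>'
# verify_binary ./codecharter "$EXPECTED_SHA256" && ./codecharter analyze .
```

Because the comparison happens before the binary is ever executed, a tampered download fails the job instead of running in your environment.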

Write to us if you need any of this.