Local scanning with explicit, auditable entitlement checks.

Code Radar is designed for teams that need security review evidence without sending source code to another hosted scanner.

What leaves the machine

This is the security contract the product should be judged on: source code stays where the scan runs, and only entitlement and attribution metadata go to the licensing backend.

Source code: Not uploaded by Radar. Scans run in the local workspace or on the GitHub Actions runner.
License keys: Stored server-side as HMAC hashes; raw keys are not persisted in database rows.
Machine identity: Hardware-derived component hashes are sent, not raw hardware identifiers.
Telemetry: Metadata-only events for attribution and product usage; no source paths, snippets, secrets, or repository contents.
CI validation: GitHub Actions validates online on each run and consumes repository slots on paid CI plans.
Reports: SARIF, JSON, HTML, and terminal output are written only where the command runs.

Controls against free usage and shared-key abuse

No licensing scheme can be made impossible to crack, but the production design raises the cost of abuse: server-side validation, signed entitlements, database-backed plan limits, rate limits, and separate local and CI slots.

Fail-closed entitlement: Paid commands require online validation. Expired, revoked, or over-limit licenses stop the command rather than silently continuing.
Slot abuse control: Per-key machine and repository limits prevent one key from becoming unlimited installs or CI usage.
Rate limiting: Activation, validation, checkout, and analytics endpoints enforce server-side rate limits and log abuse.
Paddle/AppSumo separation: Payment and redemption providers feed the licensing backend; plan limits stay in database records.
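The following is an added illustration of the controls described in this section and in the "What leaves the machine" list above (HMAC-hashed license keys, hashed machine identity, signed entitlements, database-backed machine slots, per-key rate limiting, and a client that fails closed). It is example code written for this page, not Code Radar's own implementation. The secrets, the in-memory backend, the token format, the slot and rate-limit numbers, and the method names are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed secrets for this example only; a real backend would load them from a secret store.
KEY_HASH_SECRET = b"example-key-hashing-secret"
ENTITLEMENT_SECRET = b"example-entitlement-signing-secret"
MAX_CALLS_PER_WINDOW = 5       # hypothetical per-key rate limit for the validation endpoint
ENTITLEMENT_TTL = 3600         # hypothetical lifetime of an issued entitlement, in seconds


def hash_license_key(raw_key: str) -> str:
    """Keyed digest of a license key; the backend stores this, never the raw key."""
    return hmac.new(KEY_HASH_SECRET, raw_key.encode(), hashlib.sha256).hexdigest()


def machine_fingerprint(components: dict) -> str:
    """Hash hardware-derived components on the client so raw identifiers are not transmitted."""
    canonical = json.dumps(components, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class LicenseRow:
    plan: str
    machine_limit: int
    expires_at: int                      # unix seconds
    revoked: bool = False
    machines: set = field(default_factory=set)


class LicensingBackend:
    """In-memory stand-in for the database-backed licensing service (constructed for the example)."""

    def __init__(self):
        self.rows = {}         # key_hash -> LicenseRow; plan limits live here, not in the client
        self.window_hits = {}  # key_hash -> calls seen in the current fixed window (never reset here)
        self.abuse_log = []

    def issue_key(self, plan: str, machine_limit: int, expires_at: int) -> str:
        raw = "CR-" + secrets.token_hex(8)
        self.rows[hash_license_key(raw)] = LicenseRow(plan, machine_limit, expires_at)
        return raw  # shown to the customer once; only its HMAC digest is persisted

    def revoke(self, raw_key: str) -> None:
        self.rows[hash_license_key(raw_key)].revoked = True

    def _sign(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        sig = hmac.new(ENTITLEMENT_SECRET, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def validate(self, raw_key: str, fingerprint: str, now: int) -> dict:
        """Online validation: every branch but the last is a denial, so the client fails closed."""
        key_hash = hash_license_key(raw_key)
        self.window_hits[key_hash] = self.window_hits.get(key_hash, 0) + 1
        if self.window_hits[key_hash] > MAX_CALLS_PER_WINDOW:
            self.abuse_log.append(("rate_limited", key_hash))
            return {"status": "rate_limited"}
        row = self.rows.get(key_hash)
        if row is None:
            return {"status": "invalid"}
        if row.revoked:
            return {"status": "revoked"}
        if now >= row.expires_at:
            return {"status": "expired"}
        if fingerprint not in row.machines:
            if len(row.machines) >= row.machine_limit:
                self.abuse_log.append(("over_limit", key_hash))
                return {"status": "over_limit"}
            row.machines.add(fingerprint)  # consume one machine slot
        token = self._sign({"key": key_hash, "machine": fingerprint, "plan": row.plan,
                            "exp": min(now + ENTITLEMENT_TTL, row.expires_at)})
        return {"status": "ok", "entitlement": token}

    def verify_entitlement(self, token: str, fingerprint: str, now: int) -> bool:
        """Re-check a presented entitlement: signature, binding, expiry, then the live database row."""
        body, _, sig = token.rpartition(".")
        expected = hmac.new(ENTITLEMENT_SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        claims = json.loads(body)
        row = self.rows.get(claims.get("key"))
        if row is None or row.revoked or now >= row.expires_at:
            return False
        if claims.get("machine") != fingerprint or fingerprint not in row.machines:
            return False
        return now < claims.get("exp", 0)


def paid_command_allowed(response) -> bool:
    """Client-side gate: anything other than an explicit 'ok' with a token, including no response, denies."""
    return isinstance(response, dict) and response.get("status") == "ok" and bool(response.get("entitlement"))
```

Two design points worth noting. The entitlement is verified by the backend with the same secret that signed it, which is only safe because the client never verifies it locally; a client that needed to check tokens offline would have to verify an asymmetric signature instead. And the presented entitlement is never trusted on its own: after the signature check the live row is consulted again, so revocation and slot changes take effect on the next validation rather than when the token expires.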

Need the operational path?

Start with local install, then add MCP and GitHub Actions only when your workflow needs shared enforcement.