NAME
anvil-security - security practices and product security features
SYNOPSIS
This document describes how Anvil secures your code, how we secure Anvil itself, and how to report security vulnerabilities.
PRODUCT SECURITY FEATURES
Anvil provides the following security capabilities for your development workflow:
Secret Detection
Scans generated code for exposed credentials, API keys, tokens, and other secrets before they reach your codebase. Patterns are updated regularly.
Static Analysis (SAST)
Identifies common security vulnerabilities in generated code including injection flaws, insecure configurations, and unsafe patterns.
Dependency Auditing
Validates dependencies against known vulnerability databases before they are added to your project.
Policy Enforcement
Define custom security policies in Rego. Block patterns, require reviews, or flag violations based on your organisation's standards.
HOW WE SECURE ANVIL
Local-First Architecture
Anvil runs entirely on your machine. Your source code, policies, and AI outputs never leave your infrastructure unless you explicitly configure remote features.
Deterministic Core
The governance engine is deterministic and contains no AI components. Policy evaluation produces the same result every time for the same input.
Signed Releases
All CLI releases are cryptographically signed. Verify signatures with anvil verify or check against our public key.
Dependency Minimisation
The core CLI has minimal dependencies. We audit the full dependency tree and pin versions to prevent supply chain attacks.
No Telemetry by Default
Anonymous telemetry is opt-in. When enabled, it collects only aggregate performance metrics, never code or content.
INFRASTRUCTURE
Hosting
Web services are hosted on Vercel with automatic DDoS protection and edge caching. Backend services run on isolated infrastructure in the EU and US.
Encryption
All data in transit uses TLS 1.3. Data at rest is encrypted using AES-256.
Access Control
Internal access follows the principle of least privilege. All access is logged and regularly audited.
RESPONSIBLE DISCLOSURE
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
How to Report
Email security@eddacraft.com with details of the vulnerability. Include steps to reproduce if possible.
What to Expect
- Acknowledgement within 48 hours
- Initial assessment within 5 business days
- Regular updates on remediation progress
- Credit in our security advisories (if desired)
Scope
In scope: anvil CLI, web properties (*.eddacraft.com), API endpoints. Out of scope: third-party services, social engineering, physical attacks.
Safe Harbour
We will not pursue legal action against researchers who act in good faith and follow responsible disclosure practices.
PGP KEY
For encrypted communications, use our PGP key:
Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Full key available at https://eddacraft.com/.well-known/pgp-key.txt
AUTHOR
eddacraft Ltd.