Radar processes code in memory during PR analysis. Only the changed files (diffs) from a pull request are analyzed — never the full repository. At most 10 function bodies per PR are sent to the AI engine for deeper analysis. All code snippets are deleted within 24 hours.
Passwords are hashed using bcrypt with 12 rounds. JWT access tokens expire after 15 minutes with 7-day refresh tokens. OAuth integrations with GitHub and Google use industry-standard OAuth 2.0 flows. Rate limiting is enforced on all authentication endpoints (login: 5/min, signup: 3/min, password reset: 3/min).
GitHub webhooks are verified using HMAC-SHA256 signatures computed over the raw request body and checked with a timing-safe comparison. GitLab webhooks are validated by comparing the X-Gitlab-Token header against the configured secret. Stripe webhooks use HMAC signature verification. PayPal webhooks are validated via the verify-webhook-signature API.
All API endpoints use class-validator decorators for runtime input validation. A global ValidationPipe rejects requests with invalid or unexpected fields. Role-based access control (RBAC) enforces owner/admin/member permissions per organization.
The API uses Helmet to set HTTP security headers, and CORS is configured to allow only known origins. All data is encrypted in transit via TLS. Repository access tokens are scoped to read-only permissions and stored encrypted at rest.
If you discover a security vulnerability, please report it responsibly by emailing security@radar.dev. We will acknowledge receipt within 48 hours and work with you to understand and address the issue.