Privacy
This page explains what data the Odin Scan GitHub Action accesses, how that data is used, and what controls you have over it.
Data the Action Accesses
The action accesses the following information from your GitHub workflow environment:
Repository Information
- Repository URL (e.g., https://github.com/owner/repo)
- Repository name
- Branch name
- Commit SHA
Source Code
Your repository’s source code is sent to the Odin Scan API for analysis. Only the branch and commit checked out by the workflow run are accessed; other branches and history are not read.
GitHub Token
If provided via the github-token input, the token is used for:
- Posting PR comments (requires the pull-requests: write permission).
- Uploading SARIF to Code Scanning (requires the security-events: write permission).
- Cloning private repositories for analysis (requires the contents: read permission).
The token is never logged or stored by the action. Its scope is set by the permissions block of your workflow (or the repository default), and GitHub Actions revokes it when the workflow run finishes. Granting only the permissions listed above keeps the token at least privilege.
API Key
Your Odin Scan API key (odin_sk_*) authenticates requests to the Odin Scan API. It is transmitted over HTTPS and automatically masked in GitHub Actions logs via core.setSecret().
What Is Sent to the Odin Scan API
The action sends the following data to api.odinscan.ai:
- Repository URL, name, branch, and commit SHA.
- Your source code (for security analysis).
- Analysis configuration (platform, severity threshold).
This data is processed according to the Odin Scan Privacy Policy.
What Is Processed Locally
The following operations occur entirely within the GitHub Actions runner and are not sent to any external service:
- Generating SARIF reports from API results.
- Formatting PR comments.
- Creating workflow annotations.
- Uploading workflow artifacts to GitHub.
Data Retention
By the Action
The action itself is stateless. It does not store or retain any data beyond the lifetime of the workflow run.
By Odin Scan
Your source code is cloned, analyzed, and deleted immediately after the scan completes. Odin Scan does not store your repository code. Only analysis results, findings, and repository metadata are retained. See Data Handling for full details.
By GitHub
- Workflow logs (including action output) are retained according to GitHub’s retention policies.
- SARIF uploads are stored in GitHub Code Scanning.
- Artifacts are retained per your repository settings (default: 90 days).
Third-Party Services
The action communicates with two external services:
| Service | Purpose | Data Shared |
|---|---|---|
| Odin Scan API (api.odinscan.ai) | Smart contract security analysis | Repository URL, source code, analysis configuration |
| GitHub API (via @actions/github) | PR comments, SARIF upload, repository access | Controlled by workflow permissions |
Privacy policies:
- Odin Scan: odinscan.ai/privacy
- GitHub: GitHub Privacy Statement
Security Measures
- All API communication uses HTTPS with TLS 1.2 or higher.
- API keys are masked in logs via core.setSecret().
- No credentials are logged or persisted by the action.
- GitHub tokens are used only within the workflow runner environment and are never transmitted to Odin Scan.
Your Rights
Control Over Data Collection
You control what data is sent by:
- Choosing which repositories to scan.
- Configuring workflow triggers (e.g., only on pull requests, specific branches).
- Providing or withholding optional inputs such as github-token.
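The workflow below ties the two controls above together: the permissions from the GitHub Token section, granted per job and nothing more, and a trigger restricted to pull requests. It is an added example, not a workflow shipped by the Odin Scan project; the action version tag (@v1), the api-key input name, the ODIN_API_KEY secret name, and the assumption that the action clones the repository itself using github-token are all assumptions made here, so check them against the action’s README before copying.

```yaml
# Added example workflow (not from the Odin Scan project).
name: Odin Scan

# Trigger control: scan only pull requests targeting main, so pushes to
# other branches never send source code to the API.
on:
  pull_request:
    branches: [main]

# Start from no permissions at the workflow level; each job grants only
# what it needs, which is what limits the scope of GITHUB_TOKEN.
permissions: {}

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # lets the token clone the repository (assumption: the action clones it)
      pull-requests: write    # post the findings comment on the PR
      security-events: write  # upload SARIF to Code Scanning
    steps:
      - name: Run Odin Scan
        uses: Odin-Scan/odin-scan-action@v1   # version tag is an assumption
        with:
          # Input name is an assumption. The odin_sk_* key is stored as a
          # repository secret and the action masks it in logs.
          api-key: ${{ secrets.ODIN_API_KEY }}
          # Optional: omit this input if you do not want PR comments,
          # SARIF upload, or private-repo cloning via the token.
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Dropping the github-token input disables the three token-backed features listed above but does not stop the source code upload itself; to withhold the code, narrow the trigger or remove the workflow from the repository.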
Access and Deletion
- Analysis results: Managed through your Odin Scan account at odinscan.ai.
- Workflow logs: Managed through your GitHub repository settings.
- SARIF data: Managed through GitHub Code Scanning settings.
Compliance
The Odin Scan service complies with:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- GitHub Marketplace Developer Agreement
- GitHub Terms of Service
For details on compliance and security practices, see Security.
Contact
For privacy-related questions:
- Odin Scan Support: support@odinscan.ai
- Action Issues: github.com/Odin-Scan/odin-scan-action/issues