Data Handling

This page describes what data Odin Scan accesses, how it is processed, and how long it is retained.

Data Accessed

When you run a scan, Odin Scan accesses the following information:

| Data | Source | Purpose |
|---|---|---|
| Repository URL | GitHub workflow environment | Identify the repository under analysis |
| Source code | Cloned from your repository | Security analysis by AI and static analyzers. Deleted immediately after analysis. |
| Branch name | GitHub workflow environment | Scope the analysis to the correct branch |
| Commit SHA | GitHub workflow environment | Pin the analysis to a specific commit |
| Analysis configuration | Action inputs or API parameters | Configure platform, severity threshold, and output options |

Data Sent to the API

The Odin Scan GitHub Action sends the following to the Odin Scan API (api.odinscan.ai) over HTTPS:

  • Repository URL, name, branch, and commit SHA
  • Source code (for analysis only – cloned, analyzed, and deleted immediately after the scan completes)
  • Analysis configuration (platform, severity threshold)
  • Your API key (for authentication)

Important: GitHub tokens provided via the github-token input are never sent to the Odin Scan API. They are used only within the GitHub Actions runner for posting PR comments and uploading SARIF results.

Data Processed Locally

The following operations occur entirely on the GitHub Actions runner and are never transmitted to Odin Scan:

  • SARIF report generation from API results
  • PR comment formatting
  • Workflow annotation creation
  • Artifact packaging and upload

No data from these local operations is sent to third parties.

Source Code Handling

Odin Scan does not store your source code. When a scan runs:

  1. Your repository is cloned to a temporary environment.
  2. The code is analyzed by AI models and static analysis.
  3. The cloned repository is deleted immediately after the analysis completes.

Only the analysis results (findings, severity, code locations, remediation guidance) are retained – never the source code itself.

Data Retention

Analysis results, findings, and repository metadata are stored for as long as your account is active. Historical scan results remain accessible in the Odin Scan dashboard.

Data Deletion

You can request deletion of your analysis data at any time:

  • Self-service: Navigate to Settings > Account > Data Management in the Odin Scan dashboard.
  • Support: Contact support@odinscan.ai for bulk deletion requests or account-level data removal.

Deletion requests are processed in accordance with GDPR and CCPA requirements. See Compliance for details.

Credentials

Odin Scan does not store your GitHub credentials or tokens. API keys are:

  • Transmitted over HTTPS only
  • Stored encrypted at rest using AES-256-GCM (see Encryption)
  • Automatically masked in GitHub Actions logs

The GitHub Action itself is stateless – it retains no data between workflow runs.