Skip to main content
Guardian
Docs
ChangelogFAQContact
Download
Guardian

Release-driven governance platform for engineering teams. Maintain code quality and security at scale.

Product

  • Changelog
  • Docs
  • FAQ
  • Contact

Resources

  • Getting Started
  • Security
  • Configuration
  • Guru AI
  • Monitoring

Legal

  • Privacy Policy

© 2026 Guardian Project. All rights reserved.

Designed & Developed bySenol Dogan

Security | Guardian

Sections

Features

Guru: AI AssistantProject MonitoringReviews & Fix Proposals

General

Getting Started

Operations

InstallationAuthenticationUpdatesConfigurationMigration Guide

Security

Security

Support

Troubleshooting
Documentation

Security

Repository separation, signing model, release hardening, and data protection.

Security Architecture

Guardian implements a defense-in-depth security model with multiple layers of protection:

┌──────────────────────────────────────────────┐
│              🔒 Application Layer             │
│  • Secure credential storage (Keychain/DPAPI) │
│  • Input validation & sanitization            │
│  • CSP-enforced script execution              │
└──────────────────────────────────────────────┘
                       │
┌──────────────────────────────────────────────┐
│             🔐 Transport Layer               │
│  • HTTPS/TLS for API communications           │
│  • Update checks via GitHub Releases          │
│  • Optional custom feed via env override      │
└──────────────────────────────────────────────┘
                       │
┌──────────────────────────────────────────────┐
│              📦 Distribution Layer           │
│  • Optional code signing (build/distribution dependent) │
│  • Versioned release artifacts + metadata     │
│  • Updater signature verification (config dependent) │
└──────────────────────────────────────────────┘

Repository Strategy

Guardian uses a dual-repository model for maximum security:

Source Repository

  • Contains all source code
  • Access restricted to your development team
  • No artifacts or binaries stored here
  • Protected branches with code review requirements

Distribution Repository or Update Host

  • Contains only signed release artifacts
  • Release metadata in latest.json
  • Release records for version history
  • Public or internal access for download and update checks

Key Principle: Never expose source code in distribution locations. Only publish compiled, signed artifacts.

Signing Model

Release hardening depends on your build and distribution setup. Guardian supports common signing and verification patterns, but exact guarantees vary by platform and configuration.

Code Signing

PlatformMethodCertificate
macOSCode signing / notarizationBuild dependent

Update Verification

The in-app updater can validate updates before applying them:

1. Download update package
2. Verify update (for example: signature checks depending on configuration)
3. Apply update if checks pass

If any verification fails, the update is rejected and the user is notified.

Secret Management

What to Protect

Secret TypeStorage LocationNever Store In
API KeysKeychain/DPAPIPlain text files
Private KeysCI SecretsRepository
Auth TokensSecure storagelocalStorage

Configuration Best Practices

  1. Use Environment Variables: For CI/CD, use encrypted secrets:

    # CI example
env:
  ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

  2. Rotate Keys Regularly: Set calendar reminders for key rotation

  3. Audit Access: Review who has access to secrets quarterly

Data Protection

Local Data

Guardian stores these data types locally:

Data TypeLocationEncryption
SettingsApp data folderOS / filesystem dependent
Scan historyApp data folderOS / filesystem dependent
API credentialsSystem keychainOS keychain encryption

Data Transmission

  • API calls use HTTPS/TLS
  • No telemetry data is collected without consent
  • Scan results are processed locally by default; enabling external integrations may send selected context to third-party services you configure

Content Security Policy

Guardian enforces strict CSP rules (illustrative):

default-src 'self';
script-src 'self';
style-src 'self';
img-src 'self' data: https:;
connect-src 'self' https://api.openai.com https://api.anthropic.com https://github.com;

This prevents:

  • Cross-site scripting (XSS) attacks
  • Unauthorized external connections
  • Code injection attempts

Vulnerability Reporting

Found a security issue? Please report responsibly:

  1. Use the issue tracker for the repository you are using (or your organization's private channel if this is an internal deployment).
  2. Avoid posting exploit details publicly before a fix is available.

Do Not:

  • Post vulnerabilities publicly before a fix is available
  • Attempt to access other users' data
  • Perform destructive testing

Security Checklist

Before deploying Guardian in your organization:

  • Review and approve CSP settings
  • Configure API keys securely (not in plain text)
  • Enable auto-updates for security patches
  • Review network access requirements with security team
  • Document exception handling procedures

On This Page

Security ArchitectureRepository StrategySource RepositoryDistribution Repository or Update HostSigning ModelCode SigningUpdate VerificationSecret ManagementWhat to ProtectConfiguration Best PracticesData ProtectionLocal DataData TransmissionContent Security PolicyVulnerability ReportingSecurity Checklist