1. What to upload
Upload a clean source archive for the project you want checked. Include the code and configuration needed to understand auth, admin access, payments, webhooks, data access, uploads, and production boundaries.
Do not include:
- .env files, API keys, private keys, tokens, passwords, or production credentials;
- customer data, logs, analytics exports, screenshots with personal data, or database dumps;
- dependency folders such as node_modules, build output, local caches, or generated artifacts;
- code or assets you are not allowed to submit for security review.
2. Private storage
Uploaded archives are stored with server-generated names and internal references. In production, uploads are intended to be stored as private Cloudflare R2 objects. Local file storage may be used in development or controlled environments.
Oh My Audit does not create a public URL for the uploaded archive and does not serve the archive as a static website file. Uploaded source archives are automatically deleted after 7 days.
3. Automated scanning
The score worker extracts project files for analysis and may copy them into temporary scanner workspaces. Current production scanning runs in Oh My Audit's worker environment using open-source security scanners and internal heuristics. The checks cover code patterns, secret-pattern detection with redacted output, and dependency vulnerability signals.
The source archive is not uploaded to a hosted scanner SaaS as part of the current self-serve score flow. Some dependency checks may use package names and version information to query public vulnerability data.
Temporary scanner workspaces are removed after each scan. Scanner summaries and selected findings may be stored with the analysis record so you can view history.
4. Operator access
The Full Report and security score are fully automated. Operators may access uploaded code, scanner summaries, and selected findings only as needed to operate the service, troubleshoot issues, and provide support. Access is limited to the workflow and support needed to run the service.
We do not publish private findings, customer project names, or uploaded code without permission.
5. Results and reports
Free scores show a score, launch-risk level, and signal counts. The Full Report adds every automated finding with its location and fix guidance, generated instantly on upload. Results are based on the submitted archive and the context available at the time of the scan.
A score or report is not a guarantee that the project is secure, complete, compliant, or free of vulnerabilities.
6. Deletion
Uploaded source archives are automatically deleted after 7 days. Score, report, scanner summary, payment, and support records may remain after the archive is deleted.
You can request earlier deletion of uploaded archives or account data by emailing contact@ohmyaudit.app. We may need to keep limited records for payment, accounting, fraud prevention, security, or legal reasons.
If you need faster deletion after a sensitive upload, include the account email, app name, original file name, and approximate upload time.
7. Practical limits
Do not treat the upload process as a secure secret vault. Keep secrets out of source archives before uploading. If a secret is accidentally uploaded, rotate it in your own systems first, then contact us for deletion.
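As an added, illustrative example (not Oh My Audit's own tooling), the following POSIX shell script does the preparation sections 1 and 7 ask for: it builds a source archive that leaves out env files, key material, dependency folders, build output, caches, logs and database dumps, then checks the result before upload by listing any archive entry that still looks forbidden and by searching the source tree for credential-shaped strings, reporting only file and line rather than the value itself (the same redacted-output idea section 3 describes). The exclusion patterns, the secret regexes and the function names are assumptions chosen for illustration; adjust them to your project.

```shell
#!/bin/sh
# Added example, not Oh My Audit's own code: prepare and sanity-check a source
# archive before upload. Exclusion patterns and secret regexes are assumptions.
set -eu

# make_clean_archive SRC_DIR OUT_TAR_GZ
# Packs SRC_DIR into a gzip tarball, skipping env files, key material,
# dependency folders, build output, caches, logs and database dumps.
make_clean_archive() {
  src="$1"; out="$2"
  tar -czf "$out" \
    --exclude='.env' --exclude='.env.*' \
    --exclude='*.pem' --exclude='*.key' --exclude='id_rsa*' \
    --exclude='node_modules' --exclude='dist' --exclude='build' \
    --exclude='.cache' --exclude='*.log' --exclude='*.sql' --exclude='*.dump' \
    --exclude='.git' \
    -C "$src" .
}

# archive_has_forbidden OUT_TAR_GZ
# Lists the archive and reports entries that should not be there.
# Returns 0 (true) when at least one offending entry exists, 1 when clean.
archive_has_forbidden() {
  bad=$(tar -tzf "$1" \
    | grep -E '(^|/)(\.env(\.[^/]*)?|node_modules|[^/]*\.(pem|key|log|sql|dump))(/|$)' \
    || true)
  if [ -n "$bad" ]; then
    printf 'forbidden entries in archive:\n%s\n' "$bad" >&2
    return 0
  fi
  return 1
}

# scan_tree_for_secrets SRC_DIR
# Heuristic search for credential-shaped strings (an AWS-style access key id,
# or a key/secret/token/password name followed by a long value). Prints only
# file:line so the matched value is never echoed, mirroring redacted output.
# Returns 0 when something was found, 1 when nothing matched.
scan_tree_for_secrets() {
  hits=$(grep -rniE --exclude-dir=node_modules --exclude-dir=.git \
      -e 'AKIA[0-9A-Z]{16}' \
      -e '(api[_-]?key|secret|token|password)[^[:alnum:]]{0,6}[[:alnum:]_-]{12,}' \
      "$1" 2>/dev/null | cut -d: -f1,2 || true)
  if [ -n "$hits" ]; then
    printf 'possible secrets (rotate before upload):\n%s\n' "$hits" >&2
    return 0
  fi
  return 1
}
```

Typical use is `make_clean_archive ./myproject ./myproject.tgz`, then `archive_has_forbidden ./myproject.tgz` and `scan_tree_for_secrets ./myproject` before uploading; a non-zero hit count from either check means fix the tree (and rotate the secret in your own systems, as section 7 says) rather than upload. The secret scan is a coarse heuristic that will miss some formats and flag some false positives; it is a last pre-upload check, not a substitute for keeping credentials out of the repository in the first place.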