Security
FlagLint runs locally against your source files. It does not send source code, flag keys, reports, or migration results to a hosted FlagLint service.
Trust Summary
Local execution — no source upload
FlagLint performs AST analysis entirely in the Node.js process on your machine or CI runner. No file content or flag inventory leaves your environment.
No API key required
flaglint audit, flaglint scan, and flaglint migrate do not contact LaunchDarkly or any external API. Classification is based on static source analysis only.
npm Trusted Publishing
Releases are published to npm through GitHub Actions using npm Trusted Publishing (OIDC). There are no long-lived npm tokens in the repository or CI environment.
CI and SARIF behavior
flaglint validate generates SARIF from local source analysis. The SARIF file is written to disk only where you configure it. Keep provider credentials out of reports and source fixtures — they may appear in scan output if embedded in source.
Vulnerability reporting
Report vulnerabilities privately through GitHub Security Advisories. Do not open a public issue for a security vulnerability.
Privacy and telemetry
FlagLint collects no telemetry. The CLI does not phone home. See Privacy for flaglint.dev website data practices.
Runtime and CI Details
- Node.js 20 or newer is required and validated in CI.
- CI validates supported Node.js versions (20, 22) on every pull request.
- Policy SARIF uses rule id flaglint.direct-launchdarkly.
- Repository security policy: SECURITY.md
- Trust documentation: docs/trust.md
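The SARIF section above warns that credentials embedded in source can surface in scan output, and the list above gives the policy rule id. The following is an added example (not FlagLint's own code) of a pre-upload gate that checks a SARIF document for the documented rule id and for credential-looking text in result messages and snippets; the "sdk-" key shape and the sample report are constructed assumptions for illustration.

```javascript
// Added example, not part of FlagLint: gate a FlagLint SARIF file before it is
// uploaded to CI code scanning. Every result must use the documented rule id,
// and no message or code snippet may carry a credential-looking value.
const EXPECTED_RULE = 'flaglint.direct-launchdarkly';
const SECRET_PATTERNS = [
  /\bsdk-[0-9a-f-]{8,}\b/i,                          // assumed "sdk-..." key shape
  /\b(api|secret)[_-]?key\s*[:=]\s*['"][^'"]{8,}/i,  // generic key assignment
];

// Collect the free-text fields of one SARIF result: the message plus any
// region snippet attached to its physical locations.
function textFieldsOf(result) {
  const fields = [result.message && result.message.text];
  for (const loc of result.locations || []) {
    const region = loc.physicalLocation && loc.physicalLocation.region;
    if (region && region.snippet) fields.push(region.snippet.text);
  }
  return fields.filter(Boolean);
}

// Returns a list of human-readable findings; an empty list means the report
// is safe to upload under these checks.
function auditSarif(sarif) {
  const findings = [];
  for (const run of sarif.runs || []) {
    for (const [i, result] of (run.results || []).entries()) {
      if (result.ruleId !== EXPECTED_RULE) {
        findings.push(`result ${i}: unexpected ruleId ${result.ruleId}`);
      }
      if (textFieldsOf(result).some((t) => SECRET_PATTERNS.some((re) => re.test(t)))) {
        findings.push(`result ${i}: credential-looking value in report text`);
      }
    }
  }
  return findings;
}

// Constructed sample report: one clean result, and one whose snippet echoes a
// key that was embedded in a test fixture.
const SAMPLE = { version: '2.1.0', runs: [{ results: [
  { ruleId: EXPECTED_RULE, message: { text: 'Direct LaunchDarkly call in src/app.js' },
    locations: [{ physicalLocation: { artifactLocation: { uri: 'src/app.js' },
      region: { startLine: 12, snippet: { text: 'ld.variation("new-checkout", user, false)' } } } }] },
  { ruleId: EXPECTED_RULE, message: { text: 'Direct LaunchDarkly call in test/fixture.js' },
    locations: [{ physicalLocation: { artifactLocation: { uri: 'test/fixture.js' },
      region: { startLine: 3, snippet: { text: 'LaunchDarkly.init("sdk-0123456789abcdef")' } } } }] },
] }] };

console.log(auditSarif(SAMPLE));
```

In a pipeline, read the configured SARIF path with `fs.readFileSync` and fail the job when `auditSarif` returns any findings.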