Migration assurance
Security and source handling
The scanner performs static analysis only. It never executes uploaded code, installs its dependencies or calls Amazon. Source is processed ephemerally and is not retained.
Upload isolation
ZIP uploads are checked for unsafe paths, archive bombs, symlinks, nested archives and encrypted entries. Unsupported and binary files are skipped.
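An added example, not the scanner's own code: one way to run the checks listed above against a ZIP's central directory without extracting anything. The limits, the suffix list and the names check_zip and build_sample are assumptions made for illustration.

```python
import io
import stat
import zipfile
from pathlib import PurePosixPath

# Assumed limits for illustration; the page does not state the scanner's thresholds.
MAX_ENTRIES = 2000
MAX_TOTAL_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100
ARCHIVE_SUFFIXES = {".zip", ".jar", ".tar", ".gz", ".tgz", ".7z", ".rar"}

def check_zip(data: bytes) -> list[str]:
    """Return reasons to reject the archive (empty list = passed). Nothing is extracted."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        problems.append(f"too many entries: {len(infos)}")
    total = 0
    for info in infos:
        name = info.filename.replace("\\", "/")
        path = PurePosixPath(name)
        if name.startswith("/") or ".." in path.parts or ":" in name.split("/")[0]:
            problems.append(f"unsafe path: {info.filename}")
        if info.flag_bits & 0x1:  # general-purpose bit 0 marks an encrypted entry
            problems.append(f"encrypted entry: {info.filename}")
        if stat.S_ISLNK(info.external_attr >> 16):  # Unix mode is in the high 16 bits
            problems.append(f"symlink: {info.filename}")
        if path.suffix.lower() in ARCHIVE_SUFFIXES:  # name-based; magic bytes are stricter
            problems.append(f"nested archive: {info.filename}")
        # Declared sizes can be forged, so any later read must also cap bytes as it goes.
        if info.file_size > MAX_RATIO * max(info.compress_size, 1):
            problems.append(f"compression ratio too high: {info.filename}")
        total += info.file_size
    if total > MAX_TOTAL_BYTES:
        problems.append(f"declared size too large: {total} bytes")
    return problems

def build_sample(entries) -> bytes:
    """Build a constructed in-memory ZIP from (name, payload, unix_mode) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload, mode in entries:
            info = zipfile.ZipInfo(name)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = mode << 16
            zf.writestr(info, payload)
    return buf.getvalue()
```

Rejecting on the first problem is also reasonable; collecting every reason makes the rejection easier to explain to the uploader.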
Secrets and personal data
Credential-like values are masked before they are reported. Sample-data validators redact common personal-data fields, and analytics never receives filenames, snippets or tokens. .env files commonly contain credentials; prefer .env.example, or redact all secrets before upload. Pasted text goes through a browser preflight check before it is submitted; uploaded files are received into isolated transient processing and scanned server-side before the report is persisted. Preflight blocks private keys, LWA client secrets, AWS keys, OAuth tokens, database URLs and password assignments before a report is saved.
Report access
Reports use random private access tokens and expire. Deleting a report removes its stored findings and metadata; uploaded source itself is not retained.
Retention contract
Source is not retained and is discarded when processing completes. The legacy sourceRetentionHours=24 value is only a hard cleanup timeout for exceptional transient buffers. Report findings and metadata are retained for the access period attached to the purchased product: 30 days for Single, 90 days for Bundle and 180 days for each Agency beta project after its first paid scan or unlock. Agency credits expire 180 days after purchase, no new project may be created after credit expiration, and Agency stored report data expires no later than 365 days after pack purchase. Free preview report access is 30 days.
Frequently asked questions
Do you execute uploaded code?
No. Analysis is static; dependencies are not installed and source code is never executed.
Do I provide Amazon credentials?
No. The scanner does not call Amazon and does not require Seller Central credentials.
Official sources
Last reviewed: 2026-07-02.
Open the interactive scanner: /app#/security