Data Privacy and Security
The data HeroDevs receives from end-of-life scans and how it's kept secure
What data does HeroDevs receive and store?
Can HeroDevs identify who and where CLI scans are being run?
HeroDevs takes our users' privacy seriously; all potentially sensitive data is intentionally stripped on the user's own device before anything is transmitted. This means HeroDevs has no way of identifying which systems, projects, file directories, companies, or persons have run any scans.
What data does HeroDevs receive when I use the CLI scanner?
Our CLI scanner performs two key actions: SBOM preparation, which happens client-side on your machine, and EOL JSON payload delivery from HeroDevs' database back to the client.
SBOM Preparation
👉 SBOM creation and anonymization occur on the client's machine. HeroDevs has no access to this data.
Once a scan is initiated, the HeroDevs CLI uses cdxgen within the selected directory to create an SBOM based on any manifest files present. Once the SBOM is generated, the CLI automatically trims and anonymizes the SBOM. This is the only data sent to HeroDevs. HeroDevs uses this list of purls to look up and return each purl's end-of-life status. Below is an example of the exact data sent to HeroDevs:
Example Trimmed / Anonymized SBOM
{
  "input": {
    "sbom": {
      "components": [
        { "purl": "pkg:golang/cel.dev/expr@v0.16.1" },
        { "purl": "pkg:npm/wkx@0.5.0" },
        { "purl": "pkg:npm/wrappy@1.0.2" },
        { "purl": "pkg:npm/ws@8.17.1" },
        { "purl": "pkg:npm/xtend@4.0.2" },
        { "purl": "pkg:npm/yallist@4.0.0" },
        { "purl": "pkg:npm/zen-observable@0.8.15" },
        { "purl": "pkg:npm/zen-observable-ts@1.2.5" },
        { "purl": "pkg:pypi/a2wsgi@1.10.8" },
        { "purl": "pkg:pypi/anyio@4.9.0" },
        { "purl": "pkg:pypi/argon2-cffi@25.1.0" },
        { "purl": "pkg:pypi/argon2-cffi-bindings@21.2.0" },
        { "purl": "pkg:pypi/asgiref@3.8.1" },
        { "purl": "pkg:pypi/attrs@25.3.0" },
        { "purl": "pkg:pypi/authlib@1.3.2" },
        { "purl": "pkg:pypi/autocommand@2.2.2" },
        { "purl": "pkg:pypi/backports-tarfile@1.2.0" }
      ]
    }
  }
}
This anonymized SBOM is a list of purls; HeroDevs does not receive the file path scanned, the project scanned, or any PII about the individual who may have run the scan. All of that information is removed from the SBOM on the user's machine before an EOL Report is generated and returned.
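As an added illustration (not HeroDevs' CLI code), the trimming step described above in JavaScript: a constructed cdxgen-style CycloneDX SBOM carrying a project name, an author and local file paths is reduced to the purl-only payload shape shown above, followed by a check that nothing but purls survived. The constructed SBOM, the de-duplication, and dropping components that have no purl are assumptions of this example.

```javascript
// Constructed CycloneDX-style SBOM resembling cdxgen output (sample data, not a real scan).
// Fields such as metadata.component, authors, properties and evidence carry exactly the
// kind of information the page says is removed before anything leaves the machine.
const sampleSbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  metadata: {
    component: { name: "acme-payments-service", version: "2.3.0" }, // project identity
    authors: [{ name: "alice@example.com" }],                       // PII
  },
  components: [
    { type: "library", name: "ws", version: "8.17.1", purl: "pkg:npm/ws@8.17.1",
      properties: [{ name: "SrcFile", value: "/home/alice/acme/package-lock.json" }],
      evidence: { occurrences: [{ location: "/home/alice/acme/package-lock.json" }] } },
    { type: "library", name: "anyio", version: "4.9.0", purl: "pkg:pypi/anyio@4.9.0" },
    { type: "library", name: "ws", version: "8.17.1", purl: "pkg:npm/ws@8.17.1" }, // duplicate
    { type: "library", name: "internal-lib", version: "0.1.0" },                    // no purl
  ],
};

// Reduce a full SBOM to the purl-only payload shape shown on this page.
// Assumption: duplicates are collapsed and components without a purl are dropped,
// since there is nothing for an EOL lookup to key on.
function trimSbomForEol(sbom) {
  const purls = new Set();
  for (const c of sbom.components ?? []) {
    if (typeof c.purl === "string" && c.purl.startsWith("pkg:")) purls.add(c.purl);
  }
  return { input: { sbom: { components: [...purls].sort().map((purl) => ({ purl })) } } };
}

// Defensive check: confirm every component object carries only a "purl" key.
function onlyPurlsPresent(payload) {
  return payload.input.sbom.components.every(
    (c) => Object.keys(c).length === 1 && typeof c.purl === "string",
  );
}

const payload = trimSbomForEol(sampleSbom);
console.log(JSON.stringify(payload, null, 2));
console.log("only purls present:", onlyPurlsPresent(payload));
```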
EOL JSON payload delivery
Once HeroDevs receives the above list of purls, an EOL Report is generated, containing all known end-of-life information about the OSS purls. This EOL Report is provided as a JSON payload to the client along with a report URL for easy viewing.
What does HeroDevs do with this report data?
HeroDevs saves the lists of anonymous purls scanned for the following purposes:
- Focus data quality improvements on purls users are asking about
- Add additional OSS analysis and metadata for those purls
- Evaluate popular end-of-life gaps in open source ecosystems which may benefit from HeroDevs' support
The anonymous purl list is not shared with, stored by, or sold to any other entities.