Security of Fimil itself.
A security product earns trust by showing its own posture. This page covers how Fimil handles your code and contains its agent — the live evidence lives on the trust center.
your code
How scans handle your source.
The principle is simple: Fimil's product is findings, not a copy of your codebase.
Ephemeral scan workspaces
Each scanner runs in an isolated environment against a fresh clone of your repo. The workspace is torn down when the scan completes; Fimil stores findings and metadata, not your source.
Output redaction
Scanner and pentest output passes through redaction before storage — discovered secrets and sensitive values are masked in evidence, not persisted in the clear.
Encrypted credentials
Pentest login credentials and TOTP seeds are encrypted at rest and never echoed back through the API once set.
Audit trails
Triage transitions, pentest agent requests, and blocked off-scope attempts all land in audit logs you can inspect.
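The "Output redaction" item above says secrets are masked before evidence is stored. The sketch below is an added example of that idea, not Fimil's own redaction code: it replaces common secret shapes with a fixed tag carrying a short hash fingerprint, so an analyst can still tell that two findings share the same credential without the value ever being persisted. The pattern set, the tag format and the sample scanner lines are all constructed for illustration.

```python
import hashlib
import re

# Constructed secret shapes; illustrative only, not a complete or product rule set.
# Each entry: (kind, compiled regex, group index holding the secret value; 0 = whole match)
SECRET_PATTERNS = [
    ("private_key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S), 0),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("kv_secret",
     re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})"), 1),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)"), 1),
]


def fingerprint(secret: str) -> str:
    """Short, stable identifier for a secret that reveals nothing about its value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def redact(text: str):
    """Return (redacted_text, [(kind, fingerprint), ...]).

    Only the secret value is replaced; surrounding context such as 'password='
    or 'Bearer ' is kept so the evidence still reads naturally in triage.
    """
    found = []
    for kind, regex, group in SECRET_PATTERNS:
        def _sub(m, kind=kind, group=group):
            secret = m.group(group)
            found.append((kind, fingerprint(secret)))
            tag = f"[REDACTED:{kind}:{fingerprint(secret)}]"
            whole = m.group(0)
            head = m.start(group) - m.start(0)
            tail = m.end(group) - m.start(0)
            return whole[:head] + tag + whole[tail:]
        text = regex.sub(_sub, text)
    return text, found


# Constructed scanner/pentest output used as sample input (not real findings).
SAMPLE_OUTPUT = """[scan] found AWS key AKIAIOSFODNN7EXAMPLE in config/prod.env
[pentest] Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl
[pentest] login form accepted password=Tr0ub4dor&3 for user alice
[scan] key material in deploy/id_rsa:
-----BEGIN PRIVATE KEY-----
MIIconstructedKeyBodyNotARealKey
-----END PRIVATE KEY-----
"""


def redact_sample():
    """Run the redactor over the constructed sample; used by the demo and tests."""
    return redact(SAMPLE_OUTPUT)


if __name__ == "__main__":
    cleaned, seen = redact_sample()
    print(cleaned)
    print(seen)
```

Design note: the fingerprint is a truncated SHA-256 of the raw value. That is enough to correlate findings but, for low-entropy secrets such as passwords, a determined party could still brute-force the prefix, so a production redactor should key the hash with a per-tenant secret (an HMAC) rather than hash the value directly.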
agent containment
The pentest agent is autonomous — and leashed.
Every request the agent makes passes through a scope guard: a hostname allowlist it cannot leave, destructive HTTP verbs gated off by default, per-host rate limits, DNS pinning with RFC1918 and cloud-metadata IP rejection, and a kill switch checked continuously during the run. Blocked attempts are aborted and written to the audit log.
The full pentest containment model
allowlist: staging.acme.dev, *.api.acme.dev
rate: ≤ 5 req/s per host
verbs: DELETE/PATCH gated · kill switch armed
dns: pinned · RFC1918 + metadata IPs rejected
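The containment card above lists five controls (hostname allowlist, gated verbs, per-host rate limit, DNS pinning with RFC1918 and metadata-IP rejection, kill switch). The code below is an added example of a scope guard that enforces all five in the order a request would hit them, written for this page rather than taken from Fimil's agent. The hostnames and rate come from the card; the DNS table, the TEST-NET addresses and the `ScopeGuard`/`HostRateLimiter` names are constructed assumptions, and an injectable clock and resolver keep the run offline and deterministic.

```python
import fnmatch
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Address ranges the agent must never be allowed to reach, regardless of hostname.
# Explicit lists are used rather than ipaddress.is_private, which also flags the
# documentation ranges (203.0.113.0/24 etc.) used for the sample targets below.
FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local; includes 169.254.169.254 metadata
    "fc00::/7",                                       # IPv6 ULA; includes AWS IMDS fd00:ec2::254
    "0.0.0.0/8", "::/128",                            # "this host"
)]


@dataclass
class ScopePolicy:
    # Values shown on the page's containment card
    allowlist: List[str] = field(default_factory=lambda: ["staging.acme.dev", "*.api.acme.dev"])
    gated_verbs: frozenset = frozenset({"DELETE", "PATCH"})
    max_rps: float = 5.0


def host_in_scope(host: str, allowlist: List[str]) -> bool:
    """Exact or wildcard match; '.' is literal in fnmatch, so suffix tricks fail."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pat.lower()) for pat in allowlist)


def ip_is_forbidden(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in FORBIDDEN_NETS)


class HostRateLimiter:
    """Token bucket per host; refills at max_rps, holds at most max_rps tokens."""
    def __init__(self, max_rps: float, clock: Callable[[], float] = time.monotonic):
        self.max_rps, self.clock = max_rps, clock
        self.tokens: Dict[str, float] = {}
        self.last: Dict[str, float] = {}

    def allow(self, host: str) -> bool:
        now = self.clock()
        tokens = min(self.max_rps, self.tokens.get(host, self.max_rps)
                     + (now - self.last.get(host, now)) * self.max_rps)
        self.last[host] = now
        self.tokens[host] = tokens - 1 if tokens >= 1 else tokens
        return tokens >= 1


class ScopeGuard:
    def __init__(self, policy: ScopePolicy, resolver: Callable[[str], List[str]],
                 clock: Callable[[], float] = time.monotonic):
        self.policy, self.resolver = policy, resolver
        self.limiter = HostRateLimiter(policy.max_rps, clock)
        self.kill_switch = False          # flipped externally; consulted on every request
        self.pinned: Dict[str, str] = {}  # host -> IP fixed at first resolution (anti-rebinding)
        self.audit: List[dict] = []       # every decision, allowed or blocked, is recorded

    def check(self, method: str, host: str) -> str:
        verdict = self._decide(method.upper(), host.lower())
        self.audit.append({"method": method.upper(), "host": host, "verdict": verdict})
        return verdict

    def _decide(self, method: str, host: str) -> str:
        if self.kill_switch:
            return "blocked:kill_switch"
        if not host_in_scope(host, self.policy.allowlist):
            return "blocked:off_scope"
        if method in self.policy.gated_verbs:
            return "blocked:gated_verb"
        if host not in self.pinned:  # resolve once, then reuse the pinned address for the run
            addrs = self.resolver(host)
            if not addrs or any(ip_is_forbidden(a) for a in addrs):
                return "blocked:forbidden_ip"
            self.pinned[host] = addrs[0]
        if not self.limiter.allow(host):
            return "blocked:rate_limit"
        return "allowed"


def fake_resolver(host: str) -> List[str]:
    # Constructed DNS table; 203.0.113.0/24 is a documentation range, 10.0.0.5 is RFC1918.
    return {"staging.acme.dev": ["203.0.113.10"],
            "v2.api.acme.dev": ["203.0.113.11"],
            "internal.api.acme.dev": ["10.0.0.5"]}.get(host, [])


def run_demo() -> List[str]:
    """Exercise each control once; returns the verdict sequence for inspection."""
    now = [0.0]  # frozen clock so the bucket never refills during the demo
    guard = ScopeGuard(ScopePolicy(), fake_resolver, clock=lambda: now[0])
    out = [guard.check("GET", "staging.acme.dev"),          # allowed
           guard.check("GET", "prod.acme.dev"),             # blocked:off_scope
           guard.check("DELETE", "v2.api.acme.dev"),        # blocked:gated_verb
           guard.check("GET", "internal.api.acme.dev")]     # blocked:forbidden_ip (in-scope name, private IP)
    for _ in range(5):
        guard.check("GET", "v2.api.acme.dev")               # 5 req/s budget consumed
    out.append(guard.check("GET", "v2.api.acme.dev"))       # blocked:rate_limit
    guard.kill_switch = True
    out.append(guard.check("GET", "staging.acme.dev"))      # blocked:kill_switch
    return out, guard


if __name__ == "__main__":
    verdicts, g = run_demo()
    print(verdicts)
    print(len(g.audit), "audit entries")
```

Two details matter for the "DNS pinning" line on the card: the guard resolves each host once and reuses that address for the rest of the run, so a name that later flips to an internal address gains nothing, and the IP check runs on every address returned rather than just the first.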
deployment isolation
Run it where your code never leaves.
Fimil Enterprise deploys into your own Kubernetes cluster — including fully air-gapped installs with offline scanner images. If your threat model says code can't touch our cloud, don't send it to our cloud.
Found a vulnerability in Fimil?
Responsible disclosure is welcome and credited. Email security@fimil.dev — you'll get a reply from the person who wrote the code. Details in the security policy.
live evidence
The trust center is the receipts.
Compliance framework status, 40+ security controls with verification dates, subprocessors, policies, and pre-answered questionnaires (MVSP, CAIQ, VSA) — published openly, updated continuously, and open-sourced for other startups to fork.