Privacy & network

What ShieldX sends out, what it stores locally, and how to run it in restricted environments.

What leaves your machine

ShieldX makes outbound HTTPS requests to a small set of endpoints during a scan:

  Endpoint                   Purpose                               Toggle
  registry.npmjs.org         Publisher metadata                    always on
  api.npmjs.org/downloads    Download counts                       always on
  api.github.com             Repository presence (verified only)   always on
  api.osv.dev                Vulnerability advisories              shieldx.enableOsvScan

Requests carry only the extension ID, publisher name, or dependency name being looked up. No workspace contents, file paths, or user identifiers are transmitted.

Outbound requests to GitHub and the npm registry are made only for extensions that explicitly match a verified repository mapping or a well-known publisher, so an arbitrary extension cannot trigger outbound reputation lookups.

What is stored locally

  • Last scan — kept in extension global state for fast dashboard rendering
  • Scan history — capped list of previous scans in global state
  • Scan cache — JSON in extension global storage, used to short-circuit unchanged extensions
  • Usage counters — small numeric counters (scans run, exports made)

Nothing in this list contains PII or workspace source code. Reports written via Export live wherever you save them.

Air-gapped or restricted environments

Run with reduced network use:

  1. Set shieldx.enableOsvScan to false
  2. If you permit any egress at all, configure your proxy to allow only the endpoints in the table above
  3. Expect lower-fidelity scoring — npm reputation and OSV signals will be absent or stale

The scan still produces actionable results from package metadata and code-pattern analysis alone.
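As an added example (not ShieldX's own code), the script below checks proxy log lines against the endpoint table above, treating api.osv.dev as permitted only when shieldx.enableOsvScan is on. The "METHOD URL" log format, the sample lines, and the assumption that the toggle defaults to on are constructed for illustration.

```python
"""Audit proxy log lines for ShieldX egress against the documented endpoint allowlist.

Added example, not part of ShieldX. The allowlist comes from the endpoint table
on this page; the log format and sample lines are constructed assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# (host, path prefix) -> name of the setting that gates it, or None for "always on".
ALLOWED_ENDPOINTS = {
    ("registry.npmjs.org", "/"): None,
    ("api.npmjs.org", "/downloads"): None,
    ("api.github.com", "/"): None,
    ("api.osv.dev", "/"): "shieldx.enableOsvScan",
}

@dataclass
class Verdict:
    url: str
    allowed: bool
    reason: str

def check_request(url: str, settings: dict) -> Verdict:
    """Decide whether one outbound request matches the documented allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return Verdict(url, False, "non-HTTPS request")
    for (host, prefix), toggle in ALLOWED_ENDPOINTS.items():
        if parts.hostname == host and parts.path.startswith(prefix):
            # Assumption: a gated endpoint is on unless the setting is explicitly false.
            if toggle and not settings.get(toggle, True):
                return Verdict(url, False, f"{toggle} is disabled")
            return Verdict(url, True, "documented endpoint")
    return Verdict(url, False, "host not in documented allowlist")

def audit_log(lines, settings: dict) -> list:
    """Return one Verdict per non-empty 'METHOD URL' line (constructed format)."""
    verdicts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _method, url = line.split(None, 1)
        verdicts.append(check_request(url, settings))
    return verdicts

# Constructed sample log: two expected lookups, one OSV query, one unexpected host.
SAMPLE_LOG = """\
GET https://registry.npmjs.org/some-package
GET https://api.npmjs.org/downloads/point/last-week/some-package
GET https://api.osv.dev/v1/query
GET https://example-telemetry.invalid/collect
"""
```

Run it with shieldx.enableOsvScan set to false and the OSV query and the unknown host are both flagged, which is the behaviour you would want to confirm in a restricted environment.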

Telemetry

ShieldX does not implement product analytics or remote telemetry. Usage counters never leave the machine.

Clearing local data

  • Clear scan history — removes stored scans from global state
  • Uninstalling the extension removes the global storage cache on next editor launch
  • Workspace policy files (.shieldx.json) are owned by you and never removed by ShieldX

Sensitive workspace heuristic

When a scan flags risky extensions and the workspace contains files that look like secrets (.env, private keys, common cloud credential filenames), ShieldX shows a one-time warning. The check is local and heuristic: matched filenames are never sent anywhere.