Privacy & network
What ShieldX sends out, what it stores locally, and how to run it in restricted environments.
What leaves your machine
ShieldX makes outbound HTTPS requests to a small set of endpoints during a scan:
| Endpoint | Purpose | Toggle |
|---|---|---|
| registry.npmjs.org | Publisher metadata | always on |
| api.npmjs.org/downloads | Download counts | always on |
| api.github.com | Repository presence (verified only) | always on |
| api.osv.dev | Vulnerability advisories | shieldx.enableOsvScan |
Requests carry only the extension ID, publisher name, or dependency name being looked up. No workspace contents, file paths, or user identifiers are transmitted.
Outbound requests to GitHub and the npm registry are made only for extensions that match a verified repository mapping or a well-known publisher, so an arbitrary extension cannot trigger an outbound reputation lookup.
What is stored locally
- Last scan — kept in extension global state for fast dashboard rendering
- Scan history — capped list of previous scans in global state
- Scan cache — JSON in extension global storage, used to short-circuit unchanged extensions
- Usage counters — small numeric counters (scans run, exports made)
Nothing in this list contains PII or workspace source code. Reports written via Export live wherever you save them.
Air-gapped or restricted environments
Run with reduced network use:
- Set `shieldx.enableOsvScan` to `false`
- Configure your proxy to allow only the endpoints in the table above, if any
- Expect lower-fidelity scoring — npm reputation and OSV signals will be absent or stale
The scan still produces actionable results from package metadata and code-pattern analysis alone.
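The endpoint table and the OSV toggle together describe an egress allowlist. The following TypeScript is an added illustration, not ShieldX's own code: it refuses any request that is not HTTPS, not one of the hosts in the table, or gated behind a disabled setting, and it lists the hosts a restrictive proxy would need to permit. The `Settings` shape, the function names and the `/downloads` path prefix for api.npmjs.org are assumptions.

```typescript
// Added example (not ShieldX's own code): an outbound allowlist built from the
// endpoint table above. The Settings shape, function names and the path prefix
// for api.npmjs.org are assumptions made for this illustration.

interface Settings { enableOsvScan: boolean }

interface Endpoint { host: string; pathPrefix: string; toggle?: keyof Settings }

// One row per table entry; the OSV row is gated by its setting.
const ALLOWED_ENDPOINTS: ReadonlyArray<Endpoint> = [
  { host: "registry.npmjs.org", pathPrefix: "/" },
  { host: "api.npmjs.org", pathPrefix: "/downloads" },
  { host: "api.github.com", pathPrefix: "/" },
  { host: "api.osv.dev", pathPrefix: "/", toggle: "enableOsvScan" },
];

type EgressDecision = { allowed: true } | { allowed: false; reason: string };

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Decide whether a request may leave the machine. Anything not HTTPS, not in
// the table, or behind a disabled toggle is refused before any socket is opened.
function checkEgress(url: string, settings: Settings): EgressDecision {
  const parsed = parseUrl(url);
  if (!parsed) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (parsed.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${parsed.protocol} is not https:` };
  }
  const entry = ALLOWED_ENDPOINTS.find(
    e => e.host === parsed.hostname && parsed.pathname.startsWith(e.pathPrefix),
  );
  if (!entry) {
    return { allowed: false, reason: `${parsed.hostname}${parsed.pathname} is not an allowlisted endpoint` };
  }
  if (entry.toggle && !settings[entry.toggle]) {
    return { allowed: false, reason: `${entry.toggle} is disabled` };
  }
  return { allowed: true };
}

// Hosts to permit in a restrictive proxy for the given settings: with OSV off,
// only the three always-on hosts remain.
function allowedProxyHosts(settings: Settings): string[] {
  return ALLOWED_ENDPOINTS
    .filter(e => !e.toggle || settings[e.toggle])
    .map(e => e.host);
}
```

Putting the decision in front of the HTTP client, rather than relying on the proxy alone, means a disabled OSV scan never even attempts a connection, which is what a restricted environment usually wants to be able to verify.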
Telemetry
ShieldX does not implement product analytics or remote telemetry. Usage counters never leave the machine.
Clearing local data
- Clear scan history — removes stored scans from global state
- Uninstalling the extension removes the global storage cache on next editor launch
- Workspace policy files (`.shieldx.json`) are owned by you and never removed by ShieldX
Sensitive workspace heuristic
When a scan flags risky extensions and the workspace contains files that look like secrets (.env, private keys, common cloud credential filenames), ShieldX shows a one-time warning. The check is local and heuristic: matched filenames are never sent anywhere.
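The following TypeScript is an added illustration of a local heuristic of this kind, not ShieldX's own code. It matches workspace-relative paths against secret-looking filename patterns, skips template files such as `.env.example`, reduces the matches to per-category counts so that no path needs to be included in the warning, and models the one-time behaviour with a small state flag. The pattern list, function names and the shape of the warning state are assumptions.

```typescript
// Added example (not ShieldX's own code): a local heuristic for secret-looking
// filenames, as described above. The pattern list, function names and the
// shape of the warning state are assumptions made for this illustration.

interface SecretPattern { label: string; test: RegExp }

// Matched against workspace-relative paths with forward slashes.
const SECRET_PATTERNS: ReadonlyArray<SecretPattern> = [
  { label: "dotenv file", test: /(^|\/)\.env(\.[\w.-]+)?$/i },            // .env, .env.local
  { label: "private key", test: /\.(pem|key|p12|pfx)$/i },
  { label: "private key", test: /(^|\/)id_(rsa|dsa|ecdsa|ed25519)$/ },    // SSH keys
  { label: "cloud credential file", test: /(^|\/)\.aws\/credentials$/ },
  { label: "cloud credential file", test: /service[-_]?account[^\/]*\.json$/i }, // GCP
  { label: "cloud credential file", test: /(^|\/)\.kube\/config$/ },
];

// Template files are commonly committed on purpose; do not count them as secrets.
const TEMPLATE_SUFFIX = /\.(example|sample|template|dist)$/i;

interface SecretMatch { path: string; label: string }

// Pure string matching over a list of relative paths; nothing is read or sent.
function findSensitiveFiles(relativePaths: string[]): SecretMatch[] {
  const matches: SecretMatch[] = [];
  for (const raw of relativePaths) {
    const p = raw.replace(/\\/g, "/");
    if (TEMPLATE_SUFFIX.test(p)) continue;
    const hit = SECRET_PATTERNS.find(s => s.test.test(p));
    if (hit) matches.push({ path: p, label: hit.label });
  }
  return matches;
}

// What the warning may carry: counts per category, never the matched paths.
function summarizeForWarning(matches: SecretMatch[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const m of matches) counts[m.label] = (counts[m.label] || 0) + 1;
  return counts;
}

interface WarningState { warned: boolean }

// One-time warning: fires only when risky extensions were flagged, secret-looking
// files exist, and the warning has not been shown before for this state.
function shouldShowWarning(riskyFlagged: boolean, matches: SecretMatch[], state: WarningState): boolean {
  if (!riskyFlagged || matches.length === 0 || state.warned) return false;
  state.warned = true;
  return true;
}

// Constructed sample input for a stand-alone run (not a real workspace).
const SAMPLE_FILES = [
  "src/index.ts", ".env", ".env.example", "deploy\\.aws\\credentials",
  "keys/server.pem", "README.md", "infra/sa-service-account.json",
];
const sampleMatches = findSensitiveFiles(SAMPLE_FILES);
console.log(summarizeForWarning(sampleMatches));
```

Keeping the matched paths out of the warning payload is what makes the "never sent anywhere" guarantee easy to audit: the only object that could ever be surfaced or logged is the per-category count.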