HomeFeaturesPricingDocumentationContactDOWNLOAD

Your code never leaves your machine

SiteCMD is local-first. Your source, scans, and findings stay on your device. You do not have to take our word for it: every network call the app makes is named on this page, and you can watch the traffic yourself.

See how to verify it yourself

Scan data never leaves, period

Everything below is stored in a local SQLite database on your device. None of it is transmitted to SiteCMD servers or any third party.

  • Scan results, scores, and issue history
  • Your source code and code-scan findings
  • Project names, URLs, and configuration
  • Any query to a SiteCMD-controlled or hardcoded third-party DNS service
  • Scan results, page content, or anything beyond the domain name being looked up

Operational calls, named and minimal

A small set of calls keeps the app licensed and up to date and resolves your dependencies. Each one sends only what it needs to do its job, never your code or scans, and every one is named in the table below.

Analytics and crash reports, off by default

Both are opt-in and stay off until you turn them on. When enabled, they send only anonymized, sanitized diagnostics, never your scans, source, or credentials. The table below lists exactly what each one carries.

Every call, in one table

All network activity the app can produce, by name. Scan-data entries have no host because they never leave your device.

CallHostSendsNever sends
License activationapi.lemonsqueezy.comYour license key; A machine-scoped activation identifier: a SHA-256 hash of your device hostname and username encoded as a 16-character hex string prefixed with 'sitecmd-'; the raw hostname and username are never transmittedRaw hostname or username; Any scan result, source file, project name, or URL
License validationapi.lemonsqueezy.comYour license key; The per-activation instance ID issued when you activatedAny scan result, source file, project name, or URL
Domain expiry lookup (RDAP)rdap.orgThe scanned site's registrable domain name (in the request URL), to read the public registration record's expiry date; rdap.org redirects to the TLD registry's public RDAP endpointScan results, page content, credentials, or project configuration
Update checkreleases.sitecmd.comCurrent app version; Operating system / platform identifierAny scan result, source file, project name, or URL
Usage analyticstelemetry.sitecmd.comApp version and build channel; Operating system family and CPU architecture; Current subscription tier; Anonymous install identifier (random UUID, not linked to an account); Event name and workflow status; Aggregate counters such as issue totals by severityScan targets, project names, source code, credentials, license keys, page content, raw logs
Crash and error reportso4511662343127040.ingest.us.sentry.ioSanitized error message and exception type; Sanitized stack frame function names and filenames; Sanitized breadcrumb trail (last 30 app events, free-form text scrubbed)URLs, file paths, emails, tokens, license keys, source snippets, request bodies, raw logs, user identity
Dependency and vulnerability lookupsregistry.npmjs.orgpypi.orgrepo.packagist.orgcrates.iorubygems.orgproxy.golang.orgapi.wordpress.orgupdates.drupal.orgapi.osv.devPackage names and versionsYour manifests, lockfiles, or source

Don't trust us. Watch the traffic.

Run a website scan on a project with no integrations connected and no local code linked, and the only outbound connections go to the site being scanned. Nothing carrying your code or scan results ever reaches a SiteCMD server. The other calls are exactly the ones named in the table above: license validation and updates at startup, and, when you scan a project with linked code, the dependency and vulnerability lookups, which send package names and versions, never your source.

Run your own capture

  • macOS: enable Little Snitch alert mode, or run a tcpdump session scoped to the SiteCMD process, then start a scan.
  • Any platform: open Wireshark with a capture filter on the app and watch a scan run.
  • During a website scan you will see the target site, plus any integrations you connected. You will not see your source code or a SiteCMD scan backend.
  • When you scan a project with linked code, you will also see the dependency and vulnerability registries from the table above. That is a separate dependency check; it sends package names and versions, never your source.
  • At startup you will see license validation (api.lemonsqueezy.com) and the update check (releases.sitecmd.com). Finding these confirms this page.

For the full per-endpoint reference, seePrivacy and data.