Privacy

Privacy Policy

Fendix is open-source, self-hosted, and collects zero telemetry. Here is exactly what happens with your data.

What Fendix collects

  • Fendix is a self-hosted tool. It does not send any data to external servers.
  • When scanning, Fendix sends HTTP requests only to the target URL you provide.
  • White-box analysis reads source files from the local file system — no code is uploaded anywhere.
  • No analytics, telemetry, or usage tracking is included in the open-source distribution.

Credential handling

  • Auth tokens passed via --auth are used only during the scan and are never persisted to disk.
  • All credentials are masked as [REDACTED] in scan reports (JSON, HTML, and SARIF output).
  • The web dashboard stores tokens in browser localStorage — they are never sent to third-party services.

Scan reports

  • Reports are generated locally and saved to the path you specify with --output.
  • HTML reports are self-contained single files with no external dependencies or tracking scripts.
  • No report data is transmitted to Fendix maintainers or any remote service.

Active probes

  • Active injection probes (SQLi, CMDi, CRLF) are always disabled by default and must be explicitly enabled.
  • Probes are rate-limited to a maximum of 20 per endpoint to prevent excessive traffic.
  • A legal disclaimer is shown in the terminal whenever --enable-active is used.
  • You are responsible for obtaining authorization before running active probes against any target.

Third-party dependencies

  • The dependency CVE checker queries public advisory databases for the PyPI and npm ecosystems to identify known vulnerabilities in your dependencies.
  • Semgrep runs locally — no source code is sent to Semgrep servers when using Fendix.
  • All third-party tools are invoked locally; apart from the advisory-database queries above, no data leaves your machine.

For responsible disclosure of security vulnerabilities, see our Security Policy.

Security Policy

Last updated: March 2026. This policy applies to the open-source Fendix distribution.