Why offline matters
Most SAST vendors run their analysis on their own infrastructure: you upload your source, they return findings. Even when "encrypted in transit", that source code is now stored on a third party's disks, indexed by their search engines, accessible to their staff under subpoena, and one breach away from your competitors.
Regulated industries
Defense, healthcare (HDS), finance, public sector — your code may legally not leave the country, let alone your perimeter.
Audit firms & consultants
You audit other people's code under NDA. Sending it to a SaaS scanner breaks the NDA. StaticCodeAudit (SCA) runs locally on your laptop, finished.
Trade-secret-heavy products
Algorithms, models, ML pipelines — code that is the IP. No external dependency means no third-party leak vector.
Architecture — what runs where
StaticCodeAudit is a standalone Python CLI. It reads files from disk, applies regex/AST rules from a local catalog, and writes a self-contained HTML report. No daemon, no agent, no background process, no auto-update, no analytics SDK.
```
┌──────────────────────────────────────────────────┐
│ YOUR LAPTOP / SERVER (network: any or none)      │
│                                                  │
│ ┌──────────┐     ┌──────────┐     ┌────────┐     │
│ │  src/    │ ──▶ │  sca/    │ ──▶ │ report │     │
│ │  files   │     │  CLI     │     │ .html  │     │
│ └──────────┘     └──────────┘     └────────┘     │
│                       │                          │
│                       ▼                          │
│                 ┌────────────┐                   │
│                 │  rules/    │                   │
│                 │  (local)   │                   │
│                 └────────────┘                   │
│                                                  │
│ No daemon. No agent. No telemetry SDK.           │
│ Stops running after the report is written.       │
└──────────────────────────────────────────────────┘

╳ NO outbound HTTP/HTTPS
╳ NO DNS lookup outside the localhost
╳ NO call home for license check (offline-only model)
╳ NO error reporting service
╳ NO auto-update channel
```
CVE rule packs are delivered out-of-band via signed email attachment (SHA-256 + Ed25519). You install them manually with sca --import-pack. No silent download channel.
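Verifying a pack before running `sca --import-pack` is the customer's side of the out-of-band channel. The page says packs are signed with SHA-256 + Ed25519 but does not describe the attachment layout, so the example below is an added illustration, not CodeFixture's code, and it assumes three attachments: the pack, a hex SHA-256 digest, and a detached Ed25519 signature over the pack bytes. It also assumes the vendor's public key was pinned locally from an earlier, separate exchange; a freshly generated key pair stands in for it here. It needs the PyCA `cryptography` package.

```python
"""Verify a rule pack before import: added example, not the vendor's code.

Assumed layout (not from the page): pack bytes, a hex SHA-256 digest file,
and a detached Ed25519 signature over the pack bytes, checked against a
vendor public key pinned on disk from a previous, separate exchange.
"""
import hashlib
import hmac

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


class PackRejected(Exception):
    """The pack must not be imported; `stage` says which check failed."""

    def __init__(self, stage, message):
        super().__init__(f"[{stage}] {message}")
        self.stage = stage


def verify_pack(pack_bytes, digest_hex, signature, pinned_public_key_bytes):
    """Return the verified SHA-256 hex digest, or raise PackRejected.

    The cheap digest check runs first so a corrupted attachment is reported
    as corruption rather than as a bad signature. The signature is verified
    over the pack bytes themselves, so swapping the digest file cannot
    'bless' a different pack: an attacker would need the vendor's key.
    """
    actual = hashlib.sha256(pack_bytes).hexdigest()
    if not hmac.compare_digest(actual, digest_hex.strip().lower()):
        raise PackRejected("digest", "SHA-256 mismatch: corrupted or not the announced pack")
    try:
        key = Ed25519PublicKey.from_public_bytes(pinned_public_key_bytes)
        key.verify(signature, pack_bytes)          # raises on any mismatch
    except (InvalidSignature, ValueError):
        raise PackRejected("signature", "not signed by the pinned vendor key") from None
    return actual


def sign_pack_for_demo(pack_bytes, private_key):
    """Constructed stand-in for the vendor's release step."""
    return hashlib.sha256(pack_bytes).hexdigest(), private_key.sign(pack_bytes)


def run_checks():
    """Exercise the verifier: genuine pack, two tampered variants, wrong key."""
    vendor_key = Ed25519PrivateKey.generate()       # stand-in for the vendor's key
    pinned = vendor_key.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    # Constructed pack contents; the real pack format is not described on the page.
    pack = b"rules:\n  - id: CVE-PLACEHOLDER-0000\n    pattern: example\n"
    digest, sig = sign_pack_for_demo(pack, vendor_key)
    tampered = pack + b"  - id: injected-rule\n"
    other_sig = Ed25519PrivateKey.generate().sign(pack)   # someone else's key

    def outcome(*args):
        try:
            verify_pack(*args)
            return "ok"
        except PackRejected as exc:
            return exc.stage

    return {
        "genuine": outcome(pack, digest, sig, pinned),
        "tampered_pack": outcome(tampered, digest, sig, pinned),
        "tampered_pack_and_digest": outcome(
            tampered, hashlib.sha256(tampered).hexdigest(), sig, pinned),
        "signed_by_other_key": outcome(pack, digest, other_sig, pinned),
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case:28s} {result}")
```

The order of the two checks is deliberate: the digest catches a mangled attachment cheaply, and the signature over the full pack bytes is what actually binds the pack to the vendor, so a pack whose digest file was regenerated by a third party still fails at the `signature` stage.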
See for yourself in 30 seconds
Run StaticCodeAudit behind tcpdump on a small project. You will see exactly zero packets leave your machine for the duration of the audit.
```console
$ sudo tcpdump -i any 'host not 127.0.0.1 and host not ::1' &
[1] 12345
$ ./run_audit.py /path/to/your/codebase
🔍 StaticCodeAudit — running 697 rules across 8 languages...
✅ Report generated: docs/audit-reports/SCA-REPORT-2026-05-10.html
$ kill %1
0 packets captured
0 packets received by filter
0 packets dropped by kernel
$ # Your code never left this terminal.
```
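The tcpdump capture above watches the whole host, so a package manager or browser running alongside the audit would show up in it too. When the tool under test is a Python program you can import, a narrower check is to patch the socket layer inside that process and fail on the first attempt to reach a non-loopback address. The guard below is an added example, not StaticCodeAudit's own code; `toy_audit`, its sample input and `phone_home_stub` are constructed stand-ins, and the guard itself is generic.

```python
"""In-process network guard: added example, not StaticCodeAudit's own code.

Patches connect()/sendto()/getaddrinfo() for the duration of a with-block
and raises before any packet leaves the machine. `toy_audit` is a
constructed stand-in for the real CLI entry point.
"""
import ipaddress
import re
import socket
from contextlib import contextmanager

_ORIGINAL_CONNECT = socket.socket.connect   # used to confirm the guard was undone


class OutboundConnectionAttempt(RuntimeError):
    """Raised when guarded code tries to reach anything beyond this machine."""


def is_local_target(address):
    """True only for destinations that never leave the machine.

    `address` is (host, port, ...) for AF_INET/AF_INET6, a path for AF_UNIX,
    or a bare host as passed to getaddrinfo(). Hostnames other than
    'localhost' are rejected outright: resolving them is itself a DNS
    lookup, which the page lists among the things the tool must never do.
    """
    host = address[0] if isinstance(address, tuple) else address
    if host is None or host == "localhost":    # getaddrinfo(None, port) is local
        return True
    if isinstance(host, bytes):
        host = host.decode("utf-8", "replace")
    if host.startswith(("/", "\0")):            # AF_UNIX path, incl. abstract
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                          # not an IP literal: a hostname
        return False


@contextmanager
def no_network_allowed():
    """Block non-loopback traffic inside the with-block; yield the attempt log.

    Each refused call is recorded as (kind, address) and raises
    OutboundConnectionAttempt before any syscall. Originals are restored on
    exit even when the guarded code fails.
    """
    attempts = []
    originals = (socket.socket.connect, socket.socket.sendto, socket.getaddrinfo)

    def refuse(kind, address):
        attempts.append((kind, address))
        raise OutboundConnectionAttempt(f"{kind} to {address!r} blocked by guard")

    def connect(sock, address):
        if not is_local_target(address):
            refuse("connect", address)
        return originals[0](sock, address)

    def sendto(sock, data, *rest):              # sendto(data[, flags], address)
        if not is_local_target(rest[-1]):
            refuse("sendto", rest[-1])
        return originals[1](sock, data, *rest)

    def getaddrinfo(host, port, *args, **kwargs):
        if not is_local_target(host):
            refuse("resolve", host)
        return originals[2](host, port, *args, **kwargs)

    socket.socket.connect, socket.socket.sendto, socket.getaddrinfo = connect, sendto, getaddrinfo
    try:
        yield attempts
    finally:
        socket.socket.connect, socket.socket.sendto, socket.getaddrinfo = originals


def guard_is_inactive():
    """True once the patched methods have been restored."""
    return socket.socket.connect is _ORIGINAL_CONNECT


# Constructed one-rule scanner standing in for the CLI: hard-coded credential.
SECRET_RULE = re.compile(r"(?i)\b(api[_-]?key|password)\b\s*=\s*['\"][^'\"]+['\"]")

SAMPLE_SOURCES = {  # constructed input files, held in memory
    "settings.py": "DEBUG = True\nAPI_KEY = 'sk-constructed-example'\n",
    "util.py": "def add(a, b):\n    return a + b\n",
}


def toy_audit(sources):
    """Apply SECRET_RULE to each file; return (filename, line) findings."""
    return [(name, lineno)
            for name, text in sources.items()
            for lineno, line in enumerate(text.splitlines(), 1)
            if SECRET_RULE.search(line)]


def audit_with_guard(sources):
    """Run toy_audit under the guard; return (findings, blocked_attempts)."""
    with no_network_allowed() as attempts:
        findings = toy_audit(sources)
    return findings, list(attempts)


def phone_home_stub():
    """Constructed misbehaving tool: opens TCP to a TEST-NET-3 address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect(("203.0.113.10", 443))


def blocked_attempts_of(func):
    """Run func under the guard and return what the guard refused."""
    try:
        with no_network_allowed() as attempts:
            func()
    except OutboundConnectionAttempt:
        pass
    return list(attempts)


if __name__ == "__main__":
    print("clean run:", audit_with_guard(SAMPLE_SOURCES))
    print("phone-home stub:", blocked_attempts_of(phone_home_stub))
```

This complements rather than replaces the packet capture: the guard only sees the interpreter it runs in, so a child process or a native extension that opens its own sockets is invisible to it, which is exactly what tcpdump on a quiet host still catches.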
We dogfood our own tool
Every commit to the StaticCodeAudit codebase is checked against StaticCodeAudit itself. The latest report is public — open it and verify the claims we make about offline operation, zero findings on production code, and full compliance mapping.
What we audit (and how)
- The full repo — 16+ Python modules, 27 000+ test assertions, 645+ built-in rules. Same binary the customer downloads.
- Every commit on main — locally before push, plus a published snapshot at each release.
- All 8 categories enabled — security, code quality, architecture, maintenance, UI, UX, accessibility, dependencies. No category cherry-picked.
- Strict thresholds — max_high = 0, min_health = 70. A single new high-severity finding blocks the next release.
- Historical comparison — every report compares to the previous baseline. Regression visible at a glance.
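The two thresholds and the baseline comparison together form a release gate. The example below is an added illustration of that gate, not StaticCodeAudit's own code: the report structure, the severity weights, the health-score formula and the rule names are all assumptions made for this example, since the page does not describe the tool's report format. It also generalizes slightly: findings are matched across commits by rule, file and matched text rather than by line number, so that an edit above a hit does not register as one finding fixed and one new.

```python
"""Release gate over SAST reports: added example, not StaticCodeAudit's code.

Policy from the page: max_high = 0, min_health = 70, and every report is
compared with the previous baseline. Report shape, severity weights and the
health formula are assumptions made here.
"""
from collections import Counter

SEVERITY_WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}   # assumed


def fingerprint(finding):
    """Stable identity across commits: rule, file and matched text.

    The line number is deliberately left out so that inserting code above a
    hit does not turn one old finding into one 'fixed' plus one 'new'.
    """
    return (finding["rule"], finding["file"], finding["snippet"].strip())


def count_by_severity(findings):
    return Counter(f["severity"] for f in findings)


def health_score(report):
    """Assumed formula: 100 minus weighted findings per 100 scanned files.

    Integer arithmetic keeps the gate deterministic across platforms.
    """
    weighted = sum(SEVERITY_WEIGHTS[f["severity"]] for f in report["findings"])
    files = max(report["files_scanned"], 1)
    return max(0, 100 - (100 * weighted) // files)


def diff_against_baseline(current, previous):
    """Return (new, fixed) findings relative to the previous baseline."""
    prev = {fingerprint(f) for f in previous}
    cur = {fingerprint(f) for f in current}
    new = [f for f in current if fingerprint(f) not in prev]
    fixed = [f for f in previous if fingerprint(f) not in cur]
    return new, fixed


def evaluate_gate(report, baseline=None, max_high=0, min_health=70):
    """Apply the thresholds; return a dict a CI job can act on and log."""
    counts = count_by_severity(report["findings"])
    high = counts["critical"] + counts["high"]   # critical counts as at least high
    score = health_score(report)
    reasons = []
    if high > max_high:
        reasons.append(f"{high} high-or-critical finding(s); limit is {max_high}")
    if score < min_health:
        reasons.append(f"health {score} below minimum {min_health}")
    new, fixed, regressed = [], [], False
    if baseline is not None:
        new, fixed = diff_against_baseline(report["findings"], baseline["findings"])
        regressed = score < health_score(baseline)   # shown, not blocking, per the page
    return {
        "passed": not reasons,
        "health": score,
        "high": high,
        "regressed": regressed,
        "reasons": reasons,
        "new": [fingerprint(f) for f in new],
        "fixed": [fingerprint(f) for f in fixed],
    }


# Constructed reports; rule ids are placeholders, not the tool's catalog.
BASELINE_REPORT = {
    "files_scanned": 40,
    "findings": [
        {"rule": "SQL-CONCAT", "severity": "medium", "file": "db.py", "line": 12,
         "snippet": 'cur.execute("SELECT * FROM t WHERE id=" + uid)'},
        {"rule": "TODO-LEFT", "severity": "low", "file": "api.py", "line": 3,
         "snippet": "# TODO remove"},
    ],
}
CURRENT_REPORT = {
    "files_scanned": 42,
    "findings": [
        {"rule": "TODO-LEFT", "severity": "low", "file": "api.py", "line": 9,   # moved
         "snippet": "# TODO remove"},
        {"rule": "HARDCODED-SECRET", "severity": "high", "file": "settings.py",
         "line": 2, "snippet": "API_KEY = 'sk-constructed'"},
    ],
}
CLEAN_REPORT = {"files_scanned": 42, "findings": CURRENT_REPORT["findings"][:1]}


if __name__ == "__main__":
    for name, rep in (("current", CURRENT_REPORT), ("clean", CLEAN_REPORT)):
        print(name, evaluate_gate(rep, BASELINE_REPORT))
```

In the constructed data the current commit fixes the SQL concatenation but introduces one hard-coded secret, so the gate fails on `max_high` even though health (86) is well above 70; the baseline comparison reports both the new and the fixed finding, and the health drop from 93 is flagged as a regression without blocking on its own.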
The report is a self-contained HTML file. Save it locally, open it offline — no network call needed to read it. Findings, severity breakdown, file-by-file drill-down, and the full CWE / OWASP / ISO 27001 / ASVS / NIST CSF mapping per issue.
All past auto-audit reports are preserved in the public repository github.com/ka8t/Audit-archives.
Template clause for your DPO / Legal
Copy-paste this clause into your data-flow registry, your DPIA, or your supplier risk assessment. It is factually accurate for any binary delivered by CodeFixture under a current StaticCodeAudit license.
« StaticCodeAudit by CodeFixture is a standalone command-line tool that performs static application security testing (SAST) entirely on the customer's local machine. The tool does not initiate any outbound network connection during analysis: source code, intermediate findings, and final reports are written to the local filesystem only. License verification is done offline against a signed key, with no call to the vendor's infrastructure. The customer's source code is therefore not transferred to, stored by, or processed by CodeFixture. CVE rule packs are distributed out-of-band via signed email attachment and installed manually by the customer. »
Need this clause translated into French, German, Spanish, or signed by the founder for your supplier file? Just ask.
Where does your code go? Compare.
| | StaticCodeAudit | Snyk Code | SonarCloud | SonarQube self-hosted |
|---|---|---|---|---|
| Source code uploaded to vendor | Never | Yes | Yes | No |
| Findings stored on vendor disks | Never | Yes | Yes | No |
| Outbound network call during scan | Zero | Required | Required | License check |
| Telemetry / usage analytics | None | Yes | Yes | Optional |
| Auto-update channel | None (manual signed packs) | Yes | Yes | Manual |
| Subject to vendor breach | Not exposed | Yes | Yes | No |
Comparison based on each vendor's published deployment model as of May 2026. Snyk and SonarCloud are SaaS-only by default; SonarQube self-hosted is a customer-deployed server.
Talk to the engineer who built it
Need a signed clause for your DPO? A network audit log? An architecture diagram for your DPIA? The fastest way is to email the founder directly.
Ask the founder directly