Security

Metadata-first governance for teams that cannot send source code into another tool.

Faultline is designed around scanner snapshots, customer-controlled deployments, identity-aware access, and signed evidence.

Source code stance

No source required by default.

Data boundary

Clear collection boundaries.

Data collected

  • Repository metadata and service identifiers
  • Ownership and CODEOWNERS-derived signals
  • Policy findings and suppression metadata
  • Audit export metadata and accountability events
  • Integration delivery status for configured tools

Data not collected

  • Source code by default
  • Production runtime traces
  • Customer application secrets
  • Developer workstation contents
  • Private incident notes unless explicitly supplied

Deployment model

  • Customer-managed cloud deployment supported
  • PostgreSQL-backed tenant isolation with RLS
  • Redis-backed rate limiting
  • S3-compatible audit evidence exports
  • OIDC identity provider integration

Security posture

Designed for metadata-first governance and customer-controlled deployment paths.

Evaluate Faultline without granting source access. The scanner runs where code already lives, and Enterprise ingests governance metadata by default.

Metadata-only ingestion

Faultline is designed to ingest scanner snapshots, repository facts, ownership signals, policy findings, and audit metadata by default.

OIDC and RBAC

Enterprise access maps identity provider groups into scoped roles for owners, reviewers, support, finance, and operators.

PostgreSQL RLS

Tenant boundaries are enforced in PostgreSQL with row-level security for organization-scoped records.

Redis rate limits

When the Redis limiter is unreachable, API traffic on the auth, ingest, export, and token paths can fail closed (requests are rejected) rather than open, so a limiter outage does not remove protection from those paths.
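The fail-closed behaviour described above, as an added illustration (this is not Faultline's own limiter code, and the class, key layout and backend stubs are assumptions for the example). The limiter keeps a fixed-window counter per path and principal; when the backend raises, a fail-closed limiter denies the request instead of letting it through. The in-memory backend only mimics the incr/expire subset of a Redis client, and the broken backend exists to exercise the outage path:

```python
import time


class LimiterBackendError(Exception):
    """Raised by the backend stub to simulate a Redis outage (constructed)."""


class InMemoryRedis:
    """Tiny stand-in for the incr/expire subset of a Redis client (constructed)."""

    def __init__(self):
        self._store = {}  # key -> [count, expires_at]

    def incr(self, key):
        now = time.monotonic()
        entry = self._store.get(key)
        if entry is None or entry[1] <= now:
            entry = [0, float("inf")]  # fresh window; expire() sets the real deadline
            self._store[key] = entry
        entry[0] += 1
        return entry[0]

    def expire(self, key, seconds):
        if key in self._store:
            self._store[key][1] = time.monotonic() + seconds


class BrokenRedis:
    """Backend whose every call fails, to exercise the fail-closed path (constructed)."""

    def incr(self, key):
        raise LimiterBackendError("connection refused")

    def expire(self, key, seconds):
        raise LimiterBackendError("connection refused")


class FailClosedLimiter:
    """Fixed-window counter per (path, principal); denies when the backend is unreachable."""

    def __init__(self, backend, limit, window_seconds, fail_closed=True):
        self.backend = backend
        self.limit = limit
        self.window = window_seconds
        self.fail_closed = fail_closed

    def check(self, path, principal):
        """Return (allowed, reason). Sensitive paths should use fail_closed=True."""
        key = f"ratelimit:{path}:{principal}"  # hypothetical key layout
        try:
            count = self.backend.incr(key)
            if count == 1:
                self.backend.expire(key, self.window)
        except LimiterBackendError as exc:
            if self.fail_closed:
                return False, f"limiter unavailable ({exc}); failing closed"
            return True, f"limiter unavailable ({exc}); failing open"
        if count > self.limit:
            return False, f"limit {self.limit}/{self.window}s exceeded ({count})"
        return True, f"{count}/{self.limit}"


def demo():
    """Healthy backend: 4th call in the window is denied. Outage: denied immediately."""
    healthy = FailClosedLimiter(InMemoryRedis(), limit=3, window_seconds=60)
    decisions = [healthy.check("/v1/auth/token", "org-42")[0] for _ in range(4)]
    outage = FailClosedLimiter(BrokenRedis(), limit=3, window_seconds=60)
    outage_allowed, outage_reason = outage.check("/v1/auth/token", "org-42")
    return decisions, outage_allowed, outage_reason


if __name__ == "__main__":
    print(demo())
```

The design point is the except branch: the decision when the limiter cannot be consulted is an explicit policy, not an accident of exception handling, and for auth, ingest, export and token paths that policy is deny.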

Signed audit exports

Evidence exports can be encrypted at rest and signed so downstream reviewers can detect tampering.
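A worked example of the tamper-detection property described above (and under Audit exports in the FAQ below), added here and not taken from Faultline. The manifest binds export metadata to a digest of the evidence payload, and a tag over the canonical manifest lets a reviewer detect changes to either. To stay dependency-free this example uses an HMAC (shared key); a real deployment would use an asymmetric signature so that reviewers hold only the public key and cannot themselves produce valid tags. The field names, key and sample payload are constructed for the example:

```python
import hashlib
import hmac
import json


def canonical(obj):
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_export(payload, metadata, key):
    """Build a manifest binding the payload digest to its metadata, then tag it."""
    manifest = dict(metadata)  # hypothetical manifest fields
    manifest["payload_sha256"] = hashlib.sha256(payload).hexdigest()
    manifest["payload_bytes"] = len(payload)
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_export(payload, manifest, tag, key):
    """Return (ok, reason). Check the tag first, then that the payload matches the manifest."""
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "manifest signature mismatch"
    if hashlib.sha256(payload).hexdigest() != manifest.get("payload_sha256"):
        return False, "payload digest mismatch"
    return True, "ok"


def demo():
    """Sign a constructed export, then show both tampering cases being caught."""
    key = b"constructed-demo-key-do-not-reuse"
    payload = b'{"findings":[{"repo":"svc-billing","rule":"missing-owner"}]}'
    metadata = {"org_id": "org-42", "export_id": "exp-0001",
                "generated_at": "2024-01-01T00:00:00Z"}  # constructed values
    manifest, tag = sign_export(payload, metadata, key)
    good = verify_export(payload, manifest, tag, key)
    edited_payload = payload.replace(b"missing-owner", b"ok")
    tampered_payload = verify_export(edited_payload, manifest, tag, key)
    forged_manifest = dict(manifest, org_id="org-99")
    tampered_manifest = verify_export(payload, forged_manifest, tag, key)
    return good, tampered_payload, tampered_manifest


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two details matter for reviewers: serialization must be canonical (sorted keys, fixed separators) or an unchanged manifest can fail verification, and the manifest must include the payload digest, otherwise a signature over metadata alone says nothing about the evidence it ships with.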

Encrypted integration secrets

Webhook and integration credentials are encrypted and kept out of repositories and deployment artifacts.

Security FAQ

Controls without inflated claims.

Auth model

OIDC with RBAC. Group-to-role mapping is configurable for Enterprise deployments.

Tenancy model

Organization-scoped PostgreSQL RLS is used for tenant boundaries in the application database.

Audit exports

Exports can be encrypted, retained, and signed for customer diligence and internal reviews.

Secrets handling

Integration secrets and signing keys are stored outside the repository and read at runtime.

Compliance

Security review posture for enterprise buyers.

Compliance posture

SOC 2 Type II audit is planned. Security review materials are available on request: contact security@gofaultline.dev. Review the public DPA readiness page before requesting the enterprise packet.