Security is our middle name

At Zenable, security is foundational. Our architecture and processes are designed from first principles to minimize risk, enforce least privilege, and maintain transparency with our customers.

Nothing in our system has permission to make direct changes to your environment. Zenable can comment on Pull Requests with code suggestions and deliver feedback into your IDEs and AI coding assistants, but any change to a customer environment is made and managed by the customer's own users.

Data Security

We do not store customer code beyond the life of the review itself.

All systems, including test systems, use TLS 1.2+ to encrypt all data in transit.

Application Security

All dependencies are updated at least weekly.

We have hundreds (and growing) of different requirements which are automatically enforced via Policy as Code. In order for code to be merged and released, it must pass all of our Policy as Code automation, as well as the appropriate automated testing and validation.

Every service in our platform has its own execution permissions, managed on a service-by-service basis, and runs with the minimum permissions required to do its job.

Additionally, we enforce that all code changes to the Zenable platform must be peer reviewed by the appropriate parties using code owners, rulesets, and other techniques to ensure our own development processes meet high security and reliability standards.

In addition to internal reviews, we now perform self-reviews of automated PR comments as a secondary layer of defense against low-quality or inaccurate suggestions.

Infrastructure Security

We run all of our systems in AWS using cloud-native principles: all compute workloads are short-lived, and deployment pipeline credentials are never stored long-term; they are obtained just-in-time through OIDC federation into roles scoped to least privilege.
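The just-in-time OIDC flow above is only as strong as the trust policy on the role the pipeline assumes: if the `sub` and `aud` conditions are missing or wildcarded, any workflow on that identity provider can obtain the role's credentials. The following audit script is an added example and is not Zenable's code, nor a description of their pipeline. It assumes GitHub Actions as the identity provider (`token.actions.githubusercontent.com`); the account ID, organisation, repository and branch in the sample policies are constructed placeholders.

```python
"""Audit an AWS IAM role trust policy used for CI/CD OIDC federation.

Added illustration, not Zenable's code. Assumes GitHub Actions as the
identity provider; the sample account ID, organisation, repository and
branch below are constructed placeholders.
"""
from typing import Optional

# Assumed identity provider and the condition keys AWS derives from its token claims.
PROVIDER = "token.actions.githubusercontent.com"
SUB_KEY = f"{PROVIDER}:sub"
AUD_KEY = f"{PROVIDER}:aud"
EXPECTED_AUD = "sts.amazonaws.com"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value) -> list:
    """IAM policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def scoped_sub_problem(sub: str) -> Optional[str]:
    """Return why a `sub` pattern is too broad, or None if it names exactly one
    repository and one ref/environment.

    GitHub Actions subjects look like repo:<owner>/<name>:ref:refs/heads/<branch>
    or repo:<owner>/<name>:environment:<env>.
    """
    parts = sub.split(":", 2)
    if len(parts) < 3 or parts[0] != "repo":
        return f"{sub!r} has no ref/environment qualifier (any workflow, or any repo, could assume the role)"
    if "*" in parts[1]:
        return f"{sub!r} uses a wildcard in the repository name"
    if "*" in parts[2]:
        return f"{sub!r} allows a wildcard ref or environment"
    return None


def audit_oidc_trust_policy(policy: dict) -> list[str]:
    """Return findings for every Allow statement; an empty list means the policy passed."""
    findings: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        federated = _as_list(principal.get("Federated") if isinstance(principal, dict) else None)
        if not federated:
            findings.append(f"stmt {i}: principal is not an OIDC federation ({principal!r})")
            continue
        if not all(f.endswith(f":oidc-provider/{PROVIDER}") for f in federated):
            findings.append(f"stmt {i}: unexpected federated principal {federated!r}")
        actions = _as_list(stmt.get("Action"))
        if actions != [ASSUME_ACTION]:
            findings.append(f"stmt {i}: Action should be exactly {ASSUME_ACTION}, got {actions!r}")
        cond = stmt.get("Condition") or {}
        # The audience must be pinned with an exact match; otherwise a token
        # minted for a different relying party would be accepted.
        aud = _as_list(cond.get("StringEquals", {}).get(AUD_KEY))
        if aud != [EXPECTED_AUD]:
            findings.append(f"stmt {i}: {AUD_KEY} is not pinned to {EXPECTED_AUD} with StringEquals")
        # The subject must name one repository and one ref/environment. Both
        # StringEquals and StringLike are inspected, since wildcards live in StringLike.
        subs: list[str] = []
        for op in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(op, {}).get(SUB_KEY))
        if not subs:
            findings.append(f"stmt {i}: no {SUB_KEY} condition; every repository on {PROVIDER} may assume the role")
        for sub in subs:
            problem = scoped_sub_problem(sub)
            if problem:
                findings.append(f"stmt {i}: {problem}")
    return findings


_OIDC_PRINCIPAL = {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"}

# Constructed sample: trusts every repository in the org and never pins the audience.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": _OIDC_PRINCIPAL,
        "Action": ASSUME_ACTION,
        "Condition": {"StringLike": {SUB_KEY: "repo:example-org/*"}},
    }],
}

# Constructed sample: one repository, one branch, audience pinned.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": _OIDC_PRINCIPAL,
        "Action": ASSUME_ACTION,
        "Condition": {"StringEquals": {
            AUD_KEY: EXPECTED_AUD,
            SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main",
        }},
    }],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        result = audit_oidc_trust_policy(policy)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

To run this against a live role, feed it the document returned by `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` (parsed with `json.loads`). The check deliberately treats any `*` in the ref/environment segment as a finding; a team that intentionally trusts a release-branch prefix should add an explicit allow-list rather than relax the rule.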

Every resource in our environments is deployed through fully automated, declarative Infrastructure as Code, and its dependencies are updated weekly.

Compliance Roadmap

We're preparing for a SOC 2 Type II audit, with expected attestation in 2026.

Reporting Security Issues

Think you found a security issue? Please follow responsible disclosure guidelines and report it to security@zenable.io.

Frequently asked questions

You've got questions, we've got answers.

If I use your software, will you train or fine-tune models using my code?

No.

Whether you're on a free or paid tier, we do not train or fine-tune models using our users' code. To learn more, see our Terms.

Which Zenable tools should I start with?

The best way to get started is to get signed up and go through our onboarding steps. That should get you everything you need; we pride ourselves on integrations with version control systems, IDEs, our CLI tool, git hook integrations, and more. But not everybody needs everything, and that's what the onboarding process will nail down.

How’s your security?

Zenable has been built from the ground up with modern software development and security practices. We employ a series of security controls to keep your data safe; for more details see our Security page, or reach out with any specific questions.

How do I get started?

First, we recommend setting up a free (no credit card required) trial of our Pro tier. That'll get you access to all of our integration points to kick the tires. From there, if you find what we have interesting you can look at rolling it out for your team via our Pro or Enterprise tiers. If you'd like to just keep using it individually, you're welcome to continue via our Free tier which includes daily usage of PR code review, IDE integrations, our CLI, and more — 100% free.

To get more details about how those tiers differ, see our comparison table or Plans & Usage pages.

Is this just all AI?

This question used to be titled "Are you really using AI or is it just a buzzword?" — but we think we're past that now.

Zenable's approach is that using AI to review and improve software is extremely useful, but it's only a part of the solution. Deterministic guardrails are critical because they are reproducible: the same input always yields the same findings and outputs, which also provides the strong audit evidence and logs that high-assurance environments require.

We also believe that Observability — the ability to measure, monitor, and evaluate systems based on telemetry — is necessary in order to know that you're focusing on the right problems to solve. The speed of AI brings a lot more uncertainty with where you should be spending your time, and so we centralize and report on tons of information that we use to customize every part of the Zenable stack to your environment, as well as to allow you to oversee how coding agents are being used to guide decision making.

Still have questions?

Book a call with our team to discuss your security requirements.