iris name is used only for technical identifiers such as the CLI command, settings, and config files.
Source analysis stays local
Iris Code analyses source code on your machine. Source files, file contents, project names, and workspace structure are not uploaded to an Iris Code analysis service or an AI model. The extension reads supported files in the open workspace to calculate health scores, find duplicate code and security smells, and provide editor diagnostics. The CLI applies the same local analysis engine.Network requests
Iris Code makes bounded network requests for:- sign-in, licence validation, billing, and configuration sync
- limited product-use events, controlled from account settings
- dependency version and advisory lookups after consent
~/.iris/preferences.json. Revoke consent at any time:
Workspace writes
Iris Code writes project files only after an explicit user action, such as:- generating or syncing
.irisconfig.json - exporting an HTML report or CycloneDX SBOM
- generating a CI workflow
- locking a trend baseline
- installing a pre-push or build hook
Credentials
The VS Code extension stores licence credentials with VS Code’s secret-storage API. The standalone CLI can store credentials under the user’s home directory and also acceptsIRIS_LICENCE_TOKEN for non-interactive CI.
Never commit a licence token to .irisconfig.json, a workflow file, or source control. Store CI tokens in your CI provider’s secret manager.
Report a vulnerability privately
Email hello@iriscode.co with [Security] in the subject. Include:- the affected surface and version
- clear reproduction steps
- the likely impact
- a safe proof of concept, if available