EasyAudit CLI is designed to run entirely offline. This page explains exactly when and how the tool communicates with external servers.
When you run easyaudit scan, all analysis happens on your machine. No source code, file paths, scan results, or any other data leaves your environment. The tool:
- Reads files from disk
- Runs all 20 processors locally
- Writes reports (JSON, SARIF, HTML) to your local filesystem
There is zero network activity during a scan. You can verify this by running the tool with network access disabled.
Only the fix-apply command (paid fixer) communicates with api.crealoz.fr. This is an explicit, opt-in action that:
- Requires authentication (
easyaudit authorEASYAUDIT_AUTHenvironment variable) - Requires confirmation before sending data
- Sends only the specific file contents and rule identifiers needed to generate patches
- Uses HTTPS with strict certificate verification in CI environments
- Source code is immediately deleted from the server once the patch is returned (or on failure)
No other command makes any network request.
| Command | Network activity |
|---|---|
scan |
None |
fix-apply |
api.crealoz.fr (paid) |
auth |
api.crealoz.fr (login) |
| All other commands | None |
Every easyaudit.phar attached to a GitHub release is signed using GitHub Artifact Attestations. This provides cryptographic proof that the PHAR was built by the official CI workflow from the source code in this repository.
Verify a downloaded PHAR:
gh attestation verify easyaudit.phar --owner crealozThis confirms the binary has not been tampered with after build.
See Automated PR docs — TLS / self-signed certificates for details on certificate handling in CI vs local environments.