Your code never leaves your machine
SiteCMD is local-first. Your source, scans, and findings stay on your device. You do not have to take our word for it: every network call the app makes is named on this page, and you can watch the traffic yourself.
See how to verify it yourself
Scan data never leaves, period
Everything below is stored in a local SQLite database on your device. None of it is transmitted to SiteCMD servers or any third party.
- Scan results, scores, and issue history
- Your source code and code-scan findings
- Project names, URLs, and configuration
Operational calls, named and minimal
A small set of calls keeps the app licensed and up to date and resolves your dependencies. Each one sends only what it needs to do its job, never your code or scans, and every one is named in the table below.
Analytics and crash reports, off by default
Both are opt-in and stay off until you turn them on. When enabled, they send only anonymized, sanitized diagnostics, never your scans, source, or credentials. The table below lists exactly what each one carries.
Every call, in one table
All network activity the app can produce, by name. Scan-data entries have no host because they never leave your device.
| Call | Host | Sends | Never sends |
|---|---|---|---|
| License activation | api.lemonsqueezy.com | Your license key; A machine-scoped activation identifier: a SHA-256 hash of your device hostname and username, encoded as a 16-character hex string prefixed with 'sitecmd-' (the raw hostname and username are never transmitted) | Raw hostname or username; Any scan result, source file, project name, or URL |
| License validation | api.lemonsqueezy.com | Your license key; The per-activation instance ID issued when you activated | Any scan result, source file, project name, or URL |
| Update check | releases.sitecmd.com | Current app version; Operating system / platform identifier | Any scan result, source file, project name, or URL |
| Usage analytics | telemetry.sitecmd.com | App version and build channel; Operating system family and CPU architecture; Current subscription tier; Anonymous install identifier (random UUID, not linked to an account); Event name and workflow status; Aggregate counters such as issue totals by severity | Scan targets, project names, source code, credentials, license keys, page content, raw logs |
| Crash and error reports | o447951.ingest.sentry.io | Sanitized error message and exception type; Sanitized stack frame function names and filenames; Sanitized breadcrumb trail (last 30 app events, free-form text scrubbed) | URLs, file paths, emails, tokens, license keys, source snippets, request bodies, raw logs, user identity |
| Dependency and vulnerability lookups | registry.npmjs.org; pypi.org; repo.packagist.org; crates.io; rubygems.org; proxy.golang.org; api.wordpress.org; updates.drupal.org; api.osv.dev | Package names and versions | Your manifests, lockfiles, or source |
Don't trust us. Watch the traffic.
Run a website scan on a project with no integrations connected and no local code linked, and the only outbound connections go to the site being scanned. Nothing carrying your code or scan results ever reaches a SiteCMD server. The other calls are exactly the ones named in the table above: license validation and updates at startup, and, when you scan a project with linked code, the dependency and vulnerability lookups, which send package names and versions, never your source.
Run your own capture
- macOS: enable Little Snitch alert mode, or run a tcpdump session scoped to the SiteCMD process, then start a scan.
- Any platform: open Wireshark with a capture filter on the app and watch a scan run.
- During a website scan you will see the target site, plus any integrations you connected. You will not see your source code or a SiteCMD scan backend.
- When you scan a project with linked code, you will also see the dependency and vulnerability registries from the table above. That is a separate dependency check; it sends package names and versions, never your source.
- At startup you will see license validation (api.lemonsqueezy.com) and the update check (releases.sitecmd.com). Finding these confirms this page.
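To compare a capture with the table above, this added example (not SiteCMD's own code) classifies the hostnames you observed, for instance TLS SNI or DNS names exported from your capture, against the hosts this page names. The function names, the `linked_code` and `opted_in` switches and the sample hostnames are assumptions made for the illustration; matching is exact, so any host not spelled as in the table is flagged for review.

```python
# Added example: host names below are copied from the table on this page.
ALWAYS = {"api.lemonsqueezy.com": "license", "releases.sitecmd.com": "update check"}
OPT_IN = {"telemetry.sitecmd.com": "usage analytics",
          "o447951.ingest.sentry.io": "crash reports"}
DEPENDENCY = {"registry.npmjs.org", "pypi.org", "repo.packagist.org", "crates.io",
              "rubygems.org", "proxy.golang.org", "api.wordpress.org",
              "updates.drupal.org", "api.osv.dev"}


def normalize(host):
    """Lower-case, then drop any :port suffix and trailing dot."""
    return host.strip().lower().split(":")[0].rstrip(".")


def classify(observed, known_hosts, linked_code=False, opted_in=False):
    """Return {host: verdict} for every distinct observed hostname.

    known_hosts: the site you scanned plus integrations you connected.
    linked_code: True if the scanned project had local code linked.
    opted_in:    True if you enabled analytics / crash reports.
    """
    known = {normalize(h) for h in known_hosts}
    verdicts = {}
    for raw in observed:
        host = normalize(raw)
        if not host:
            continue
        if host in known:
            verdicts[host] = "ok: scan target or integration"
        elif host in ALWAYS:
            verdicts[host] = "ok: " + ALWAYS[host]
        elif host in DEPENDENCY:
            verdicts[host] = ("ok: dependency lookup" if linked_code
                              else "review: dependency lookup without linked code")
        elif host in OPT_IN:
            verdicts[host] = ("ok: " + OPT_IN[host] if opted_in
                              else "review: " + OPT_IN[host] + " while opted out")
        else:
            verdicts[host] = "review: not listed on this page"
    return verdicts


# Constructed sample input, not taken from a real capture.
SAMPLE = ["api.lemonsqueezy.com", "releases.sitecmd.com.", "Example.org:443",
          "pypi.org", "telemetry.sitecmd.com", "cdn.unknown.example"]

if __name__ == "__main__":
    for host, verdict in classify(SAMPLE, ["example.org"]).items():
        print(f"{verdict:50} {host}")
```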
For the full per-endpoint reference, see Privacy and data.