Ossprey takes security seriously — both in what we protect and how we handle your data. This section covers API key management, data handling, and security best practices.
API keys
[Figure: API key table]
Generating a key
You can generate an API key from the Account section of the dashboard. Your API key grants access to submit scans via the CLI and API. Keep it confidential and give it a descriptive name so you can identify it later.
[Figure: Form for creating an API key]
Rotating and revoking keys
If you suspect a key has been compromised, revoke it immediately from the Account section of the dashboard and generate a new one. Active scans using a revoked key will fail, so update your CI/CD secrets and local environment before revoking.
Storing keys securely
Environment variables — set API_KEY in your shell or CI/CD environment. This is the recommended approach.
Secrets managers — use GitHub Actions secrets, AWS Secrets Manager, HashiCorp Vault, or your platform's equivalent.
Never commit keys to source control — don't hard-code keys in workflow files, scripts, or configuration files checked into git.
All Ossprey API keys start with ospr_. You can use this prefix to set up secret scanning in your repository (e.g. GitHub secret scanning, git-secrets, or pre-commit hooks) to prevent accidental commits.
Example for GitHub Actions:
env:
  API_KEY: ${{ secrets.OSSPREY_API_KEY }}
Example for local use:
export API_KEY="your-key-here"
ossprey --package ./my-project
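The ospr_ prefix mentioned above makes a local check straightforward. The following pre-commit hook is an added example, not Ossprey's own tooling: it scans the lines being added in the staged diff and refuses the commit if anything that looks like an Ossprey key appears. The page only documents the prefix, so the character set and minimum length after ospr_ are assumptions; the function names and the --hook flag are this example's own.

```shell
#!/bin/sh
# Added example (not Ossprey's own tooling): block commits that contain a
# value looking like an Ossprey API key (documented prefix "ospr_").
# Assumption: the rest of the key is a run of token-like characters; the page
# only documents the prefix, so the pattern is kept deliberately broad.
OSPR_KEY_PATTERN='ospr_[A-Za-z0-9_-]\{8,\}'

# scan_text_for_keys: read text on stdin, print every matching line with its
# line number, and return 1 if at least one match was found (0 otherwise).
scan_text_for_keys() {
    matches=$(grep -n "$OSPR_KEY_PATTERN")
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# scan_staged_changes: look only at added lines of the staged diff, so keys
# already committed elsewhere or lines being removed do not trigger the check.
scan_staged_changes() {
    git diff --cached --unified=0 --no-color \
        | grep '^+' | grep -v '^+++' \
        | scan_text_for_keys
}

# Hook mode: a non-zero exit aborts the commit.
if [ "${1:-}" = "--hook" ]; then
    if ! scan_staged_changes; then
        echo "Refusing to commit: possible Ossprey API key (ospr_...) in staged changes." >&2
        echo "Move it to an environment variable or a secrets manager, then retry." >&2
        exit 1
    fi
fi
```

To install it, save the script as .git/hooks/pre-commit, make it executable, and have it invoke itself with --hook (or wrap it in a one-line pre-commit that runs `sh /path/to/check_ossprey_keys.sh --hook`). Because the check reads only added lines, it catches the common mistake of pasting a real key into a workflow file or shell script while leaving the documented placeholder and the `${{ secrets.OSSPREY_API_KEY }}` reference alone.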
Data handling
Ossprey analyses your package manifest files (e.g. package.json, requirements.txt, poetry.lock) and the dependency tree they describe. We access your repository content to generate SBOMs, but we never store your source code.
The data we process includes package names and versions from your manifests, the generated SBOM (Software Bill of Materials), scan verdicts and malware threat information, and environment metadata (e.g. which CI system triggered the scan).
Scan results are stored securely and associated with your account. All data is encrypted in transit (TLS) and at rest.
[Figure: Flow of data in Ossprey]
Account management
Profile information
Update your personal and company details from the Account section. Your email address is linked to your authentication provider (Google, GitHub, etc.) and cannot be changed directly in Ossprey — update it with your identity provider or contact support.
[Figure: Account information in the dashboard]
Password management
If you signed up with email and password, you can reset your password from Account settings. If you use social login (Google or GitHub), your password is managed by that provider.
Communication preferences
Toggle whether you'd like to receive product updates, security advisories, and tips. Your preference can be changed at any time.
Deleting your account
Contact our support team at support@ossprey.com to request account deletion. This is permanent and cannot be undone — all scan history and settings will be removed.
Security best practices
Use a strong, unique password and enable two-factor authentication with your identity provider
Don't share your login credentials or API keys
Log out when using shared computers
Regularly review and rotate your API keys
Use the principle of least privilege — only grant Ossprey access to the repositories it needs to scan
Monitor the dashboard for unexpected changes in your malware detection count