System Architecture
The three data sources fossabot relies on, how your first-party code is handled, and the security boundaries between analysis steps.
Overview
fossabot's job is to manage dependency updates and review code through intelligent automation. To do that, it relies on three data sources.
Data sources
- Application source code, from a supported version control system: GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Server, and GitLab (cloud and self-hosted).
- Third-party dependencies. Package manager databases connect the packages declared in your app with their published source code, pulled from public repositories or your configured private mirrors.
- Hosted AI models. fossabot exclusively uses LLM and AI services from Anthropic, under an enterprise agreement with no training on or retention of your data.

First-party code
Your first-party code is cloned during each operation. Each analysis worker is dedicated to a single customer's analysis at a time, and your cloned code is deleted immediately after the analysis completes.
First-party analysis happens locally first, through static analysis tools, and then with AI to understand the relevant call sites. Only then are small code snippets sent to AI services to assess the impact of a change.
Context building and security boundaries
fossabot separates its analysis into stages, with security boundaries between them:
- Direct access: code is on disk during the initial processing and filtering stages.
- Indirect access: later steps work only with metadata and small snippets of code derived from that earlier direct access, which keeps the AI models focused on specific context.
- Collection steps: these run AI web search with the minimum context needed to complete the task.
- Code generation: this is limited to specific call sites, through the
@fossabot fixworkflow. - Third-party communication: this never runs AI. It only transmits data that was already constructed.
