Where your data lives

What Seal sees in each package discovery mode, and what it never sees.

Seal stores the operational state of your tenant on the Seal Platform: the packages it has discovered, the vulnerabilities associated with them, the Sealing Rules you have created, your Seal Projects' configuration, your tenant's users and tokens. This is the data the UI displays, the CLI works against, and the API exposes.

What Seal sees varies with the package discovery mode of each Seal Project.

Source code mode

Seal connects to your source control (GitHub, GitLab, or Azure DevOps), reads dependency manifests directly, and uses the resolved dependency graph to record the packages discovered for that Seal Project. Seal does not retain your source code; it parses manifests for the package list and stores that.

For GitHub, the Seal GitHub App may also open automatic pull requests against your repositories when configured. Those PRs are written into your repository like any other PR.

CLI mode

Seal sees only what the Seal CLI reports during a CI/CD run. The CLI inspects your build's dependency tree, sends the package list to the platform, and applies sealing actions. The platform does not receive your source code; it receives only the package list and fix-result telemetry the CLI reports.

This is the path most often chosen by source-restricted organizations. Seal can fully operate without read access to your source code.

Artifact server mode

Seal sees only the sealed packages your build pulls from the Seal Artifact Server. There is no upfront record of what is in your project; the platform's view fills in over time as your CI/CD pulls artifacts.

Imported manifest mode

You upload a manifest file or SBOM once; Seal parses it and records the discovered packages. There is no ongoing connection between Seal and the source of the manifest; the result is a snapshot at the time of upload.
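To make concrete what "the discovered-package list" in the source code and imported manifest modes amounts to, here is an added illustration (not Seal's own code, and not a description of how the Seal parsers are implemented): a small extractor that turns a pinned `requirements.txt` and a CycloneDX SBOM into package name, version and ecosystem triples, and nothing more. The sample manifests, the function names and the ecosystem mapping are constructed for this example; it is useful as a reviewer's sanity check of what data such a package list does and does not carry.

```python
"""
Illustrative extraction of a discovered-package list from dependency manifests.

Added example, not Seal's code: it shows the shape of the data the page
describes (ecosystem, package name, version) and that comments, local
paths, application components and anything else in the manifest are
dropped rather than forwarded. All sample inputs are constructed.
"""
import json
import re

# Constructed requirements.txt with a comment and an editable local path entry;
# both are ignored, since only pinned third-party packages are of interest.
REQUIREMENTS_TXT = """\
# pinned runtime deps
requests==2.31.0
urllib3==1.26.18   # transitively needed
-e ./internal-lib
"""

# Constructed minimal CycloneDX 1.4 SBOM (JSON), as might be uploaded once.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "application", "name": "my-service", "version": "1.0.0"},
    ],
})

# Matches "name==version", tolerating a trailing comment.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")


def packages_from_requirements(text):
    """Return (ecosystem, name, version) triples for pinned entries only."""
    found = []
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            found.append(("pypi", m.group(1).lower(), m.group(2)))
    return found


def packages_from_cyclonedx(text):
    """Return (ecosystem, name, version) triples for library components.

    The ecosystem is read from the purl type (pkg:<type>/...) when present;
    the SBOM's own application component is not a discovered dependency.
    """
    bom = json.loads(text)
    found = []
    for comp in bom.get("components", []):
        if comp.get("type") != "library":
            continue
        purl = comp.get("purl", "")
        eco = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"
        found.append((eco, comp["name"], comp["version"]))
    return found


def discovered_packages():
    """Union of both sources, de-duplicated and sorted for a stable record."""
    return sorted(set(packages_from_requirements(REQUIREMENTS_TXT)
                      + packages_from_cyclonedx(SBOM_JSON)))


if __name__ == "__main__":
    for eco, name, ver in discovered_packages():
        print(f"{eco}:{name}@{ver}")
```

Running it prints four `ecosystem:name@version` lines; the comment, the `-e ./internal-lib` entry and the `my-service` application component never appear in the output, which is the point: a package list of this shape carries no source code, secrets or environment details.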

What Seal never sees

In any package discovery mode, Seal does not see:

  • Your application's source code (other than what is required to parse manifests in source code mode).

  • Your customer data or production traffic.

  • Your secrets, credentials, or environment variables.

  • Anything outside the dependency graph.

The only data Seal retains about your environment is the discovered-package list and what you create in the platform (Sealing Rules, Scanner Exclusions, and so on).
