Privacy Policy
Last updated: 2026-05-28
Short version: Argus Lens does not collect, store, or transmit any personal data. All analysis runs locally in your browser. The optional GitHub token, when provided, is stored only on your device.
What Argus Lens is
Argus Lens is a static malware scanner for public GitHub repositories. It ships as a web application at lens.noctis.biz, a Chrome extension, and a VS Code extension. All three share the same analysis engine, which runs entirely on the user's device.
What data we collect about you
None.
- No accounts. No sign-in.
- No analytics, no tracking pixels, no third-party scripts.
- No cookies set by us.
- No server-side logs of repositories you scan, queries you make, or pages you visit.
What stays in your browser
The optional GitHub personal access token you can paste to raise the GitHub API rate limit is stored only in your browser:
- Web app at lens.noctis.biz: stored in localStorage under the key repo-scanner.gh-token.
- Chrome extension: stored in chrome.storage.local under the key argusLens.githubToken.
- VS Code extension: not used (the local-file scanner does not query GitHub).
The token is sent only to api.github.com and raw.githubusercontent.com on your
behalf when fetching repository data. It never reaches any Noctis server. To remove it,
clear the relevant storage in your browser settings.
External services Argus Lens calls
To perform static analysis, the extension and web app fetch read-only data from three public services:
- api.github.com — the GitHub REST API, to list the file tree of the target repository.
- raw.githubusercontent.com — to fetch individual source files (package.json, lockfiles, build configs, source code) for pattern matching.
- registry.npmjs.org — to fetch npm package metadata and tarballs of suspicious dependencies, for supply-chain attack detection.
Each of these services has its own privacy policy. Argus Lens does not control those services and does not share your data with them beyond the public API requests required to fetch the content you are scanning.
What Argus Lens does NOT do
- Does not clone, install, or execute any repository.
- Does not read the content of other browser tabs.
- Does not send the repository URLs you scan, or the results, to any server we operate.
- Does not sell, share, or transmit user data to third parties.
- Does not display ads.
Fonts
The web app loads typefaces (Playfair Display, JetBrains Mono) from Google Fonts. Google may log the requesting IP for cache purposes — see their privacy policy. The Chrome and VS Code extensions do not load remote fonts during scanning.
Children
Argus Lens is a developer tool and is not directed at children under 13. We do not knowingly collect data from anyone.
Changes to this policy
If this policy changes, the updated text will appear on this page with a new "Last updated" date. There is no mailing list to notify because we do not collect your email.
Contact
Questions or concerns: pavel@noctis.biz.