developer.mend.io and private repos: security considerations

[arseny-zinchenko]

What would you like help with?

Other

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

Hi.
I'm just started using Renovate in our GitHub org, and a bit concerned about the security: am I right, that it clones the code to the developer.mend.io?
If so, what about private code in private repositories, which must not be shared anywhere?
I tried to find a way to disable the developer.mend.io at all, but can't see such an option.

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[rarkins]

Renovate needs to clone code in order to scan it for dependencies. Code is deleted at the end of every run and not stored persistently. If you don't trust Mend to do that, you can self host Renovate.

[HonkingGoose]

@arseny-zinchenko you will want to read the Renovate docs, Security and Permissions as well.