Monitoring Policy
Stackshield monitors public Laravel repositories to help the ecosystem improve its security posture. Here's exactly what we do, what's visible, and how to opt out.
What we scan
Stackshield scans the top 500 Laravel open source projects on GitHub, ranked by a combination of stars, Packagist downloads, and ecosystem significance. We run 40 framework-aware security checks covering code patterns, route configuration, environment settings, filesystem exposure, and dependencies.
What's public
- A-list: Projects that score an A grade are listed publicly, sorted alphabetically and without numeric scores.
- Scanned directory: All scanned repos are listed by name. No scores, no findings, no grades for non-A projects.
- Ecosystem stats: Aggregate numbers across all scanned repos. No individual project is ever named.
What's private
Full findings, severity breakdowns, file locations, and remediation guidance are only visible to verified maintainers who claim their repo via GitHub OAuth. We never display B/C/D grades publicly.
How to opt out
Two mechanisms, both honored unconditionally:
1. stackshield.yaml (recommended)
Add a stackshield.yaml file to your repository root:
# stackshield.yaml
monitoring:
  indexed: false   # remove from public scanned directory
  a_list: false    # do not include in A-list even if eligible
  scanning: false  # do not scan at all
Settings are checked on every scan cycle and respected immediately. Set any combination of these flags to control your visibility.
2. Manual removal
Email monitoring@stackshield.io with your repository name. Requests are honored within 24 hours, permanently, with no verification beyond a plausible maintainer claim.
Data retention
We store scan results for historical comparison. Cloned repositories are deleted immediately after scanning. When a maintainer opts out, all scan data is deleted within 24 hours.
Questions?
Reach out at monitoring@stackshield.io. We're committed to making this process transparent and respectful of maintainer preferences.