privado
Privado is an open-source static code analysis tool that detects how sensitive data flows through your codebase, identifies security vulnerabilities, and generates compliance reports for platforms like Google Play Store. It runs locally, supports Java and Python in production, and helps teams map data processing for GDPR and privacy audits.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | Privado-Inc/privado |
| Owner | Privado-Inc |
| Primary language | Python |
| License | LGPL-3.0 — OSI-approved |
| Stars | 650 |
| Forks | 75 |
| Open issues | 34 |
| Latest release | v1.3.91 (2025-11-10) |
| Last updated | 2025-11-10 |
| Source | https://github.com/Privado-Inc/privado |
What privado is
Privado performs static analysis by building a knowledge graph of data flows from collection points to sinks (third-party APIs, databases, logs). It detects 110+ personal data elements and their movement across code, generating JSON reports that can be visualized on an optional cloud dashboard (no code uploaded). CLI-based, Docker-containerized, integrates into CI/CD pipelines.
Get the privado source
Clone the repository and explore it locally.
git clone https://github.com/Privado-Inc/privado.gitcd privado# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Installation via bash script + Docker dependency; ensure Docker runtime is available in CI/CD and development environments.
- Java and Python support is mature; expect to test thoroughly if codebase uses frameworks or SDKs with implicit data flows not evident in source syntax.
- Results stored as JSON at `<source>/.privado/privado.json`; integrate JSON parsing into existing reporting or compliance workflows.
- Optional cloud sync requires account creation and network connectivity; configure CI/CD credentials and network policies if syncing results.
- Knowledge graph approach may require tuning on large or unfamiliar codebases; review initial findings and false-positives carefully.
When to avoid it — and what to weigh
- Polyglot Codebases (Enterprise Languages) — Currently GA only for Java and Python; JavaScript/TypeScript support is in-progress. Enterprise-only support for other languages (Go, C#, Rust, etc.) requires commercial license.
- Need Real-Time or Runtime Data Flow Analysis — Static analysis cannot detect dynamic data flows at runtime, obfuscated code, or data flows through external libraries not reflected in source code.
- Minimal Infrastructure or Air-Gapped Environments — Requires Docker and local compute resources; cloud dashboard sync is optional but recommended for report generation and visualization.
- Non-Compliance-Driven Use Cases — Tool is purpose-built for privacy/compliance scanning. If your primary need is general-purpose code security (e.g., SAST for SQL injection, XSS), consider broader SAST tools.
License & commercial use
Licensed under LGPL-3.0 (GNU Lesser General Public License v3.0). This is a copyleft open-source license that permits use, modification, and distribution, but requires that derivative works and modifications also be distributed under LGPL-3.0 or compatible terms. Linking or integrating Privado into proprietary software requires careful legal review.
LGPL-3.0 permits commercial use of the tool itself (e.g., running scans on internal code). However, redistributing modified versions or integrating the tool as a library into proprietary products requires those derivatives to be LGPL-3.0 compatible. Commercial enterprise support, advanced language support, and closed-source plugins are available from Privado Inc. per business offerings; requires review with Privado for clarification on licensing for proprietary integrations.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Local scanning (code stays on your machine) reduces exfiltration risk. Optional cloud sync transmits only JSON output (not source code), per documentation. No security audit, penetration test, or vulnerability disclosure statement provided in available data. Relies on Python/Docker security; Privado team's security practices are unknown. Recommend: validate with Privado's security posture before using on highly sensitive codebases.
Alternatives to consider
Snyk Code / Snyk AppSec
Commercial SaaS SAST with data flow analysis; supports more languages out-of-box but requires cloud submission and vendor lock-in.
Semgrep (OSS edition)
Open-source SAST with custom rule writing; broader language support and more mature ecosystem, but not purpose-built for privacy/data-flow compliance.
Fortify Static Code Analyzer (FSA)
Enterprise-grade SAST with strong data-flow and compliance reporting (GDPR, HIPAA); proprietary, expensive, more complex deployment.
Build on privado with DEV.co software developers
Test Privado on a sample Java or Python repository. Run `privado scan` locally, review JSON output, and explore the free cloud dashboard. Contact Privado Inc. to discuss LGPL-3.0 licensing, enterprise language support, or integration into your CI/CD pipeline.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
privado FAQ
Does my code get sent to Privado's cloud?
What programming languages are supported?
Can I integrate Privado into CI/CD?
Is commercial use allowed under LGPL-3.0?
Software developers & web developers for hire
From first prototype to production, DEV.co delivers software development services around tools like privado. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Evaluate Privado for Your Compliance & Privacy Audits
Test Privado on a sample Java or Python repository. Run `privado scan` locally, review JSON output, and explore the free cloud dashboard. Contact Privado Inc. to discuss LGPL-3.0 licensing, enterprise language support, or integration into your CI/CD pipeline.