DEV.co
Open-Source Security · Privado-Inc

privado

Privado is an open-source static code analysis tool that detects how sensitive data flows through your codebase, identifies security vulnerabilities, and generates compliance reports for platforms like Google Play Store. It runs locally, supports Java and Python in production, and helps teams map data processing for GDPR and privacy audits.

Source: GitHub — github.com/Privado-Inc/privado
650
GitHub stars
75
Forks
Python
Primary language
LGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryPrivado-Inc/privado
OwnerPrivado-Inc
Primary languagePython
LicenseLGPL-3.0 — OSI-approved
Stars650
Forks75
Open issues34
Latest releasev1.3.91 (2025-11-10)
Last updated2025-11-10
Sourcehttps://github.com/Privado-Inc/privado

What privado is

Privado performs static analysis by building a knowledge graph of data flows from collection points to sinks (third-party APIs, databases, logs). It detects 110+ personal data elements and their movement across code, generating JSON reports that can be visualized on an optional cloud dashboard (no code uploaded). CLI-based, Docker-containerized, integrates into CI/CD pipelines.

Quickstart

Get the privado source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Privado-Inc/privado.gitcd privado# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Android Data Safety Compliance

Pre-fill Play Store Data Safety Reports by automatically detecting data collection and sharing patterns, reducing manual effort and accuracy risks when publishing apps.

GDPR/CCPA Audit & Records of Processing Activity

Generate Data Maps and RoPA (Article 30) reports to demonstrate data processing activities to regulators and DPOs without manual code review and documentation overhead.

Continuous Privacy-by-Design Monitoring

Embed in CI/CD to detect unaccounted third-party data sharing, insecure storage patterns, and data leaks early, enforcing privacy policies across development lifecycles.

Implementation considerations

  • Installation via bash script + Docker dependency; ensure Docker runtime is available in CI/CD and development environments.
  • Java and Python support is mature; expect to test thoroughly if codebase uses frameworks or SDKs with implicit data flows not evident in source syntax.
  • Results stored as JSON at `<source>/.privado/privado.json`; integrate JSON parsing into existing reporting or compliance workflows.
  • Optional cloud sync requires account creation and network connectivity; configure CI/CD credentials and network policies if syncing results.
  • Knowledge graph approach may require tuning on large or unfamiliar codebases; review initial findings and false-positives carefully.

When to avoid it — and what to weigh

  • Polyglot Codebases (Enterprise Languages) — Currently GA only for Java and Python; JavaScript/TypeScript support is in-progress. Enterprise-only support for other languages (Go, C#, Rust, etc.) requires commercial license.
  • Need Real-Time or Runtime Data Flow Analysis — Static analysis cannot detect dynamic data flows at runtime, obfuscated code, or data flows through external libraries not reflected in source code.
  • Minimal Infrastructure or Air-Gapped Environments — Requires Docker and local compute resources; cloud dashboard sync is optional but recommended for report generation and visualization.
  • Non-Compliance-Driven Use Cases — Tool is purpose-built for privacy/compliance scanning. If your primary need is general-purpose code security (e.g., SAST for SQL injection, XSS), consider broader SAST tools.

License & commercial use

Licensed under LGPL-3.0 (GNU Lesser General Public License v3.0). This is a copyleft open-source license that permits use, modification, and distribution, but requires that derivative works and modifications also be distributed under LGPL-3.0 or compatible terms. Linking or integrating Privado into proprietary software requires careful legal review.

LGPL-3.0 permits commercial use of the tool itself (e.g., running scans on internal code). However, redistributing modified versions or integrating the tool as a library into proprietary products requires those derivatives to be LGPL-3.0 compatible. Commercial enterprise support, advanced language support, and closed-source plugins are available from Privado Inc. per business offerings; requires review with Privado for clarification on licensing for proprietary integrations.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Local scanning (code stays on your machine) reduces exfiltration risk. Optional cloud sync transmits only JSON output (not source code), per documentation. No security audit, penetration test, or vulnerability disclosure statement provided in available data. Relies on Python/Docker security; Privado team's security practices are unknown. Recommend: validate with Privado's security posture before using on highly sensitive codebases.

Alternatives to consider

Snyk Code / Snyk AppSec

Commercial SaaS SAST with data flow analysis; supports more languages out-of-box but requires cloud submission and vendor lock-in.

Semgrep (OSS edition)

Open-source SAST with custom rule writing; broader language support and more mature ecosystem, but not purpose-built for privacy/data-flow compliance.

Fortify Static Code Analyzer (FSA)

Enterprise-grade SAST with strong data-flow and compliance reporting (GDPR, HIPAA); proprietary, expensive, more complex deployment.

Software development agency

Build on privado with DEV.co software developers

Test Privado on a sample Java or Python repository. Run `privado scan` locally, review JSON output, and explore the free cloud dashboard. Contact Privado Inc. to discuss LGPL-3.0 licensing, enterprise language support, or integration into your CI/CD pipeline.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

privado FAQ

Does my code get sent to Privado's cloud?
No. Scanning is local; only the JSON results are optionally synced to Privado Cloud for visualization and RoPA report generation, if you choose to create an account.
What programming languages are supported?
Java and Python are GA (production-ready). JavaScript/TypeScript support is in-progress for OSS. Enterprise licenses cover additional languages; contact Privado for availability.
Can I integrate Privado into CI/CD?
Yes. The CLI is designed for CI/CD; use `privado scan <directory>` in your pipeline. Results are written to JSON; parsing and reporting integration is your responsibility or handled via cloud sync.
Is commercial use allowed under LGPL-3.0?
Using the tool to scan your own code commercially is permitted. Redistributing modified versions or embedding Privado into proprietary products requires LGPL-3.0 compliance review; contact Privado Inc. for clarification.

Software developers & web developers for hire

From first prototype to production, DEV.co delivers software development services around tools like privado. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Evaluate Privado for Your Compliance & Privacy Audits

Test Privado on a sample Java or Python repository. Run `privado scan` locally, review JSON output, and explore the free cloud dashboard. Contact Privado Inc. to discuss LGPL-3.0 licensing, enterprise language support, or integration into your CI/CD pipeline.