Piiano Scanner

Privacy intelligence for code

Gain visibility of sensitive data inside the source code.

At the moment, we support scanning of
Java, Python, TypeScript and JavaScript repositories

Piiano Scanner screenshot

Evolve from manual string searching to automated, AI-powered PII discovery

Connect your GitHub
repository in a click

Piiano Scanner analyzes your code
and seeks out privacy artifacts

Receive your results within
minutes and gain insights

Accelerate collaboration between engineering, security and privacy teams

Supported findings

PII references by file and line of code

Extra details about the finding

  • PII category 
  • Sensitivity level
  • Class name
  • Developer’s name

PII leaks in error logs

APIs used in the code

At the moment, we support scanning of Java, Python, TypeScript and JavaScript repositories

Piiano Scanner FAQ

Getting started

Before scanning your own repository, you can take a look at public repositories that we pre-scanned and get a closer look at our product and the value it provides. Alternatively, just hit the “New Scan” button, enter your GitHub repo’s URL, and click “Add Scan.”

  1. We support scanning both public and private GIT repositories.
  2. Support for public GIT repositories is limited (for security reasons) to the following list. If you need an additional repository, please contact us, and we will happily add it.
    1. GitHub (github.com)
    2. GitLab (gitlab.com)
    3. BitBucket (bitbucket.org)
    4. AWS Code commit (git-codecommit.<region>.amazonaws.com)
    5. Source forge (git.code.sf.net)
    6. Microsoft Azure GIT (dev.azure.com)
    7. Assembla (git.assembla.com)
  3. We support private GitHub repositories too. To work with private GitHub repositories, you will be asked to approve our access. We do not support private repositories from non-GitHub vendors (such as the ones listed above).

Please note that access to a private organizational repository will require the approval of an organization owner. To request approval, click the “Request” button on the app authorization page:

authorize Piiano for accessing GitHub

  • We do not support uploading code to the Scanner.


It usually takes a few minutes to scan regular repositories and up to 15 minutes or more to scan larger repositories.

If you scan a big project, it might take a while longer. However, if there are no results or you suspect an error, we appreciate it if you would report a bug, and we will investigate it. Make sure your selected repository’s code is written in the supported programming languages.

We support scanning Java, Python, TypeScript and JavaScript projects. In the future, additional languages will be added. If you want us to support an additional language, please send us a message using our contact us page.

Our technology relies on static code analysis algorithms and innovative NLP AI algorithms.

Sharing the scanning result and local scanning

Piiano Scanner also supports running offline without sharing your code with us. In this case, it runs as a standalone docker container and can be deployed anywhere easily. Contact us to discuss pricing and terms.

Sure. On the “All Scans” page, click the three dots next to the “View Scan” button of the scan you want to share, and then click the “Share” option. Copy the URL and share it via email, Slack, or any other medium. Sharing the scanning results will not share your entire source code, only code fragments around the findings.

What is Piiano Scanner, and why should I use it?

A privacy code scanner is a tool that statically analyzes and scans your source code to identify references to and usages of sensitive data. It is helpful in order to get visibility (sensitive data posture) into privacy violations and track relevant code changes over time.

Piiano Scanner lets you find references to PII and other customers’ sensitive data in your source code in minutes instead of weeks of manual work. Knowing which sensitive data types your application collects is necessary for the following tasks:

  1. You want to improve the security of sensitive data, and you aren’t 100% sure which customers’ sensitive data your application collects.
    You’re building a data catalog, and you want to quickly identify all the customers’ sensitive data that your application collects.
  2. You’re conducting a PIA (Privacy Impact Assessment) or DPIA (Data Protection Impact Assessment), and you want to identify customers’ sensitive data within your source code to understand the risk and mitigate it.

Piiano Scanner will provide you:

  1. A list of customers’ sensitive data types (PII/PCI/PHI) that the application collects, together with the sensitivity level for each type; e.g., it will identify the collection and usage of names, addresses, emails, bank account numbers, passwords, phone numbers, SSNs, credit card numbers, and many more.
  2. For each type of sensitive customer data, it will show you its declaration (class member) and all its usages within your code, together with code snippets and links to your GIT. Knowing which sensitive data the application collects is the first step towards hardening security and privacy. This can be achieved using Piiano Vault.
  3. A list of log leaks. Log leaks are lines of code where the application writes sensitive data to external logs. This creates an exposure risk for your clients and your company and should be avoided. Not to mention that it violates privacy compliance, where you should be able to control all sensitive data. You can use these insights to make sure that the log level that is used is “debug” and not production, or remove/obfuscate identifiers before they’re logged.
  4. A list of 3rd-party API calls that will help you ensure that sensitive data is shared only with companies that are compliant with relevant privacy regulations, such as GDPR and CCPA, and that customers’ consent is honored in the relevant cases in the code.

Piiano PII Scanner can speed up both PIA (Privacy Impact Assessment) and DPIA (Data Protection Impact Assessment) processes by:

  1. Identifying which PII types your organization collects.​
  2. Ensuring the collection of necessary PIIs is in line with your stated policy.
  3. Identifying with which 3rd party vendors you share PIIs and verifying their compliance.

Once the Piiano Scanner provides visibility into the risk that comes with the liability of collecting PIIs, you can start protecting this data with our vault. The Piiano Vault provides the ability to securely store the collected PIIs and simplify the compliance implementation for this data.

Data catalogs help data users make better-informed decisions about their organization’s data usage, detailing what data types are stored, where they are, how they are kept and who has access to them, among other things. Data catalog software typically includes a data discovery tool and a data classification tool which require access to production environments.

The Piiano Scanner complements classical data discovery through scanning code by:

  1. Supplementing existing data catalogs as a primary code discovery tool that focuses on
    sensitive customer data, such as PII, PHI, and PCI.
  2. Jump-starting an organization’s entire understanding of sensitive customer data usage and
    privacy posture.

The Piiano Scanner allows you to perform PII discovery in minutes, using only a connection to your GitHub repo.

Pricing and limitations

Piiano Scanner is currently completely free.

  1. Every user can issue a single scan at a time. An existing scan must be completed or canceled to issue a new one.
  2. Every user can create up to 10 scans a week. It could be either for different repositories or multiple scans for the same repository (useful when the code has changed).

Contact us if you require multiple scans in parallel or additional scans per week.

Your scan results will be saved for 30 days. After this time, they will be deleted automatically. If needed, you can rescan your repository.

Security and data usage

  1. First and foremost – we use it to provide you with the report.
  2. Every time you scan your repository, we fetch the code by git-cloning it, scanning it, and immediately deleting it.
  3. We only keep some code fragments to improve our product and service. These are what you see when you expand the findings (in the scan’s table) to see a few lines of source code related to each sensitive data. This is never shared with anyone and is used to improve and diagnose our systems.

No. Never. Your code will always belong to you. We never share it in any way or sell it. Our business model is based on a free tier, license, and usage payments. Your email address will be only used to send you product-related emails, and you can unsubscribe if you want.

  1. We incorporated a whole SSDLC paradigm to develop this tool; therefore, we have a strict security-by-design model. Each scan happens inside an isolated container, always disconnected from other customers’ data. We already have an external contractor doing pentest for this tool, and we’re good. SOC2 is something that we’ve been actively working on for a while now and it will be official soon.
  2. We actively monitor our systems for security and general issues.
  3. In previous roles, Piiano’s founding team was responsible for the SSDLC and oversaw 700 engineers. We live and breathe security.
  4. If you find security bugs, please email us at security@piiano.com. We give small awards to legit vulnerability reports.

We are a recognized team of cybersecurity experts. We love privacy and security and do our best to help companies out there know and protect their sensitive data 10x better. We’re proudly backed by one of the most notable Israeli cybersecurity VCs, YL Ventures. You can read more about us here. We’re based in Tel Aviv, Israel.

  1. The access tokens are valid for only 8 hours.
  2. If you disable your account, we will delete these keys immediately.

Need help or have a suggestion

We’re happy that you care so much about helping us improve our product. Please contact us. We promise to answer!

Get instant visibility into the security and privacy code posture of sensitive customer data.

At the moment, we support scanning of Java, Python, TypeScript and JavaScript repositories