Note: This repository is a copy of v1.x releases of Privado Data Safety Generator (earlier, Privado) and is archived in favor of complete overhaul of Privado CLI (v2.0). Privado v2.0 introduces dataflows with a wide array of detections and use-cases. The equivalent GoLang interface has now been moved Privado CLI, and the new scan engine is open-sourced and available at Privado Core.

The project is stable and users may choose to continue using this tool for datasafety report generation. However, this is not under active development and requested features may not be implemented.

Privado User Documentation

What is Privado?

Privado is a static code scanning tool to find, fix and remediate privacy issues in your products & applications. Our scan discovers what personal data(as defined by GDPR, other laws) your app is processing, third-party integrations, data flows. With our scan results, we generate privacy reports for your apps as mandated by laws like GDPR or platforms like Apple and keep them in sync with code changes.

What does our scan discover?

1. Data Elements: These are personal data that your app is collecting, sharing, processing. Here is a list of data elements that we are discovering.
2. Third-Parties: Any third-party integrations inside your code, via APIs or SDKs/libraries.
3. APIs: We also discover any internal APIs that your app is connected with.
4. Datastores(not released yet, still beta): Identify the databases where you are sourcing the data from or sending the data.
5. Privacy Vulnerabilities(not released yet, still beta): Code issues that exist which can lead to privacy vulnerabilities

What can I do with Privado?

Generate Play Store Data Safety Report

This is the first use case that we are live with. Currently, to fill the data safety form Android developers have to ask around in the team to find what data they are collecting, spend hours reading the documentation of SDKs to find data shared, and navigate the complex Playstore form. With our scan, we pre-fill data types collected, shared, and guide you with our wizard to generate the data safety report. This is how it works:

• It's a CLI tool that does a static scan of your android app's code to find data types collected, SDKs
• We look at Android permissions, user forms to detect Android Data Type. For the third party, we find relevant SDKs, Libraries & API calls
• Guided workflow to help you fill the rest of the data safety form
• Generates a CSV that you can import to Play Console
• Scan runs locally, no code ever leaves your machine.

Privacy Audits

Privacy Engineers can use our CLI tool as an MRI for products, applications and find out privacy risks. With our scans, privacy engineers save the time they have to spend chasing engineers with assessments and can directly start prescribing privacy controls for data minimization, sharing, etc.

We have the following use cases on our Roadmap:

1. Generating Apple Nutrition Label Report
2. Generating privacy compliance reports like GDPR Article 30 or RoPA report
3. Detecting Privacy Vulnerabilities in current code implementation
4. Privacy Policy Generator

Prerequisite - Docker

To start off, make sure docker is installed. To install docker, you can follow the steps stated in the official documentation. Linux users should also follow docker post installation steps in order to run Privado CLI without root (sudo) privileges.

Installation

You can install Privado CLI in multiple manners:

• Using curl
• Using go
• Using releases
• Build locally

Install using curl:

The installation script will download and setup the latest stable release for you as per your OS and arch. Run:

curl -o- https://raw.githubusercontent.com/Privado-Inc/privado-datasafety/main/install.sh | bash

To uninstall, simply delete ~/.privado/bin.

Install using Go

If you are a GoLang fan, you can use the go install command to install the Privado CLI:

go install github.com/Privado-Inc/privado-datasafety@latest

This will place the privado binary in your GOPATH's bin directory. This directory must be added to the $PATH environment variable. You can learn more here.

Install Release Manually

We use GitHub Releases to ship versioned privado releases for supported platforms. You can download a executable of Privado CLI for your platform.

To know your architecture, you can run:

$ uname -m

For detailed platform-specific instructions to setup privado, refer below:

MacOSX

ARM64 (M1 Chip)

To setup privado for macOS (arm64) i.e. Macbook with M1 chip, download privado-darwin-arm64.tar.gz from the latest release.

Navigate to the download directory and run:

$ tar -xf ~/.privado/privado-darwin-arm64.tar.gz
$ chmod +x privado
$ mv privado /usr/local/bin/

AMD64 (Intel Chip)

To setup privado for macOS (amd64), download privado-darwin-amd64.tar.gz from the latest release.

Navigate to the download directory and run:

$ tar -xf ~/.privado/privado-darwin-amd64.tar.gz
$ chmod +x privado
$ mv privado /usr/local/bin/

Linux

To setup privado on your linux system, download the respective zip from latest release for your platform. Navigate to the download directory and run the following commands:

ARM64

$ tar -xf ~/.privado/privado-linux-arm64.tar.gz
$ chmod +x privado
$ mv privado /usr/bin/privado

AMD64

$ tar -xf ~/.privado/privado-linux-amd64.tar.gz
$ chmod +x privado
$ mv privado /usr/bin/privado

Windows

To setup privado on your windows system, download privado-windows-amd64.zip from latest release. Navigate to the download directory and run the following bash commands:

$ mkdir -p $HOME/.privado/bin
$ unzip -o privado-windows-amd64.zip -d $HOME/.privado/bin
$ chmod +x $HOME/.privado/bin/privado
$ echo "export PATH=\$PATH:$HOME/.privado/bin" >> $HOME/.bashrc

Open a new session or source profile for effects to take place in the same session:

$ source $HOME/.bashrc

When using WSL, we recommend moving the binary to /usr/bin instead for optimal experience across users. Refer to steps for Linux for more information.

Build Privado CLI Locally

If you do not wish to use the pre-built binaries shipped in releases, you can choose to build Privado CLI locally. To do this, make sure that GoLang is installed and follow the following steps:

1. Clone the repository: git clone https://github.com/Privado-Inc/privado-datasafety/.git
2. Change directory: cd privado
3. Skip this step if you intend to build the main branch.
   To build the latest stable release, checkout the latest tag: git checkout latest
4. Build with Go: go build
5. You can now run ./privado.

For convenience, we recommend moving privado to a $PATH directory. You can refer to manual installation steps for more details.

Authenticating

Privado CLI requires a license key to run scans. To generate a license, run the following command:

privado auth <[email protected]>

A copy of the license will be emailed to you.

To authenticate and bootstrap the app using the generated license, run:

privado bootstrap </path/to/privado-license.json>

and done! You are all set to scan your projects and generate compliance reports.

Please note that generated licenses are valid for 1 year from the date of issue.
For more information about licensing, feel free to get in touch with us on Slack or Email.

Running a Scan

Privado CLI works on the client-end and does not share any files, code-snippets, results, or reports during the complete lifecycle.

To scan a repository, simply run:

privado scan <path/to/repository>

Depending on repository size and system configuration, time to scan can vary. Post completion, the results can be viewed on localhost:3000.

To use a different port, simply use the -p (or --port) flag:

privado scan <path/to/repository> -p 5001

Results and reports (if generated), are saved to repository/.privado. We encourage keeping .privado folder as a part of your repository to facilitate report collaboration and share privacy discovery.

Loading Results

At any point in time, you can directly load the existing results without running the entire scan and continue to generate or modify reports:

privado load <path/to/repository>

This is also helpful for huge codebases and projects with multiple collaborators.

Command Reference

The section contains detailed reference to privado commands.

Privado CLI Global Flags

Flag	Description
-h, --help	Help about any command, or sub-command
-l, --license <string>	The license file to be used. Overrides the default bootstrapped license (default "/Users/ojaswa/.privado/license.json")

Privado CLI Commands

Command	Description	Usage	Supported Flags
auth	Generate license for Privado	privado auth	-
bootstrap	Authenticates Privado using the requested license and generates required configurations	privado bootstrap [flags]	--overwrite: Overwrites the existing license fil (if any)
completion	Generate the autocompletion script for privado for the specified shell. See each sub-command's help for details on how to use the generated script.	privado completion [command]	-
help	Help about any command	privado help [command]	-
scan	Scan a codebase or repository to identify privacy issues and generate compliance reports	privado scan [flags]	-o, --overwrite: If specified, the warning prompt for existing scan results is disabled and any existing results are overwritten -p, --port : The port t be used to render HTML results (default 3000) --debug: To enable underlying process output for debugging purposes
load	Load a scanned codebase or repository and continue generating compliance reports. It skips privacy scan and loads the results present in the target repository (.privado directory)	privado load [flags]	-p, --port : The port t be used to render HTML results (default 3000) --debug : To enable underlying process output for debugging purposes

What does it cost?

Privado is free for:

1. Open Source Projects
2. For individual developers and small teams.

How Privado CLI handles your data?

Privado CLI tool was engineered with security in mind. Our tool runs the scan locally on your machine and your code never leaves your system.