Read-only model
VinTekh is read-only by construction. We never modify your cloud resources — only observe, reason, and recommend. This is not a setting; it's an architectural invariant enforced at multiple layers.
What "read-only" means in practice
- The Python discovery worker has zero write SDK imports. A CI guard (scripts/no-write-sdk-check.sh) greps the worker + web codebase for forbidden API verbs and fails the build if any are found.
- Forbidden verbs include: Azure begin_create_or_update, begin_delete, begin_update; AWS create_role, delete_role, put_role_policy, delete_security_group; GCP delete(name=), patch(name=); K8s create_namespaced_*, delete_namespaced_*, patch_namespaced_*; plus generic dangers like subprocess.run(shell=True).
- The Azure credential we ask for is Reader at the chosen scope and nothing else. If you grant Contributor by mistake, we still can't write — the code paths don't exist.
- Recommendations are advisory. The handoff buttons (Slack, ServiceNow) push text to those systems — they don't execute the recommendation. Execution stays with your change-management process.
Why this matters
Every "auto-remediation" platform has a horror story: a rule misfires at 3am and disables prod auth, or detaches the wrong NSG, or rotates a key in use. The blast radius of a wrong write is unbounded; the blast radius of a wrong read is zero.
We picked the smaller blast radius. We will never add a "write mode" — if you want SOAR-style execution, integrate VinTekh recommendations into your own change pipeline (ServiceNow, Backstage, Jenkins, ArgoCD). The handoff buttons exist for exactly that.
What this means for our category positioning
We will never market ourselves as SOAR. We'll always be the advisory tier. See Platform capabilities for the full taxonomy with honest roles per category.
Verifying our claim
If you want to audit the read-only claim yourself:
- Clone the repo. Run bash scripts/no-write-sdk-check.sh — should print "✓ no write-SDK calls detected".
- Inspect the Azure SP role assignment — should be exactly Reader at the scope you assigned.
- Watch Activity Log on the subscription while VinTekh syncs — every API call is a read (GET / list / describe). Zero writes.
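The following is an added, illustrative reimplementation of the kind of grep-based CI guard described under "What read-only means in practice" and exercised in the first verification step above. It is not VinTekh's own scripts/no-write-sdk-check.sh: the forbidden verbs are the ones listed on this page, while the file globs scanned, the function name check_no_write_sdk, and the exact failure text are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Example reimplementation of a no-write-SDK CI guard (not VinTekh's script).
# The verbs come from the page; file globs and output text are assumptions.

# One forbidden substring per line. Matched literally with grep -F, so "(" and
# "=" need no escaping. There must be no blank line here: an empty pattern
# would match every line of every file.
FORBIDDEN_VERBS='begin_create_or_update
begin_delete
begin_update
create_role
delete_role
put_role_policy
delete_security_group
delete(name=
patch(name=
create_namespaced_
delete_namespaced_
patch_namespaced_
subprocess.run(shell=True'

# check_no_write_sdk DIR
#   Recursively scans Python/TypeScript/JavaScript sources under DIR.
#   Returns 0 when clean, 1 when any forbidden verb is found (file:line:text
#   goes to stderr), 2 on a scan error (e.g. DIR missing), so a CI job can
#   gate on the exit status directly.
check_no_write_sdk() {
    dir="$1"
    patterns=$(mktemp) || return 2
    printf '%s\n' "$FORBIDDEN_VERBS" > "$patterns"

    # The pattern file lives outside DIR, so the guard never flags itself.
    # The "&& rc=0 || rc=$?" form keeps the call safe under "set -e".
    hits=$(grep -rnF -f "$patterns" \
               --include='*.py' --include='*.ts' --include='*.js' \
               "$dir") && rc=0 || rc=$?
    rm -f "$patterns"

    case "$rc" in
        0)  # grep found at least one match: a write-capable call slipped in
            printf 'FAIL: write-SDK calls detected:\n%s\n' "$hits" >&2
            return 1 ;;
        1)  # grep found nothing
            printf '%s\n' "✓ no write-SDK calls detected"
            return 0 ;;
        *)  printf 'ERROR: could not scan %s (grep exit %s)\n' "$dir" "$rc" >&2
            return 2 ;;
    esac
}

# Entry point when run directly, e.g.:  sh no-write-sdk-check.sh worker/ web/
# Scans every directory given and fails if any of them is not clean.
if [ "$#" -gt 0 ]; then
    status=0
    for d in "$@"; do
        check_no_write_sdk "$d" || status=1
    done
    exit "$status"
fi
```

Because the check is a plain substring match, it errs on the side of false positives (a comment mentioning begin_delete fails the build); that is the right trade for an invariant meant to be enforced rather than merely reviewed, and a hit is cheap to inspect because the script prints the offending file and line.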