Security & Privacy

When you sign in with GitHub, RepoGuard requests the following OAuth scopes:

• read:user — your GitHub username and avatar
• user:email — your public email
• repo — read access to your repositories, including private ones

We use repo because scanning private code requires it. We never write, modify, or push to any repository. Reducing this scope to read-only-only is on our roadmap.

After each scan, we persist only metadata and findings:

• Repository name (owner/repo)
• Scan timestamp and duration
• File paths and line numbers where secrets were detected
• Masked previews of matched secrets (never the full value)
• Vulnerable package names and advisory IDs

• Your source code
• Full values of detected secrets (only masked previews)
• Your GitHub access token (we keep a short-lived session only)
• Any data from repositories you haven't explicitly scanned

Files are fetched from the GitHub API during a scan and discarded immediately after the scan completes.

Scan metadata is stored in a Postgres database hosted on Supabase (EU region). The application runs on Vercel. Both providers are SOC 2 compliant.

RepoGuard is open source. You can audit the entire codebase, including how we handle your token and data: github.com/silviooerudon/repoguard

You can revoke RepoGuard's access at any time:

1. Go to GitHub → Settings → Applications
2. Find RepoGuard and click Revoke

This immediately invalidates our access to your repositories.

Found a vulnerability or have a concern? Contact Silvio directly on LinkedIn or open an issue on GitHub.