Security & Privacy
What RepoGuard accesses, stores, and protects. Plain language, no legal jargon.
What we access
RepoGuard authenticates through the RepoGuard Security GitHub App (not a legacy OAuth App). When you sign in, RepoGuard reads:
- Your GitHub username, avatar, and public email — for the session
- Your public repositories — to list them on the dashboard
- Public file contents of a repository — only during a scan you trigger
We do not read private repositories. Private-repo support is on the roadmap; today, signing in lets RepoGuard scan public code only.
For the optional auto-fix PR feature, you install the RepoGuard Security GitHub App on the target repository. That install grants the App the "Contents: write" and "Pull requests: write" permissions, scoped to that repository only, so we can push a branch and open a PR for your review. Without an install, RepoGuard cannot write to any repository.
What we store
After each scan, we persist only metadata and findings:
- Repository name (owner/repo)
- Scan timestamp and duration
- File paths and line numbers where secrets were detected
- Masked previews of matched secrets (never the full value)
- Vulnerable package names and advisory IDs
What we never store
- Your source code
- Full values of detected secrets (only masked previews)
- Your GitHub access token (we keep a short-lived session only)
- Any data from repositories you haven't explicitly scanned
Files are fetched from the GitHub API during a scan and discarded as soon as the scan completes.
Where your data lives
Scan metadata is stored in a Postgres database hosted on Supabase (EU region). The application runs on Vercel. Both providers are SOC 2 compliant.
Source code
RepoGuard is open source. You can audit the entire codebase, including how we handle your token and data: github.com/silviooerudon/repoguard
Revoking access
You can revoke RepoGuard's access at any time:
- Revoke sign-in: GitHub → Settings → Applications → Authorized GitHub Apps → find RepoGuard Security → Revoke.
- Uninstall auto-fix: GitHub → Settings → Applications → Installed GitHub Apps → find RepoGuard Security → Uninstall (or remove individual repos).
Revocation takes effect immediately. Any tokens already minted expire within an hour.
Reporting security issues
Found a vulnerability or have a concern? Contact Silvio directly on LinkedIn or open an issue on GitHub.
Last updated: May 2026. This page is maintained honestly. If anything here becomes outdated or inaccurate, please report it.