We practice what we preach.
SecuGo is a security tool — so its own security posture is something we take seriously. Here is exactly how we handle your data, your tokens, and your repositories.
We never ask for your GitHub password. Authentication is handled entirely through GitHub's official OAuth flow. You can revoke SecuGo's access from your GitHub settings at any time.
SecuGo requests the read:user, user:email, read:org and repo scopes. The first three are read-only. repo is not: GitHub's OAuth scopes have no read-only option for private repository contents, so repo also carries write access to your repositories. SecuGo uses it for one thing, fetching file contents to scan them. We never push, write, or modify anything in your repositories; that restriction is enforced by our code, not by the scope, which is why the grant is visible in your GitHub settings and revocable there at any time.
Your GitHub access token never reaches the browser and is never sent in request bodies or URLs. On the server it is read only from your encrypted Supabase session, which keeps it out of request logs and client-side memory.
Scan results and vulnerability findings are stored in Supabase Postgres with row-level security (RLS). Your data is scoped to your user ID — no other user can query your findings.
Every API endpoint verifies that the requested resource belongs to the authenticated user before returning data. Repository IDs and scan IDs are cross-checked against your user ID server-side.
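What user-scoped RLS looks like in practice, as an added illustration that is not SecuGo's own schema or policies: table and column names are assumptions, and the two-user sample data is constructed. It assumes Supabase Postgres, where auth.uid() returns the caller's user ID (the JWT "sub" claim) and the authenticated role exists. The scans and findings tables carry no user_id of their own, so ownership is derived through the repository row, the same repository-to-user cross-check the endpoint performs, expressed here as a policy the database enforces on every query.

```sql
-- Added illustration, not SecuGo's schema or policies. Names are assumptions.
-- Assumes Supabase Postgres: auth.uid() reads the caller's user ID from the request JWT,
-- and the "authenticated" role exists. Run as the database owner (e.g. psql on a local stack).

create table repositories (
  id        bigint generated by default as identity primary key,
  user_id   uuid not null,          -- in production: references auth.users (id)
  full_name text not null
);

create table scans (
  id            bigint generated by default as identity primary key,
  repository_id bigint not null references repositories (id) on delete cascade,
  created_at    timestamptz not null default now()
);

create table findings (
  id       bigint generated by default as identity primary key,
  scan_id  bigint not null references scans (id) on delete cascade,
  rule_id  text not null,
  path     text not null,
  severity text not null
);

grant select on repositories, scans, findings to authenticated;

-- Until RLS is enabled, no policy is consulted and every row is visible to every role.
alter table repositories enable row level security;
alter table scans        enable row level security;
alter table findings     enable row level security;

-- Repositories are scoped directly to the owner, for reads and for writes.
create policy repositories_owner on repositories for all to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());

-- Scans carry no user_id; ownership is derived through the repository row.
create policy scans_owner on scans for all to authenticated
  using (exists (select 1 from repositories r
                 where r.id = scans.repository_id and r.user_id = auth.uid()))
  with check (exists (select 1 from repositories r
                      where r.id = scans.repository_id and r.user_id = auth.uid()));

-- Findings: two hops, finding -> scan -> repository -> user.
create policy findings_owner on findings for select to authenticated
  using (exists (select 1 from scans s
                 join repositories r on r.id = s.repository_id
                 where s.id = findings.scan_id and r.user_id = auth.uid()));

-- Constructed sample data: Alice owns repository 1 and scan 42; Bob owns repository 2.
-- Inserted as the table owner, which RLS does not restrict.
insert into repositories (id, user_id, full_name) values
  (1, '11111111-1111-1111-1111-111111111111', 'alice/app'),
  (2, '22222222-2222-2222-2222-222222222222', 'bob/tool');
insert into scans (id, repository_id) values (42, 1);
insert into findings (scan_id, rule_id, path, severity) values
  (42, 'hardcoded-secret', 'config/prod.env', 'high');

-- Check the policies the way Supabase's own tests do: take the authenticated role and set
-- the JWT claims that auth.uid() reads. A correctly guessed scan id is useless to Bob:
-- the policy filters scan 42 out entirely, with no error that would confirm it exists.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
select count(*) from findings where scan_id = 42;   -- as Alice, owner of repository 1
set local request.jwt.claims = '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}';
select count(*) from findings where scan_id = 42;   -- as Bob, who owns only repository 2
rollback;
```

Two caveats worth knowing about this model. Supabase's service_role key bypasses RLS entirely, so a server that queries with that key gets nothing from these policies; the endpoint-level ownership check described above is what protects those paths, and the policies are the second layer. And user_id must be set on the server from the authenticated session (or defaulted to auth.uid()), never taken from a request body, or the with check clause only verifies a value the client chose.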
SecuGo does not store your GitHub token persistently. It lives only in your Supabase session and is discarded when you sign out; signing back in obtains a fresh token from GitHub. Note that discarding a token on our side does not invalidate it at GitHub: to revoke the token itself, remove SecuGo's authorization in your GitHub settings, which invalidates every token issued to us for your account.