GitHub Integration

Secure GitHub Integration

CursorGuard uses a GitHub App for secure, granular access to your repositories. Short-lived tokens, read-only permissions, and complete code isolation.

Token Expiration: 1 Hour
Repository Access: Read-Only
Code Stored: 0

Why GitHub Apps?

GitHub App vs Traditional OAuth

We chose GitHub Apps over traditional OAuth for significantly better security and user control. Here's why it matters for your code.

Feature              | GitHub App (CursorGuard)           | Traditional OAuth
Permission Scope     | Granular, per-repository selection | Broad access to all repositories
Token Lifetime       | 1 hour (auto-renewed)              | Long-lived (until revoked)
Organization Control | Admins can manage centrally        | Individual user grants
Write Access         | Read-only by default               | Often requires write access
Token Storage        | Generated on-demand, never stored  | Must be stored securely

How It Works

Connect in 5 Simple Steps

The entire connection process takes less than 60 seconds. Here's exactly what happens.

1. Click Connect GitHub

   From your CursorGuard dashboard, click the "Connect GitHub" button to start the integration process.

2. Select Repositories

   On GitHub, choose which repositories to grant access to. You can select all repos or pick specific ones.

3. Install the App

   Confirm the installation. GitHub sends a signed webhook to our API with your installation details.

4. Sync Your Repos

   Back in CursorGuard, click "Sync Repos" to import your repository list. This fetches metadata only.

5. Start Scanning

   Select any repo and trigger a security scan. Your code is cloned, scanned, and immediately deleted.

Minimal Permissions

Only What We Need, Nothing More

We follow the principle of least privilege. Here's exactly what our GitHub App can and cannot access.

Permissions Granted

Repository Contents (Read-only)

To clone and scan your code for vulnerabilities

Repository Metadata (Read-only)

To display repo name, branches, stars, and language

Never Requested

Write Access

We never modify, commit, or push to your repositories

Organization Members

No access to your team members or org structure

Issues & Pull Requests

No access to your issues, PRs, or discussions

Actions & Workflows

No access to your CI/CD workflows or secrets

Token Security

Short-Lived Installation Tokens

Unlike OAuth tokens, which stay valid until revoked, installation tokens expire automatically. Here's how the lifecycle works.

Generate (instant)

When a scan is triggered, our API generates an installation token using our GitHub App credentials (a JWT signed with the App's private key).

Use (during scan)

The token authenticates API calls to GitHub: cloning repos, listing branches, fetching metadata. It is scoped only to your selected repositories.

Expire (1 hour max)

Tokens automatically expire after 1 hour. We never store them. If a token is needed again, a fresh one is generated on demand.
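As an added illustration of the Generate step (example code, not CursorGuard's own implementation), this builds the App JWT and the request that exchanges it for a 1-hour installation token. The RSA-SHA256 signer is an assumed injected callable so the file stays stdlib-only; the App ID, installation ID and repository names are placeholders.

```python
import base64
import json
import time
import urllib.request
from typing import Callable, Optional


def _b64url(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_app_jwt(app_id: str, sign_rs256: Callable[[bytes], bytes], now: Optional[int] = None) -> str:
    """Build the JWT that authenticates the GitHub App itself (not an installation).

    GitHub requires alg RS256 and rejects JWTs whose 'exp' lies more than 10 minutes out;
    'iat' is backdated 60 s to tolerate clock skew. sign_rs256 is assumed to be an
    RSA-SHA256 signer over the App's private key (e.g. built with the 'cryptography'
    package); it is injected so this example has no non-stdlib dependency.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iat": now - 60, "exp": now + 9 * 60, "iss": app_id}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(sign_rs256(signing_input.encode()))


def installation_token_request(app_jwt: str, installation_id: int,
                               repositories: Optional[list] = None) -> urllib.request.Request:
    """Prepare the POST that exchanges the App JWT for a 1-hour installation token.

    'repositories' (repo names) narrows the token below the installation's own grant,
    e.g. to just the repo about to be scanned. The response JSON carries 'token' and
    'expires_at'; the token is used for the scan (git clone over HTTPS with user
    'x-access-token') and then discarded rather than stored.
    """
    body = json.dumps({"repositories": repositories} if repositories else {}).encode()
    return urllib.request.Request(
        f"https://api.github.com/app/installations/{installation_id}/access_tokens",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {app_jwt}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})


def decode_claims(token: str) -> dict:
    # Read back the unverified payload segment, to inspect what GitHub will see
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Send the prepared request with `urllib.request.urlopen` (or any HTTP client) and read `token` from the JSON response; the JWT itself is only ever used for this exchange.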

Why This Matters

Even if a token were somehow intercepted, it would expire within an hour and only have access to the specific repositories you selected. This drastically limits the attack surface compared to long-lived OAuth tokens.

Real-Time Events

Webhook Integration

GitHub sends us real-time notifications when important events happen. We verify every webhook cryptographically to prevent spoofing.

HMAC SHA256 signature verification on every webhook:

  1. GitHub sends the webhook with a signature header
  2. We compute the expected signature using our secret
  3. Constant-time comparison prevents timing attacks
  4. Invalid signatures are immediately rejected
installation.created (store installation record)

Fired when a user installs our GitHub App. We store the installation ID to generate tokens later.

installation.deleted (clean up installation data)

Fired when a user uninstalls the app. We remove the installation and associated repos from our database.

installation.suspend (pause scanning access)

Fired when an organization admin suspends the installation. We mark it as suspended to prevent scans.

push (trigger CI/CD scan)

Fired on every git push. We check if the branch is watched and trigger an automated scan if enabled.

Repository Management

What We Store (And Don't)

When you sync your repositories, we only fetch metadata needed for the dashboard. Your source code is never stored permanently.

Stored in Database

  • Repository name and URL
  • Default branch name
  • GitHub stats (stars, forks, language)
  • Last scan timestamp
  • Branch watch settings
  • Vulnerability findings (metadata only)

Never Stored

  • Your source code
  • GitHub access tokens
  • File contents
  • Commit history
  • Environment variables / secrets
  • Git blame / contributor info

Your Code, Protected

Complete Code Isolation

Every scan runs in a completely isolated environment. Your code never touches our servers permanently and is never accessible to other scans.

Dedicated Docker Containers

Each scan runs in its own isolated Docker container with no access to other scans or system resources.

Temporary Cloning

Your code is cloned to a temporary directory, scanned, and immediately deleted. Nothing persists.

Network Isolation

Containers can only reach GitHub (for cloning) and our AI service (for analysis). No other network access.

Metadata Only Storage

We only store vulnerability metadata: file paths, line numbers, severity. Your actual code is never persisted.

Scan Lifecycle

  1. Clone: temp directory
  2. Scan: Semgrep + Trivy + AI
  3. Store: metadata only
  4. Delete: immediately

Automated Security

CI/CD Integration

Set up automatic scanning on every push to your main branch. Perfect for catching vulnerabilities introduced by AI coding assistants like Cursor, Copilot, or Lovable.

Branch Watching

Configure which branch to monitor (e.g., main, develop). Pushes to other branches are ignored.

Cooldown Protection

Set a cooldown period (default 60 min) to prevent scan spam from rapid successive pushes.

Instant Feedback

Vulnerabilities are detected within minutes of pushing, catching issues before they reach production.

CI/CD automation requires Pro subscription

Push Event Flow

  1. git push origin main: developer pushes code
  2. Webhook Received: verify signature, check branch watch
  3. Scan Triggered: clone, analyze, report findings
  4. Results Available: view in dashboard or get notified
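An added Python example (not CursorGuard's code) that ties the Webhook Integration section to the CI/CD push flow above: the HMAC SHA256 check with a constant-time comparison, then the branch-watch and cooldown decisions for a push event. The secret, repository name, header dict and watched branch are constructed sample values; the 60-minute cooldown is the page's stated default.

```python
import hashlib
import hmac
import json
import time

WATCHED_BRANCH = "main"          # branch watch setting (assumed value)
COOLDOWN_SECONDS = 60 * 60       # the page's default cooldown of 60 minutes
_last_scan_at = {}               # repo full name -> time of last triggered scan (in-memory only)


def verify_signature(secret: bytes, body: bytes, signature_header) -> bool:
    """Check X-Hub-Signature-256, which GitHub sets to 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a forged header reveals nothing about how much matched
    return hmac.compare_digest(expected, signature_header)


def handle_push(payload: dict, now: float) -> str:
    """Branch watch plus cooldown: scan only pushes to the watched branch, at most once per window."""
    repo = payload["repository"]["full_name"]
    if payload.get("ref") != "refs/heads/" + WATCHED_BRANCH:
        return "ignored: branch not watched"
    last = _last_scan_at.get(repo)
    if last is not None and now - last < COOLDOWN_SECONDS:
        return "ignored: cooldown active"
    _last_scan_at[repo] = now
    return "scan triggered"


def handle_webhook(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (HTTP status, message). The body is parsed only after the signature has been verified."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, "invalid signature"
    payload = json.loads(body)
    event = headers.get("X-GitHub-Event")
    if event == "push":
        return 200, handle_push(payload, time.time() if now is None else now)
    if event == "installation":
        # installation.created / .deleted / .suspend all arrive as event 'installation' with an 'action'
        return 200, "installation." + payload["action"] + " for id " + str(payload["installation"]["id"])
    return 200, "ignored event: " + str(event)


# Constructed sample: a push to main on an example repo, signed with a made-up secret
SECRET = b"example-webhook-secret"
BODY = json.dumps({"ref": "refs/heads/main", "repository": {"full_name": "example/repo"}}).encode()
HEADERS = {"X-GitHub-Event": "push",
           "X-Hub-Signature-256": "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()}
# handle_webhook(SECRET, HEADERS, BODY, now=0) -> (200, "scan triggered")
```

A second push within the cooldown window returns `(200, "ignored: cooldown active")`, and any tampered body or header fails the signature check before the JSON is even parsed.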

Common Questions

Frequently Asked Questions

Everything you need to know about our GitHub integration.

Can CursorGuard modify my code?

No. Our GitHub App only requests read-only access to repository contents. We cannot push commits, modify files, or make any changes to your repositories.

How long do you store my source code?

We don't store your source code at all. Code is cloned to a temporary directory inside an isolated Docker container, scanned, and immediately deleted. Only vulnerability metadata (file paths, line numbers, descriptions) is retained.

What happens if I uninstall the GitHub App?

When you uninstall, we receive a webhook from GitHub and remove your installation record and synced repositories from our database. Your scan history and vulnerability reports are retained for your reference.

Can I control which repositories CursorGuard can access?

Yes. During installation, GitHub lets you choose "All repositories" or "Only select repositories." You can modify this at any time from your GitHub settings.

Do you have access to my private repositories?

Only if you explicitly grant access during the GitHub App installation. You have full control over which repositories (public or private) we can access.

What if a token is intercepted?

Installation tokens expire after 1 hour and are scoped only to the repositories you've granted access to. Even if intercepted, the damage window is extremely limited, and tokens cannot be used to access other repositories.

How do you verify webhook authenticity?

Every webhook from GitHub includes a cryptographic signature (HMAC SHA256) that we verify using our webhook secret. Requests with invalid signatures are rejected immediately.

Connect Your GitHub in 60 Seconds

Experience seamless, secure scanning with our GitHub App integration. Get started with 3 free scans per month. No credit card required.