Granting External Access to a Private Git Repository in GitHub

To perform an in-depth cybersecurity risk assessment, we require read access to your Source Code Management (SCM) system. We will conduct a thorough code review, analyze third-party packages, and examine build files, among other steps. Throughout this process, we take care to avoid any unintended interaction with your original code.

Instead of forking your repository, you can grant us secure, scoped, read-only access by generating a Fine-Grained Personal Access Token in GitHub. This avoids creating any copies of your code and keeps everything contained within your existing repository.

Please follow these steps to generate a token and share it with us:

1. Navigate to your GitHub profile settings at https://github.com/settings/profile.

2. Scroll to the bottom of the left-hand sidebar and click Developer settings (it appears under the Archives section).

Developer settings is the last item in the left-hand sidebar.

3. Expand Personal access tokens and select Fine-grained tokens.

Under Personal access tokens, choose Fine-grained tokens (not Tokens (classic)).

4. Click Generate new token in the top-right corner.

The Generate new token button is at the top-right of the Fine-grained personal access tokens page.

5. Configure the token with the following settings:

  • Token name — give it a descriptive name, e.g. cleargate-code-review
  • Expiration — set to approximately 30 days. This limits the window of access and the token will automatically expire after the review period.
  • Resource owner — select the organisation or account that owns the repositories.
  • Repository access — choose “Only select repositories”, then click Select repositories and pick only the specific repository (or repositories) we need to review. Do not choose “All repositories”.

Select “Only select repositories”, then use the Select repositories button to choose the specific repos.

6. Under Permissions, grant the following read-only permissions:

  • Contents — Read-only (allows us to clone and read the source code)
  • Metadata — Read-only (required by default)

No other permissions are needed. Do not enable write, admin, or any other scopes.

7. Click Generate token and copy the token value.

8. Send the token to us via a secure channel — for example, using a secrets-sharing service such as onetimesecret.com, or via encrypted email. Do not send tokens in plain-text email.
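Before the token leaves your hands (or as a first step when we receive it), its properties can be confirmed against the settings in steps 5 and 6 without touching any code. The script below is an added example, not part of this guide or of GitHub's tooling. It assumes GitHub's REST endpoint GET /repos/{owner}/{repo}, whose response carries a `permissions` object for the authenticated identity, and the `github-authentication-token-expiration` response header that GitHub returns for tokens with an expiry; if `permissions` reports the account's own role rather than the token's granted access, treat a push/admin finding as a prompt to re-check the token's settings page rather than as proof of misconfiguration. The token is read from the environment so it never appears in shell history or process listings.

```python
"""Pre-flight check for a GitHub fine-grained personal access token.

Added example for this guide (not GitHub's code). Verifies three things the
guide asks for: the token can read the repository, it grants nothing beyond
read, and it expires within about 30 days. Only fetch_repo() uses the network;
evaluate_repo_access() is pure so it can be exercised offline.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

API = "https://api.github.com"


def parse_expiration(value: str) -> Optional[datetime]:
    """Parse the expiration header; returns None when the format is unknown.

    Assumption: GitHub formats the header like '2030-01-01 00:00:00 UTC'.
    An ISO-8601 form is accepted as a fallback.
    """
    for fmt in ("%Y-%m-%d %H:%M:%S %Z", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def evaluate_repo_access(repo_json: dict, expires_header: Optional[str],
                         max_days: int = 30, now: Optional[datetime] = None) -> list:
    """Return a list of findings; an empty list means the token matches the guide."""
    now = now or datetime.now(timezone.utc)
    findings = []
    perms = repo_json.get("permissions") or {}

    # Contents: Read-only should surface as pull=true and nothing elevated.
    if not perms.get("pull"):
        findings.append("token cannot read the repository (permissions.pull is false)")
    for elevated in ("push", "maintain", "admin"):
        if perms.get(elevated):
            findings.append(f"token grants '{elevated}' on the repository; it must be read-only")

    # Expiration: required, in the future, and no longer than max_days away.
    if not expires_header:
        findings.append("token has no expiration; the guide asks for about 30 days")
    else:
        expires = parse_expiration(expires_header)
        if expires is None:
            findings.append(f"could not parse expiration header: {expires_header!r}")
        elif expires <= now:
            findings.append("token has already expired")
        elif expires - now > timedelta(days=max_days):
            findings.append(f"token lives longer than {max_days} days (expires {expires:%Y-%m-%d})")
    return findings


def fetch_repo(token: str, owner: str, repo: str):
    """GET /repos/{owner}/{repo}; returns (JSON body, expiration header or None)."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp), resp.headers.get("github-authentication-token-expiration")


def check_token(token: str, owner: str, repo: str) -> list:
    """Network wrapper: a 401/403/404 usually means 'Repository access' or 'Contents' is wrong."""
    try:
        body, expires = fetch_repo(token, owner, repo)
    except urllib.error.HTTPError as exc:
        return [f"GET /repos/{owner}/{repo} returned HTTP {exc.code}; "
                "check 'Repository access' and 'Contents: Read-only' on the token"]
    return evaluate_repo_access(body, expires)


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # never pass the token as an argument
    if not token or len(sys.argv) != 3:
        sys.exit("usage: GITHUB_TOKEN=<token> python check_token.py <owner> <repo>")
    problems = check_token(token, sys.argv[1], sys.argv[2])
    print("OK: readable, read-only, expires within 30 days" if not problems
          else "\n".join("- " + p for p in problems))
    sys.exit(1 if problems else 0)
```

When the check passes, clone with the token supplied through a credential helper or `GIT_ASKPASS` rather than embedded in the remote URL, so it is not written into `.git/config` or shell history on the reviewing machine.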

Why This Approach

  • No fork or copy created: your code stays in your repository only — no independent snapshots are created.
  • Scoped access: the token is restricted to only the repositories you select.
  • Read-only: we cannot push, merge, or modify anything in your repository.
  • Time-limited: the token expires automatically after the period you set (~30 days), removing access without any manual cleanup.
  • Revocable: you can revoke the token at any time from Developer settings if you need to remove access sooner.

After the Review

Once our assessment is complete, the token will expire automatically. If you wish to revoke access before the expiry date, navigate to GitHub > Settings > Developer settings > Personal access tokens > Fine-grained tokens, locate the token you created, and click Delete.

If you have any questions about this process, please don’t hesitate to reach out.