GitHub has become the most widely used code hosting platform in the world. ThreatKey's security assessment tool integrates with GitHub so that customers can connect their GitHub organization in a few clicks and manage their GitHub security posture from within the product.
To provide analytics, metrics and data visualization for security risk in GitHub repositories, ThreatKey connects to GitHub over OAuth2 with read-only permissions. This is a first-class integration: ThreatKey has been approved by GitHub for its API program. Customers therefore never hand their GitHub credentials to ThreatKey. They authenticate to GitHub directly, install the app into their organization and approve the requested permissions there; GitHub then issues ThreatKey tokens scoped to that authorization.
When a user connects their account to ThreatKey via OAuth2, ThreatKey receives three things from GitHub:
- A refresh token, which lets ThreatKey obtain new access tokens without asking the user to sign in again. It does not last forever: GitHub's refresh tokens expire after six months, are rotated on every use, and stop working immediately if the user revokes the authorization in their GitHub settings or the organization uninstalls the app.
- A short-lived access token, which can be used immediately to make API requests on behalf of the user. GitHub's expiring user tokens are valid for eight hours; after that the refresh token must be exchanged for a new one.
- The token endpoint (GitHub's https://github.com/login/oauth/access_token) at which the refresh token is exchanged for a fresh access token and a replacement refresh token. A failed exchange (for example, an `error` of `bad_refresh_token`) means the user must re-authorize; it is not something the integration can recover from on its own.