ScopeGuard
ScopeGuard is a web app (with a lightweight CLI) that audits API keys, OAuth apps, and service accounts across your integrations to detect excessive scopes, stale tokens, and risky third-party access. It connects to common platforms (GitHub, Google Workspace, Slack, AWS, Stripe, Salesforce) and continuously inventories what tokens exist, who owns them, what scopes they have, and when they were last used. It then flags least-privilege violations, missing rotation policies, and "shadow integrations" created outside IT/security.

For engineering teams, it adds PR checks that block merging if new integration configs request dangerous scopes without justification. For security teams, it generates evidence-ready reports for SOC 2/ISO and alerts when a vendor suddenly requests expanded permissions.

This is not magic: coverage depends on each platform's APIs, and some systems won't expose full scope metadata. But where data exists, it saves real incident and audit time.
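To make the three checks described above concrete, here is an added Python example (not ScopeGuard's own code or API) that runs a least-privilege check and a stale-token check over a constructed token inventory, then applies a PR-style gate that rejects any integration config requesting a dangerous scope without a justification. The platform names, scope strings, the 90-day idle threshold, the `ALLOWED`/`DANGEROUS` policy tables and the `Token`/`Finding` types are all assumptions chosen for illustration; a real deployment would derive them from each platform's API and its own policy. Note the two edge cases it handles: a platform with no allowlist entry is treated as deny-by-default (every scope is flagged), and a whitespace-only justification does not unblock a dangerous scope.

```python
"""Added example, not ScopeGuard's code: token-inventory audit plus PR scope gate."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Token:
    """One normalised credential as a platform API might report it (assumed shape)."""
    platform: str
    owner: str
    scopes: set[str]
    last_used: datetime | None   # None means the platform never recorded a use
    created: datetime


@dataclass
class Finding:
    kind: str       # "excessive_scope" | "stale_token"
    platform: str
    owner: str
    detail: str


# Assumed policy tables. Scopes in ALLOWED need no justification; anything else on a
# known platform is a least-privilege violation. A platform absent from ALLOWED has an
# empty allowlist, so all of its scopes are flagged (deny by default).
ALLOWED = {
    "github": {"repo:read", "read:org"},
    "slack": {"channels:read", "chat:write"},
}
DANGEROUS = {
    "github": {"admin:org", "delete_repo", "write:packages"},
    "slack": {"admin", "users:write"},
}
MAX_IDLE = timedelta(days=90)   # assumed rotation/idle threshold


def audit_inventory(tokens, now, allowed=ALLOWED, max_idle=MAX_IDLE):
    """Flag scopes outside the allowlist and tokens idle longer than max_idle."""
    findings = []
    for t in tokens:
        extra = t.scopes - allowed.get(t.platform, set())
        if extra:
            findings.append(Finding("excessive_scope", t.platform, t.owner,
                                    ",".join(sorted(extra))))
        # A token never used counts as idle since it was created.
        last = t.last_used or t.created
        idle = now - last
        if idle > max_idle:
            findings.append(Finding("stale_token", t.platform, t.owner,
                                    f"idle {idle.days}d"))
    return findings


def check_pr_config(config, dangerous=DANGEROUS):
    """PR gate: return (platform, scope) pairs that block the merge.

    Each config entry is assumed to be {"platform": ..., "scopes": [...],
    "justification": "..."}; a dangerous scope passes only with a non-blank justification.
    """
    blocking = []
    for entry in config:
        bad = set(entry.get("scopes", [])) & dangerous.get(entry["platform"], set())
        if bad and not entry.get("justification", "").strip():
            blocking.extend((entry["platform"], s) for s in sorted(bad))
    return blocking


# Constructed sample data for a stand-alone run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    Token("github", "ci-bot", {"repo:read", "read:org"}, NOW - timedelta(days=1), NOW - timedelta(days=400)),
    Token("github", "alice", {"repo:read", "admin:org"}, NOW - timedelta(days=120), NOW - timedelta(days=300)),
    Token("slack", "legacy-app", {"chat:write"}, None, NOW - timedelta(days=200)),
    Token("stripe", "billing", {"read_write"}, NOW - timedelta(days=2), NOW - timedelta(days=30)),
]
SAMPLE_PR_CONFIG = [
    {"platform": "github", "scopes": ["repo:read", "delete_repo"]},
    {"platform": "slack", "scopes": ["admin"], "justification": "SEC-123: needed for user provisioning"},
    {"platform": "github", "scopes": ["write:packages"], "justification": "   "},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_TOKENS, NOW):
        print(f"{f.kind:15} {f.platform:8} {f.owner:12} {f.detail}")
    for platform, scope in check_pr_config(SAMPLE_PR_CONFIG):
        print(f"BLOCK merge: {platform} requests {scope} without justification")
```

Run as written it reports four findings (alice's `admin:org` scope and 120-day idle token, the never-used legacy Slack token, and every scope on the unlisted Stripe platform) and blocks the two GitHub entries that lack a real justification while letting the justified Slack `admin` request through.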