GitHub Permissions
What permissions SecurityChecks requests and why
GitHub App Permissions
When you install the SecurityChecks GitHub App, we request only the minimum permissions needed to scan your code and report results.
Permissions We Request
Repository Permissions
| Permission | Level | Why We Need It |
|---|---|---|
| Contents | Read | To clone and analyze your code during scans |
| Pull requests | Write | To post findings as PR comments |
| Checks | Write | To create check runs that block merges on critical findings |
| Metadata | Read | To list repositories you can connect |
Organization Permissions
| Permission | Level | Why We Need It |
|---|---|---|
| Members | Read | To sync team membership for access control |
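As an added example (not SecurityChecks' own code), the script below audits an app installation against the minimum permission set documented in the two tables above, flagging any permission that is granted at a broader level than listed or that is not listed at all. It works on the JSON shape that `gh api /user/installations` returns; the installation payload embedded here is constructed for the example (the `securitychecks-staging` entry is hypothetical and deliberately over-privileged), and the `audit_installations` / `excess_permissions` helpers are ours.

```python
"""Audit a GitHub App installation's granted permissions against the
minimal set documented for SecurityChecks.  Added example, not the
project's own code."""
import json

# Permission levels ordered so that a higher index means broader access.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# The permissions documented on this page, keyed by the names the GitHub
# API uses inside an installation's "permissions" object.
EXPECTED = {
    "contents": "read",
    "pull_requests": "write",
    "checks": "write",
    "metadata": "read",
    "members": "read",
}

# Constructed sample in the shape of `gh api /user/installations`
# (field names follow the GitHub REST API; ids, slugs and the
# over-privileged second entry are made up for this example).
SAMPLE_INSTALLATIONS = json.loads("""
{
  "total_count": 2,
  "installations": [
    {
      "id": 101,
      "app_slug": "securitychecks",
      "permissions": {
        "contents": "read",
        "pull_requests": "write",
        "checks": "write",
        "metadata": "read",
        "members": "read"
      }
    },
    {
      "id": 202,
      "app_slug": "securitychecks-staging",
      "permissions": {
        "contents": "write",
        "pull_requests": "write",
        "checks": "write",
        "metadata": "read",
        "members": "read",
        "issues": "read"
      }
    }
  ]
}
""")


def excess_permissions(granted, expected=EXPECTED):
    """Return {permission: (granted_level, allowed_level)} for every
    permission that is broader than documented or not documented at all.
    An empty dict means the grant is within the documented minimum."""
    excess = {}
    for perm, level in granted.items():
        allowed = expected.get(perm, "none")   # undocumented => nothing allowed
        if LEVELS.get(level, 0) > LEVELS[allowed]:
            excess[perm] = (level, allowed)
    return excess


def audit_installations(payload, app_slug_prefix="securitychecks", expected=EXPECTED):
    """Audit every installation whose app_slug starts with the prefix.
    Returns {app_slug: excess_dict}; see excess_permissions()."""
    results = {}
    for inst in payload.get("installations", []):
        slug = inst.get("app_slug", "")
        if not slug.startswith(app_slug_prefix):
            continue
        results[slug] = excess_permissions(inst.get("permissions", {}), expected)
    return results


if __name__ == "__main__":
    # To audit a real account, replace SAMPLE_INSTALLATIONS with
    # json.load(...) of the output of `gh api /user/installations`.
    for slug, excess in audit_installations(SAMPLE_INSTALLATIONS).items():
        if excess:
            print(f"{slug}: exceeds documented permissions: {excess}")
        else:
            print(f"{slug}: matches documented permissions")
```

Treat any non-empty result as something to investigate before approving the installation. Note also that `Checks: Write` only lets the app publish a check run; whether a failing check actually blocks a merge depends on the repository's branch protection rules requiring that check to pass.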
What We DON'T Do
- We don't store your source code. Code is analyzed in memory and discarded.
- We don't access private data. We only read code files, not issues, wikis, or secrets.
- We don't modify your code. We only read and comment.
- We don't access other repos. We only access the repos you explicitly connect.
How Scans Work
1. You trigger a scan (manually, on PR, or scheduled)
2. We clone your repo to a secure, isolated environment
3. We run our 100 security checkers against the code
4. We generate findings with evidence
5. We post results to your PR or dashboard
6. We delete the cloned code immediately
Data Retention
- Findings: Stored for 12 months (configurable)
- Code snippets: Only the lines relevant to findings
- Full source: Never stored, deleted after scan
Revoking Access
You can revoke access at any time:
1. Go to GitHub → Settings → Applications → Installed GitHub Apps
2. Click SecurityChecks → Configure
3. Click "Uninstall"
This immediately revokes all access. Your findings remain in SecurityChecks until you delete your project.
Questions?
Contact us at security@securitychecks.ai for any concerns about permissions or data handling.