Security & Permissions Model
Security is a first-class feature in Ship Guard. This document explains the GitHub permissions we request, why we need them, how your data flows through the system, and how we protect your intellectual property.
GitHub App Permissions (Scopes)
Ship Guard operates as a GitHub App with minimal required permissions:
| Permission | Access | Why We Need It |
|---|---|---|
| Checks | Read & write | Create status checks (pass/fail), attach rule results to PRs |
| Pull requests | Read & write | Read PR metadata/diffs and post review comments with findings |
| Contents | Read-only | Read .github/ship-gaurd.yml and changed files for analysis |
| Commit statuses (optional) | Read | Display compatibility with legacy status checks tooling |
| Metadata | Read | Basic repo metadata (always granted by GitHub Apps) |
| Email address | Read-only | Required to automatically create a Ship Guard user account upon app installation |
Data Minimization & Redaction
- Diff-only scope: AI checks operate on the PR diff, not the entire repo, unless explicitly scoped via `paths`.
- Secret redaction: Built-in filters attempt to redact tokens/keys before any AI call.
- Size limits: `maxFilesPerReview`, `maxFileSizeKB`, `maxTokens` control exposure and cost.
- Path controls: Use `paths`/`excludePaths` to further narrow inputs.
RAG (Knowledge Base) Protections
When using RAG, only the top few relevant document snippets are included:
- Weighted retrieval ensures authoritative docs (ADRs, security policies) are prioritized.
- Configurable limits: `ragContext.maxDocs` (1–10) and `similarityThreshold` (0.5–1.0).
- Exclusion support: Place sensitive docs outside configured `rag_sources` or exclude via globs.
Data Retention & Logging
- No code storage: We do not store your repository code or complete diffs.
- Ephemeral processing: PR content is processed in-memory for rule execution.
- Minimal logs: We log event IDs and rule execution metrics.
- Retention: Operational metadata retained for a limited period for debugging and abuse prevention.
- Opt-outs: Contact support to configure stricter retention or SSO-bound access.
Auditability & Evidence
- Check Runs: Canonical, immutable records on each PR.
- Structured comments: Optional, with line anchors and error codes for traceability.
- Error codes & tags: Use `errorCode` and `tags` for compliance mapping and internal dashboards.
IP Protection Commitments
- Principle of Least Privilege: Only the minimal GitHub scopes required.
- Data Minimization: Analyze only changed lines and necessary context.
- Redaction: Attempted removal of secrets and PII before AI calls.
- Transport Security: All network communication uses TLS.
- Model Providers: Industry-standard providers; prompts sanitized; strict token limits.
- No resale/sharing: We never sell or share your code or prompts with third parties.
Security Features You Control
- Branch Protection: Require Ship Guard checks to pass before merging.
- Global Settings (`settings`):
  - `enableAIReviews`: Toggle AI usage globally
  - `maxFindings`, `maxFindingsInComment`: Prevent noisy output
  - `disableComments`, `disableStatusChecks`: Tighten surface area
  - `commentTemplates`: Standardize wording for audits
- AI Rule Controls (`ai-review` parameters):
  - `maxTokens`, `ragContext.maxDocs`, `similarityThreshold`
  - `security.allowSensitiveFiles`, `security.enableContentFiltering`, `security.maxFilesPerReview`
Validating Your Setup (Checklist)
- Confirm only required GitHub scopes are enabled
- Set branch protection with "Ship Guard" as a required status check
- Use `paths`/`excludePaths` to restrict sensitive areas
- Set AI safety caps: `maxTokens`, `maxFilesPerReview`, and content filtering
- Keep RAG sources authoritative and non-sensitive
- Review logs/metadata policy with your security team
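
One way to carry out the first checklist item, as an added example that is not Ship Guard's own code: compare the `permissions` object GitHub reports for the app installation with the permissions table in this document. The permission key names (including `emails` for the email row) are assumptions mapped from the table, and the sample input is constructed.

```python
# Added example: audit an installation's granted permissions against the
# allow-list taken from the permissions table in this document.

# Access levels ordered from weakest to strongest.
LEVELS = {"read": 1, "write": 2, "admin": 3}

# Maximum access the table documents. Key names are assumptions: they are
# mapped from the table rows to the keys of the installation's "permissions".
ALLOWED = {
    "checks": "write",
    "pull_requests": "write",
    "contents": "read",
    "statuses": "read",   # listed as optional in the table
    "metadata": "read",
    "emails": "read",     # assumed key for the "Email address" row
}
OPTIONAL = {"statuses"}


def audit_permissions(granted):
    """Return sorted (severity, permission, detail) findings for a grant."""
    findings = []
    for name, level in granted.items():
        if name not in ALLOWED:
            findings.append(("high", name, f"undocumented permission granted at '{level}'"))
        elif LEVELS.get(level, 99) > LEVELS[ALLOWED[name]]:
            # Unknown level strings are treated as stronger than any known one.
            findings.append(("high", name, f"granted '{level}', documented maximum is '{ALLOWED[name]}'"))
    for name in ALLOWED:
        if name not in granted and name not in OPTIONAL:
            findings.append(("info", name, "documented permission not granted"))
    return sorted(findings)


# Constructed sample: an installation with more access than the table lists.
SAMPLE_GRANTED = {
    "checks": "write",
    "pull_requests": "write",
    "contents": "write",        # elevated beyond the documented read-only
    "metadata": "read",
    "emails": "read",
    "administration": "read",   # not in the table at all
}

if __name__ == "__main__":
    for severity, name, detail in audit_permissions(SAMPLE_GRANTED):
        print(f"[{severity}] {name}: {detail}")
```

Any `high` finding means the installation holds access the table does not document and should be reviewed before the app is approved for more repositories.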