Security
Learn more about the applications permissions and Mergify's security obsession.
At Mergify, security is of utmost importance to us. We understand the crucial role we play in the software development process and are fully committed to earning and maintaining the trust of our users. Our Security page is dedicated to providing transparency regarding our security measures and practices. We continually strive to improve the safety and reliability of our platform, ensuring that your repositories and code are well-protected.
Trust Report
Section titled Trust ReportOur Trust Report is designed to provide transparency and instill confidence in our customers. By sharing our compliance reports and offering insights into our security practices, we aim to demonstrate our unwavering dedication to safeguarding your valuable information.
We invite you to explore this documentation and learn more about how we prioritize your trust. Click the button above to access our Trust Report page, where you will find in-depth information on our security measures and our ongoing commitment to protecting your data.
Bug Bounty Program
Section titled Bug Bounty ProgramMergify hosts a public Bug Bounty program with HackerOne. If you’re an independent security expert or researcher and believe you’ve discovered a security-related issue on our platform, we appreciate you disclosing the issue to us responsibly, and thank you for your time and expertise.
Contacting Us About Security Concerns
Section titled Contacting Us About Security ConcernsAt Mergify, we prioritize the security of our platform and the safety of our users. If you have any security-related questions, concerns, please reach out directly to our dedicated security team at security@mergify.com.
We appreciate your collaboration in ensuring the security of Mergify and its community. Rest assured, all communications related to security matters will be treated with the highest priority and confidentiality.
GitHub App Required Permissions
Section titled GitHub App Required PermissionsBelow is the list of the required permission on GitHub for Mergify to function properly.
| Permission | Access | Usage |
|---|---|---|
| Repository: Actions | Read-only | Used to read workflow details. |
| Repository: Administration | Read-only | Used to access team details. |
| Repository: Checks | Read and write | Used to read and post checks. |
| Repository: Commit statuses | Read-only | Used to read checks status. |
| Repository: Contents | Read and write | Used to read repository content and write (merge). |
| Repository: Issues | Read and write | Used to close issues on merge. |
| Repository: Metadata | Read-only | Access repository metadata. |
| Repository: Pages | Read and write | Write required to trigger page workflow on merge. |
| Repository: Pull requests | Read and write | Used to read and edit pull requests. |
| Repository: Workflows | Read and write | Used to read workflows and merge pull requests modifying workflows. |
| Organization: Members | Read-only | Used to list organization members. |
| Account: Email addresses | Read-only | Used to read user email addresses. |
User Permissions
Section titled User PermissionsTo perform any actions on Mergify, such as adding a pull request in a merge queue or triggering a command, a person must have sufficient access to the relevant account or resource. This access is controlled by permissions. A permission is the ability to perform a specific action. A role is a set of permissions you can assign to individuals or teams.
Mergify users inherit their roles directly from GitHub roles.
That means that a user that has the Read role for a repository in GitHub will
also inherit this role in Mergify.
Features Permissions
Section titled Features Permissions| Feature | Read | Triage | Write | Maintain | Admin |
|---|---|---|---|---|---|
| View the merge queues | |||||
| Freeze a merge queue | |||||
| Unfreeze a merge queue | |||||
| Pause merge queues | |||||
| Manage API keys | |||||
| Manage Mergify subscription |
Command Permissions
Section titled Command PermissionsMergify commands are restricted by default and have their own mechanism that can be modified. See Commands Restrictions for changing the default.
Managing IP Addresses Allowed for the GitHub App
Section titled Managing IP Addresses Allowed for the GitHub AppGitHub allows to configure the list of IP adresses that a GitHub App is allowed to use to access GitHub.
Mergify services do not use a single static IP address. Therefore, you must
allow the AWS EC2 us-east-1 IP addresses.
This list can be retrieved on AWS website or via this command:
curl -s https://ip-ranges.amazonaws.com/ip-ranges.json -o- | jq -r '.prefixes[] | select(.region=="us-east-1" and .service=="EC2") | .ip_prefix'