Security
Mergify's security posture — compliance, data handling, access control, and the GitHub App permissions we request.
Mergify runs in front of GitHub to evaluate merge conditions and orchestrate your pipeline. This page documents our compliance posture, how we handle your data, the access controls in place, and the GitHub App permissions we request.
Compliance
Mergify is SOC 2 Type II attested. Reports, audit details, and our sub-processor list are available in the Trust Center.
A Data Processing Addendum (DPA) is available on request. Contact security@mergify.com.
Data Handling
- Encryption in transit: TLS 1.2 or higher.
- Encryption at rest: persisted service data, such as configuration and metadata, is encrypted with AES-256.
- Service status: real-time availability and incident history at status.mergify.com.
Access Control
Mergify does not maintain a separate identity or permission system. All authentication and authorization are delegated to GitHub:
- Single sign-on: users sign in through GitHub, so any SSO policy you enforce on your GitHub organization (including SAML SSO) applies to Mergify.
- Roles and permissions: Mergify users inherit their roles directly from GitHub roles. A user with the Read role on a repository in GitHub also has the Read role in Mergify. Some operations additionally require the GitHub organization Owner role.

See the Features Permissions table below for the full mapping between GitHub roles and Mergify capabilities.
Vulnerability Disclosure
Mergify hosts a public Bug Bounty program with HackerOne. If you believe you’ve found a security issue on our platform, please disclose it responsibly.
For other security questions or concerns, contact our security team at security@mergify.com.
Reference
Mergify requests a fixed set of GitHub App permissions required for the product to operate. Some permissions are only exercised by specific features.
GitHub App Required Permissions
Below is the list of the required permissions on GitHub for Mergify to function properly.
| Permission | Access | Usage |
|---|---|---|
| Repository: Actions | Read-only | Used to read workflow details. |
| Repository: Administration | Read-only | Used to access team details. |
| Repository: Checks | Read and write | Used to read and post checks. |
| Repository: Commit statuses | Read-only | Used to read checks status. |
| Repository: Contents | Read and write | Used to read repository content and write (merge). |
| Repository: Deployments | Read and write | Used to read and post deployments status. |
| Repository: Issues | Read and write | Used to close issues on merge. |
| Repository: Metadata | Read-only | Access repository metadata. |
| Repository: Merge queues | Read-only | Used to receive GitHub merge queues events. |
| Repository: Pages | Read and write | Write required to trigger page workflow on merge. |
| Repository: Pull requests | Read and write | Used to read and edit pull requests. |
| Repository: Workflows | Read and write | Used to read workflows and merge pull requests modifying workflows. |
| Organization: Members | Read-only | Used to list organization members. |
| Account: Email addresses | Read-only | Used to read user email addresses. |
Features Permissions
To perform any action on Mergify (such as adding a pull request to a merge queue or triggering a command), a user must have sufficient access to the relevant account or resource. Permissions are inherited from GitHub roles.
| Feature | Repository: Read | Repository: Triage | Repository: Write | Repository: Maintain | Repository: Admin | Organization: Owner |
|---|---|---|---|---|---|---|
| Merge Queue | | | | | | |
| View the merge queue | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Pause the merge queue | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Merge Protection | | | | | | |
| View merge protection status | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Edit merge protection rules in .mergify.yml | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Schedule a queue freeze | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| CI Insights | | | | | | |
| View CI Insights data | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Activate CI Insights or configure its repositories | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Manage CI Insights Auto-Retry rules | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Configure CI Insights self-hosted runners | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Test Insights | | | | | | |
| View Test Insights data | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Quarantine or unquarantine tests | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Configure Test Insights Auto-Quarantine | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Account | | | | | | |
| Manage API keys | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Manage Mergify subscription | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
Command Permissions
Mergify commands are restricted by default and have their own mechanism that can be modified. See Commands Restrictions for changing the default.
Managing IP Addresses Allowed for the GitHub App
GitHub allows you to configure the list of IP addresses that a GitHub App is allowed to use to access GitHub.
Mergify services use the following IP addresses:
- 34.121.26.35/32
- 34.45.103.142/32
- 34.69.118.185/32
- 136.119.26.243/32
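The following is an added example, not Mergify's or GitHub's code: it checks exported audit events attributed to the app against the addresses listed above, flagging any that come from elsewhere or carry no source IP. The JSON field names `actor` and `actor_ip`, the actor login `mergify[bot]`, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import json

# CIDR ranges this page lists for Mergify services.
MERGIFY_CIDRS = ["34.121.26.35/32", "34.45.103.142/32",
                 "34.69.118.185/32", "136.119.26.243/32"]
NETWORKS = [ipaddress.ip_network(c) for c in MERGIFY_CIDRS]


def is_mergify_ip(value):
    """True only if value parses as an IP inside a documented range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in NETWORKS)


def unexpected_app_events(lines, app_actor="mergify[bot]"):
    """Return (line_number, reason) for app events that need review.

    Field names "actor" and "actor_ip" and the default actor login are
    assumptions about the log export; adjust them to your own data.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable line"))
            continue
        if not isinstance(event, dict) or event.get("actor") != app_actor:
            continue  # only events attributed to the app are in scope
        ip = event.get("actor_ip")
        if ip is None:
            findings.append((n, "no source IP recorded"))
        elif not is_mergify_ip(ip):
            findings.append((n, f"source {ip} outside documented ranges"))
    return findings


# Constructed sample log lines (not real audit data).
SAMPLE = [
    '{"action": "pull_request.merge", "actor": "mergify[bot]", "actor_ip": "34.121.26.35"}',
    '{"action": "pull_request.merge", "actor": "mergify[bot]", "actor_ip": "203.0.113.7"}',
    '{"action": "repo.access", "actor": "alice", "actor_ip": "198.51.100.4"}',
    '{"action": "pull_request.merge", "actor": "mergify[bot]"}',
    'truncated-line{',
]
```

Keep `MERGIFY_CIDRS` in sync with this page, since a stale list turns legitimate Mergify traffic into findings.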