--- title: Security description: Mergify's security posture — compliance, data handling, access control, and the GitHub App permissions we request. --- Mergify runs in front of GitHub to evaluate merge conditions and orchestrate your pipeline. This page documents our compliance posture, how we handle your data, the access controls in place, and the GitHub App permissions we request. ## Compliance Mergify is **SOC 2 Type II** attested. Reports, audit details, and our sub-processor list are available in the Trust Center. A Data Processing Addendum (DPA) is available on request. Contact security@mergify.com. ## Data Handling :::tip Mergify processes repository contents in memory and does not persist them. ::: - **Encryption in transit:** TLS 1.2 or higher. - **Encryption at rest:** persisted service data, such as configuration and metadata, is encrypted with AES-256. - **Service status:** real-time availability and incident history at [status.mergify.com](https://status.mergify.com). ## Access Control Mergify does not maintain a separate identity or permission system. All authentication and authorization are delegated to GitHub: - **Single sign-on:** users sign in through GitHub, so any SSO policy you enforce on your GitHub organization (including SAML SSO) applies to Mergify. - **Roles and permissions:** Mergify users inherit their roles directly from [GitHub roles](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization). A user with the `Read` role on a repository in GitHub also has the `Read` role in Mergify. Some operations additionally require the GitHub organization `Owner` role. See the [Features Permissions](#features-permissions) table below for the full mapping between GitHub roles and Mergify capabilities. ## Vulnerability Disclosure Mergify hosts a public Bug Bounty program with HackerOne. If you believe you've found a security issue on our platform, please disclose it responsibly. For other security questions or concerns, contact our security team at security@mergify.com. ## Reference Mergify requests a fixed set of GitHub App permissions required for the product to operate. Some permissions are only exercised by specific features. ### GitHub App Required Permissions Below is the list of the required permissions on GitHub for Mergify to function properly.

Permission	Access	Usage
Repository: Actions	Read-only	Used to read workflow details.
Repository: Administration	Read-only	Used to access team details.
Repository: Checks	Read and write	Used to read and post checks.
Repository: Commit statuses	Read-only	Used to read checks status.
Repository: Contents	Read and write	Used to read repository content and write (merge).
Repository: Deployments	Read and write	Used to read and post deployments status.
Repository: Issues	Read and write	Used to close issues on merge.
Repository: Metadata	Read-only	Access repository metadata.
Repository: Merge queues	Read-only	Used to receive GitHub merge queues events.
Repository: Pages	Read and write	Write required to trigger page workflow on merge.
Repository: Pull requests	Read and write	Used to read and edit pull requests.
Repository: Workflows	Read and write	Used to read workflows and merge pull requests modifying workflows.
Organization: Members	Read-only	Used to list organization members.
Account: Email addresses	Read-only	Used to read user email addresses.

### Features Permissions To perform any action on Mergify (such as adding a pull request to a merge queue or triggering a command), a user must have sufficient access to the relevant account or resource. Permissions are inherited from GitHub roles.

Feature	Repository role					Organization role
Feature	Read	Triage	Write	Maintain	Admin	Owner
Merge Queue
View the merge queue	✓	✓	✓	✓	✓	✓
Pause the merge queue	✗	✗	✓	✓	✓	✓
Merge Protection
View merge protection status	✓	✓	✓	✓	✓	✓
Edit merge protection rules in `.mergify.yml`	✗	✗	✓	✓	✓	✓
Schedule a queue freeze	✗	✗	✓	✓	✓	✓
CI Insights
View CI Insights data	✓	✓	✓	✓	✓	✓
Activate CI Insights or configure its repositories	✗	✗	✗	✗	✗	✓
Manage CI Insights Auto-Retry rules	✗	✗	✗	✗	✗	✓
Configure CI Insights self-hosted runners	✗	✗	✗	✗	✗	✓
Test Insights
View Test Insights data	✓	✓	✓	✓	✓	✓
Quarantine or unquarantine tests	✗	✗	✓	✓	✓	✓
Configure Test Insights Auto-Quarantine	✗	✗	✓	✓	✓	✓
Account
Manage API keys	✗	✗	✗	✗	✗	✓
Manage Mergify subscription	✗	✗	✗	✗	✗	✓

:::note Non-admin users can be granted access to manage Mergify subscription and billing details on demand. Contact support to request it. ::: ### Command Permissions [Mergify commands](/commands) are [restricted by default](/commands/restrictions/#default-restrictions) and have their own mechanism that can be modified. See [Commands Restrictions](/commands/restrictions/) for changing the default. ## Managing IP Addresses Allowed for the GitHub App [GitHub allows you to configure the list of IP addresses](https://docs.github.com/en/apps/maintaining-github-apps/managing-allowed-ip-addresses-for-a-github-app) that a GitHub App is allowed to use to access GitHub. Mergify services use the following IP addresses: - 34.121.26.35/32 - 34.45.103.142/32 - 34.69.118.185/32 - 136.119.26.243/32 :::note Even though these IP addresses appear in the GitHub allow list as "Managed by Mergify GitHub App", they must be manually added to the list by an organization administrator. GitHub does not allow OAuth authentication to our dashboard if these IPs have not been manually added. :::