Security Overview
This page outlines what access you grant and how we handle your data during a scan.
GitHub App Permissions
When you install the Almanax GitHub App you grant access scoped for analysis and CI/CD reporting:
| Permission | Access | Reason |
|---|---|---|
| Checks | Read & Write | Create/update GitHub Checks for CI/CD gating. |
| Commit Statuses | Read & Write | Create/update commit statuses for CI/CD gating. |
| Contents | Read-only | Fetch your repository’s files so we can analyze them. |
| Issues | Read & Write | Future workflows for commenting or ticket sync. |
| Metadata | Read-only | Identify repositories, branches, and pull requests. |
| Pull Requests | Read & Write | Post scan results as PR comments and manage reviews. |
Ephemeral Work Environment
- For each scan we create a temporary working directory on a build node inside our secure infrastructure.
- Your repository is cloned into that working directory using a short-lived OAuth token.
- The scan runs; only the resulting findings are stored in our database, never the source code itself.
- After the scan completes, the working directory (and all cloned files) is automatically deleted.
This approach ensures your code is never persisted outside the scanning window.
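The clone-scan-delete flow above, as an added shell illustration that is not Almanax's own code. It assumes a short-lived GitHub App installation token in `$GITHUB_TOKEN` and a scanner invoked as an ordinary command inside the checkout (the scanner name `my-scanner` is hypothetical); the workspace is removed even when the scanner fails, and the token is passed to git as a header through the environment so it is never written into `.git/config` or shown in `ps` arguments.

```shell
#!/bin/sh
# Added illustration of the ephemeral-workspace flow; not Almanax's code.
# Assumed: $GITHUB_TOKEN holds a short-lived installation token, and the
# scanner is a command run inside the checkout ("my-scanner" is hypothetical).
set -eu

# Run "$@" inside a fresh temporary directory and remove that directory on
# the way out, whether the command succeeded or failed. The command's exit
# status is returned unchanged so CI gating still sees failures.
run_in_ephemeral_dir() {
  local workdir status
  workdir=$(mktemp -d) || return 1
  status=0
  (
    trap 'rm -rf -- "$workdir"' EXIT   # fires whenever this subshell exits
    cd "$workdir" && "$@"
  ) || status=$?
  return "$status"
}

# Clone over HTTPS with the token supplied as an HTTP header via git's
# GIT_CONFIG_* environment variables (git >= 2.31). The credential is not
# embedded in the remote URL, so it is never persisted in .git/config, and
# it is not part of the command line visible to ps.
clone_repo() {    # clone_repo <owner/repo> <destination dir>
  local auth
  auth=$(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 | tr -d '\n')
  GIT_CONFIG_COUNT=1 \
  GIT_CONFIG_KEY_0=http.extraheader \
  GIT_CONFIG_VALUE_0="AUTHORIZATION: basic $auth" \
    git clone --quiet "https://github.com/$1.git" "$2"
}

# Clone, run the scanner, and leave nothing behind but the scanner's output.
_clone_and_scan() {
  local repo
  repo=$1; shift
  clone_repo "$repo" src
  cd src && "$@"
}
scan_repo() {     # scan_repo <owner/repo> <scanner command...>
  local repo
  repo=$1; shift
  run_in_ephemeral_dir _clone_and_scan "$repo" "$@"
}

# Example invocation (hypothetical scanner name):
# scan_repo example-org/example-repo my-scanner --format json > findings.json
```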
Data Retention
- Only metadata (file paths, commit hash) and the AI-generated findings are saved.
- We keep logs for troubleshooting for a limited time.
- You can delete a scan at any time; associated findings are purged immediately.
Encryption & Transit
- Connections from your browser or CI runners to Almanax services use HTTPS (TLS 1.2+).
- Persistent storage resources (EFS, RDS, S3) are configured with AWS-managed encryption at rest (AES-256 / KMS); any temporary working directories are deleted after each scan.