Security & Permissions
Updated: 25th January 2026
We believe transparency is essential to trust. This page explains exactly what Pull Checklist can access, what data we read, what actions we can take, and which third-party services are involved. Use this page for your compliance reviews and security assessments.
Repository Access
Pull Checklist uses a GitHub App to access your repositories. This means you have complete control over which repositories we can see.
How Access Works
- You choose which repositories to grant access to during installation. You can select specific repositories or grant access to all repositories in your organization.
- Repositories not granted cannot be seen by Pull Checklist. We have no visibility into repositories you have not explicitly authorized.
- You can modify access at any time through your GitHub App installation settings. Add or remove repositories as your needs change.
- Revoking access is instant. Uninstall the GitHub App or remove specific repositories, and we immediately lose all access.
Why Some Repositories May Not Appear
If a repository does not appear in Pull Checklist, it may be because:
- The GitHub App is not installed for that repository
- You selected specific repositories during installation and did not include it
- Organization policies restrict third-party app access
Data Scope
Below is exactly what Pull Checklist reads and what we never access. We follow the principle of minimal data access and only read what is necessary to provide checklist functionality.
What We Read
- Pull Request Metadata: Title, author, timestamps, labels, and status
- File Paths Changed: Names and paths of files modified (not the content)
- Review Status: Approval status, requested reviewers, and review comments
- Commit Messages: Commit messages associated with pull requests
- PR Descriptions: The description text you write for pull requests
What We Never Read
- Source Code Content: The actual code inside your files
- Commit Diffs: Line-by-line changes in your commits
- Secrets or Credentials: Environment variables, API keys, or tokens
- Private Conversations: Direct messages or private discussions
- Other GitHub Data: Projects, wikis, discussions, or actions logs
Permissions & Actions
Below are the GitHub permissions we request and why, plus a clear list of what we can and cannot do with your repositories.
GitHub Permissions Requested
| Permission | Access Level | Purpose |
|---|---|---|
| Pull Requests | Read & Write | Read PR details and post checklist comments |
| Checks | Write | Create status checks to show checklist completion |
| Issues | Read | Read issue references linked in pull requests |
| Repository Metadata | Read | Read repository name, settings, and collaborators |
| Webhooks | Read & Write | Receive notifications when PRs are opened or updated |
What Pull Checklist Can Do
- Post checklist comments on pull requests
- Create and update status checks
- Request reviews from team members
- Read pull request metadata and comments
What Pull Checklist Cannot Do
- Merge pull requests
- Modify, delete, or commit code
- Access repository contents or source files
- Change repository settings or permissions
- Access data from repositories not granted
- Delete branches, issues, or comments
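For a compliance review, the permissions table and the "cannot do" list above can be checked against what GitHub actually reports for the installation (for example, the installation record from `GET /orgs/{org}/installations`). The following is an added example, not Pull Checklist's own code: the mapping from the table's labels to GitHub API permission keys is an assumption, and both installation records are constructed samples.

```python
# Added example: audit a GitHub App installation record against the
# permissions table documented on this page. Not the vendor's code.

RANK = {"read": 1, "write": 2}

# Documented maximum per permission. Keys are GitHub API permission names;
# which key each table row corresponds to is an assumption of this example.
DOCUMENTED = {
    "pull_requests": "write",     # Pull Requests: Read & Write
    "checks": "write",            # Checks: Write
    "issues": "read",             # Issues: Read
    "metadata": "read",           # Repository Metadata: Read
    "repository_hooks": "write",  # Webhooks: Read & Write
}

def audit_installation(installation: dict) -> list[str]:
    """Return findings where granted access exceeds the documented table."""
    findings = []
    for perm, level in sorted(installation.get("permissions", {}).items()):
        allowed = DOCUMENTED.get(perm)
        if allowed is None:
            findings.append(f"{perm}={level}: not in documented table")
        elif RANK.get(level, 3) > RANK[allowed]:  # unknown levels rank highest
            findings.append(f"{perm}={level}: documented maximum is {allowed}")
    if installation.get("repository_selection") == "all":
        findings.append("repository_selection=all: app can see every repository")
    return findings

# Constructed sample: grants that match the documented table.
MATCHING = {
    "app_slug": "example-app",
    "repository_selection": "selected",
    "permissions": {"pull_requests": "write", "checks": "write",
                    "issues": "read", "metadata": "read",
                    "repository_hooks": "write"},
}

# Constructed sample: drift a reviewer would want flagged.
DRIFTED = {
    "app_slug": "example-app",
    "repository_selection": "all",
    "permissions": {"pull_requests": "write", "checks": "write",
                    "issues": "write", "metadata": "read",
                    "contents": "read"},
}

if __name__ == "__main__":
    for name, record in (("MATCHING", MATCHING), ("DRIFTED", DRIFTED)):
        print(name, audit_installation(record) or "no findings")
```

A `contents` grant is the one to watch for, since the page states that repository contents and source files are never accessed.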
Third-Party Services
Pull Checklist uses the following third-party services. Links to their security documentation are provided for your review.
Data sharing: We do not sell your data. Third-party services only receive the minimum data necessary for their function. Repository code and content are never shared with analytics or support services.
Questions?
If you have security questions or need additional information for your compliance review, contact us at hello@pullchecklist.com. We are happy to complete security questionnaires or provide additional documentation.