---
title: Security
description: Learn more about the application's permissions and Mergify's security obsession.
---

import Button from '../../components/Button.astro';

At Mergify, security is of utmost importance to us. We understand the crucial
role we play in the software development process and are fully committed to
earning and maintaining the trust of our users. Our Security page is dedicated
to providing transparency regarding our security measures and practices. We
continually strive to improve the safety and reliability of our platform,
ensuring that your repositories and code are well-protected.

## Trust Report

Our Trust Report is designed to provide transparency and instill confidence in
our customers. By sharing our compliance reports and offering insights into our
security practices, we aim to demonstrate our unwavering dedication to
safeguarding your valuable information.

<Button href="https://trust.mergify.com" colorScheme='blue'>
  Trust Report
</Button>

We invite you to explore this documentation and learn more about how we
prioritize your trust. Click the button above to access our Trust Report page,
where you will find in-depth information on our security measures and our
ongoing commitment to protecting your data.

## Bug Bounty Program

Mergify hosts a public Bug Bounty program with HackerOne. If you're an
independent security expert or researcher and believe you've discovered a
security-related issue on our platform, we appreciate you disclosing the issue
to us responsibly, and thank you for your time and expertise.

<Button href="https://hackerone.com/mergify" colorScheme='blue'>
  Submit a vulnerability
</Button>

## Contacting Us About Security Concerns

At Mergify, we prioritize the security of our platform and the safety of our
users. If you have any security-related questions or concerns, please reach out
directly to our dedicated security team at <a
href="mailto:security@mergify.com">security@mergify.com</a>.

We appreciate your collaboration in ensuring the security of Mergify and its
community. Rest assured, all communications related to security matters will be
treated with the highest priority and confidentiality.

## GitHub App Required Permissions

Below is the list of the permissions Mergify requires on GitHub to function
properly.

<table>
  <thead>
    <tr>
      <th>Permission</th>
      <th>Access</th>
      <th>Usage</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Repository: Actions</td>
      <td>Read-only</td>
      <td>Used to read workflow details.</td>
    </tr>
    <tr>
      <td>Repository: Administration</td>
      <td>Read-only</td>
      <td>Used to access team details.</td>
    </tr>
    <tr>
      <td>Repository: Checks</td>
      <td>Read and write</td>
      <td>Used to read and post checks.</td>
    </tr>
    <tr>
      <td>Repository: Commit statuses</td>
      <td>Read-only</td>
      <td>Used to read checks status.</td>
    </tr>
    <tr>
      <td>Repository: Contents</td>
      <td>Read and write</td>
      <td>Used to read repository content and write (merge).</td>
    </tr>
    <tr>
      <td>Repository: Deployments</td>
      <td>Read and write</td>
      <td>Used to read and post deployments status.</td>
    </tr>
    <tr>
      <td>Repository: Issues</td>
      <td>Read and write</td>
      <td>Used to close issues on merge.</td>
    </tr>
    <tr>
      <td>Repository: Metadata</td>
      <td>Read-only</td>
      <td>Used to access repository metadata.</td>
    </tr>
    <tr>
      <td>Repository: Merge queues</td>
      <td>Read-only</td>
      <td>Used to receive GitHub merge queue events.</td>
    </tr>
    <tr>
      <td>Repository: Pages</td>
      <td>Read and write</td>
      <td>Write access is required to trigger the Pages workflow on merge.</td>
    </tr>
    <tr>
      <td>Repository: Pull requests</td>
      <td>Read and write</td>
      <td>Used to read and edit pull requests.</td>
    </tr>
    <tr>
      <td>Repository: Workflows</td>
      <td>Read and write</td>
      <td>Used to read workflows and merge pull requests modifying workflows.</td>
    </tr>
    <tr>
      <td>Organization: Members</td>
      <td>Read-only</td>
      <td>Used to list organization members.</td>
    </tr>
    <tr>
      <td>Account: Email addresses</td>
      <td>Read-only</td>
      <td>Used to read user email addresses.</td>
    </tr>
  </tbody>
</table>
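To check an installation against this table, the following added example (not Mergify's own code) audits a GitHub App installation's granted permissions and flags anything granted beyond the documented level. It assumes the snake_case key names that GitHub's installation `permissions` object uses, mapped to `"read"` or `"write"`; the sample input is constructed.

```python
# Added example, not Mergify's own code: audit a GitHub App installation's
# granted permissions against the levels documented in the table above.
# The snake_case keys below are the assumed API names for those permissions
# (GitHub's installation "permissions" object maps names to "read"/"write").
DOCUMENTED = {
    "actions": "read",
    "administration": "read",
    "checks": "write",
    "statuses": "read",
    "contents": "write",
    "deployments": "write",
    "issues": "write",
    "metadata": "read",
    "merge_queues": "read",
    "pages": "write",
    "pull_requests": "write",
    "workflows": "write",
    "members": "read",
    "email_addresses": "read",
}

RANK = {"read": 1, "write": 2}


def audit_permissions(granted, documented=DOCUMENTED):
    """Compare granted permissions with the documented set; return findings."""
    # excess: granted but not documented at all; elevated: granted above the
    # documented level; missing: documented but absent (app would not work fully).
    findings = {"excess": [], "elevated": [], "missing": []}
    for name, level in granted.items():
        expected = documented.get(name)
        if expected is None:
            findings["excess"].append(name)
        elif RANK.get(level, 0) > RANK[expected]:
            findings["elevated"].append(f"{name}: {level} (documented: {expected})")
    for name in documented:
        if name not in granted:
            findings["missing"].append(name)
    return findings


# Constructed sample: one elevated level and one undocumented permission.
SAMPLE_GRANTED = {**DOCUMENTED, "administration": "write", "secrets": "read"}

if __name__ == "__main__":
    for kind, items in audit_permissions(SAMPLE_GRANTED).items():
        print(kind, items)
```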

## User Permissions

To perform any actions on Mergify, such as adding a pull request in a merge
queue or triggering a command, a person must have sufficient access to the
relevant account or resource. This access is controlled by permissions. A
permission is the ability to perform a specific action. A role is a set of
permissions you can assign to individuals or teams.

Mergify users inherit their roles directly from [GitHub
roles](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization).

That means that a user who has the `Read` role for a repository in GitHub will
also inherit this role in Mergify.

### Features Permissions

<table>
  <thead>
    <tr>
      <th>Feature</th>
      <th>Read</th>
      <th>Triage</th>
      <th>Write</th>
      <th>Maintain</th>
      <th>Admin</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>View the merge queue</td>
      <td>✓</td>
      <td>✓</td>
      <td>✓</td>
      <td>✓</td>
      <td>✓</td>
    </tr>
    <tr>
      <td>Pause the merge queue</td>
      <td>✗</td>
      <td>✗</td>
      <td>✓</td>
      <td>✓</td>
      <td>✓</td>
    </tr>
    <tr>
      <td>Manage API keys</td>
      <td>✗</td>
      <td>✗</td>
      <td>✗</td>
      <td>✗</td>
      <td>✓</td>
    </tr>
    <tr>
      <td>Manage Mergify subscription</td>
      <td>✗</td>
      <td>✗</td>
      <td>✗</td>
      <td>✗</td>
      <td>✓</td>
    </tr>
  </tbody>
</table>

:::note
  Non-admin users may be granted access to the Mergify subscription and
  billing details on request. <a
  href="mailto:support@mergify.com">Contact our support</a>
  to request this access for a non-admin user.
:::

### Command Permissions

[Mergify commands](/commands) are [restricted by
default](/commands/restrictions/#default-restrictions) and have their own
restriction mechanism, which can be modified. See [Commands
Restrictions](/commands/restrictions/) for changing the default.

## Managing IP Addresses Allowed for the GitHub App

[GitHub allows you to configure the list of IP addresses](https://docs.github.com/en/apps/maintaining-github-apps/managing-allowed-ip-addresses-for-a-github-app)
that a GitHub App is allowed to use to access GitHub.

Mergify services use the following IP addresses:

- 34.121.26.35/32
- 34.45.103.142/32
- 34.69.118.185/32

:::note
Even though these IP addresses will appear in the GitHub allow list as "Managed by Mergify GitHub App",
they must be manually added to the list by an organization administrator.
GitHub does not allow OAuth authentication to our dashboard if IPs have not been manually added to the list.
:::
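Because the entries must be added by hand, it is worth verifying that the allow list actually covers the ranges above and carries no stale Mergify entries. The following added example (not Mergify's or GitHub's own code) does that check over an exported allow list; the entry shape (`value`, `is_active`, `name`) is assumed to mirror GitHub's IP allow list entries, and the sample list is constructed.

```python
# Added example, not Mergify's or GitHub's own code: check an organization's
# IP allow list against the Mergify ranges documented above. The entry shape
# ("value", "is_active", "name") is assumed to mirror GitHub's allow list entries.
import ipaddress

# Ranges documented on this page for Mergify services.
MERGIFY_RANGES = [
    ipaddress.ip_network("34.121.26.35/32"),
    ipaddress.ip_network("34.45.103.142/32"),
    ipaddress.ip_network("34.69.118.185/32"),
]


def _related(a, b):
    # True when one network contains the other (same IP version only).
    return a.version == b.version and (a.subnet_of(b) or b.subnet_of(a))


def check_allow_list(entries):
    """Return (missing, inactive, stale) for the documented Mergify ranges.

    missing:  documented ranges not covered by any entry
    inactive: documented ranges covered only by disabled entries
    stale:    entries labelled for Mergify whose range is no longer documented
    """
    parsed = []
    for e in entries:
        net = ipaddress.ip_network(e["value"], strict=False)
        parsed.append((net, bool(e.get("is_active", True)), e.get("name", "")))
    missing, inactive = [], []
    for want in MERGIFY_RANGES:
        covering = [active for net, active, _ in parsed
                    if net.version == want.version and want.subnet_of(net)]
        if not covering:
            missing.append(str(want))
        elif not any(covering):
            inactive.append(str(want))
    stale = [str(net) for net, _, name in parsed
             if "mergify" in name.lower()
             and not any(_related(net, w) for w in MERGIFY_RANGES)]
    return missing, inactive, stale


# Constructed sample allow list: one range missing, one disabled, one stale.
SAMPLE_ENTRIES = [
    {"value": "34.121.26.35/32", "is_active": True, "name": "Mergify"},
    {"value": "34.45.103.142/32", "is_active": False, "name": "Mergify"},
    {"value": "198.51.100.0/24", "is_active": True, "name": "Mergify (old)"},
    {"value": "203.0.113.7", "is_active": True, "name": "Office VPN"},
]
```

Running `check_allow_list(SAMPLE_ENTRIES)` reports the third documented range as missing, the second as inactive, and the `198.51.100.0/24` entry as stale.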
