Skip to main content
Sigilix is a hosted GitHub App. This page details what permissions it requests, why, and how to scope its access.
Sigilix is in private beta. Join our private beta to get your account provisioned before installing the App.

Required permissions

The Sigilix GitHub App requests the following permissions on each repository it’s installed against:
PermissionAccessWhy
Pull requestsRead & writePost review comments and inline anchored findings
ContentsReadFetch the diff and surrounding code context
MetadataReadDefault — required by all GitHub Apps
IssuesRead & writeReply to @sigilix mentions on issues and PR threads
ChecksRead & writeOptionally publish a check run alongside the review

Required webhook events

Sigilix subscribes to these GitHub webhook events:
  • pull_requestopened, synchronize, reopened, ready_for_review
  • issue_comment — to handle @sigilix mentions
  • pull_request_review_comment — to handle inline-thread mentions
No other events are subscribed to. We don’t read commits to non-PR branches, push events, or releases.

Org-level vs. repo-level install

You can install Sigilix at two scopes:

All repositories (org-level)

Choose this if you want every existing and future repository to get reviews automatically. The install screen shows “All repositories” and lists what’s covered. Trade-offs:
  • ✅ Zero config when new repos are created
  • ✅ Consistent review coverage across the org
  • ⚠️ Sigilix will review every PR — if you have noisy/auto-PR-heavy repos (e.g., dependabot-only repos), filter them via sigilix.json pathFilters or use repo-level install instead.

Selected repositories

Choose this to opt-in repo by repo. You can add more later from the GitHub App settings page.

OAuth scopes (sign-in)

When you sign in at app.sigilix.ai, the OAuth flow requests:
  • read:user — fetch your GitHub username and email for the dashboard
  • read:org — list the organizations you can install the App into
These are read-only scopes used only at sign-in time. The actual review work uses the GitHub App installation token, scoped per-repo.

Access boundary

What Sigilix does:
  • Reads the diff and full file contents at the PR head SHA, scoped to files changed in the diff
  • Sends those file contents to its model providers (Anthropic, OpenAI-compatible, etc.) under their data-use terms
  • Discards the data after the review completes
  • Stores per-PR telemetry (review duration, finding counts, severity distribution) — no source code retained
What Sigilix doesn’t do:
  • Read your code outside of opened pull requests
  • Train, fine-tune, or evaluate models on your code
  • Share your code with other customers
  • Access secrets in your repository (we read source files, not GitHub Actions secrets or environment variables)
For full data handling details, see the Sigilix Trust page, or contact support@sigilix.ai.

Uninstalling

Uninstall the App at any time from your GitHub App settings: Uninstalling immediately revokes Sigilix’s access. No further reviews are posted. Past reviews remain on PRs as historical comments.