
Security model

What the bot accesses, what it stores, and how every webhook is verified.

The short version: your source code is processed in memory and never persisted. Every incoming webhook is HMAC-verified before any processing happens. The bot asks for the minimum GitHub permissions it needs to function — nothing more.

GitHub App permissions

When you install Revvu, GitHub asks you to approve these permissions. Each one maps directly to a feature you can see.

Permission, and why we need it:
  • pull_requests (write): to post inline review comments on your PRs.
  • contents (write): to auto-resolve fixed review threads. GitHub's resolveReviewThread GraphQL mutation requires this permission.
  • checks (write): to post the "Revvu Review" check run that appears on the PR's checks tab.
  • issues (read): to read PR conversation comments for @mention detection. PR conversation comments are issue comments under GitHub's API.

What we store

  • Review records — Metadata only: PR ID, repository, timestamp, and severity counts. Never raw diffs or source code.
  • Review comments — The comment text we posted to GitHub (which is already visible to anyone who can see the PR), plus a fingerprint hash used to dedup comments on subsequent pushes.
  • Repo settings — Your tuning of the roughly thirty config knobs that control review behavior.
  • Team learnings — Only the rules you explicitly teach by replying to bot comments, scoped per-repo and never shared between repos.

What we do not store

  • Raw diff content — Diffs are processed in memory and discarded after the review completes. No row in any table contains a diff.
  • Full file source — Files fetched during enrichment are held in memory only for the review's duration, then dropped.
  • GitHub access tokens — We use GitHub App installation tokens, which GitHub expires one hour after issue. We never request or store long-lived personal access tokens.
  • Logs of source code — Application logs do not include diff bodies, file contents, or PR text. Logs are limited to identifiers, status codes, and timing.

Webhook verification

Every incoming GitHub webhook is verified with HMAC-SHA-256 against the shared webhook secret before any processing. GitHub sends the signature in the X-Hub-Signature-256 header as sha256=<hex>, computed over the raw request body; the bot recomputes it with the secret and rejects any mismatch. Requests with a missing or invalid signature are rejected with a 401 response immediately, before the payload is parsed. The webhook handler does no work other than verifying the signature and enqueueing a background job; all review processing happens off the request path, in the background queue.
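The following is an added example of such a verifier, not Revvu's own code. The header names (X-Hub-Signature-256, X-GitHub-Event, X-GitHub-Delivery) and the sha256= prefix are GitHub's; the secret, the sample payload and the enqueue callback are constructed for the example. Two details matter in practice and are easy to get wrong: the HMAC must be computed over the exact request bytes (a re-serialized JSON object will not match), and the comparison must be constant-time so a wrong signature cannot be distinguished byte-by-byte via response timing.

```python
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed secret for this example only; in production this is whatever
# was configured as the webhook secret on the GitHub App.
WEBHOOK_SECRET = b"example-webhook-secret-not-real"

SIGNATURE_HEADER = "X-Hub-Signature-256"  # GitHub's SHA-256 HMAC header
PREFIX = "sha256="


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Return the header value GitHub would send for raw_body: 'sha256=<hex>'."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return PREFIX + digest


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if header_value is a well-formed, matching HMAC-SHA-256 over raw_body.

    A missing header, a different algorithm prefix (e.g. the legacy sha1=),
    or a digest mismatch all return False. The comparison uses
    hmac.compare_digest so the time taken does not depend on where the
    first differing byte is.
    """
    if not header_value or not header_value.startswith(PREFIX):
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected.encode(), header_value.encode())


def _header(headers: dict, name: str, default: Optional[str] = None) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return default


def handle_webhook(headers: dict, raw_body: bytes, secret: bytes,
                   enqueue: Callable[[dict], None]) -> int:
    """Request-path logic only: verify, enqueue, return an HTTP status code.

    Returns 401 for a missing or invalid signature and 202 once a job has
    been queued. The body is not parsed until its signature has checked out,
    and no review work happens here; the queued job does that.
    """
    signature = _header(headers, SIGNATURE_HEADER)
    if not verify_signature(secret, raw_body, signature):
        return 401
    payload = json.loads(raw_body)  # safe to parse now: the bytes are authenticated
    enqueue({
        "event": _header(headers, "X-GitHub-Event", ""),
        "delivery": _header(headers, "X-GitHub-Delivery", ""),
        "payload": payload,
    })
    return 202


if __name__ == "__main__":
    # Constructed sample delivery: a minimal pull_request payload.
    body = b'{"action": "opened", "number": 1}'
    good = compute_signature(WEBHOOK_SECRET, body)
    jobs = []
    print(handle_webhook({SIGNATURE_HEADER: good, "X-GitHub-Event": "pull_request"},
                         body, WEBHOOK_SECRET, jobs.append))        # 202, one job queued
    print(handle_webhook({}, body, WEBHOOK_SECRET, jobs.append))     # 401, no signature
    print(handle_webhook({SIGNATURE_HEADER: good}, body + b" ",
                         WEBHOOK_SECRET, jobs.append))               # 401, body tampered
    print(len(jobs))                                                 # 1
```

Note that the tampered case changes a single trailing byte of the body and still fails: that is the property the check exists for. In a real service the same function sits behind the framework's raw-body accessor, never behind a parsed JSON object that the framework has already re-encoded.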

AI processing

To produce a review, the bot sends the PR's diff and a small set of contextual files to the AI inference endpoint for analysis. The provider receives this content for the duration of the request only. Per the inference provider's terms, your data is not used to train models. Revvu does not retain the diff after the review completes.

Network egress

Outbound calls from the Revvu backend are limited to the following destinations:

  • GitHub's API — to fetch PR data and post comments, threads, and check runs.
  • The AI inference endpoint — for review, summarization, and classification calls.
  • Our database — to read and write review metadata, settings, learnings, and feedback records.
