Frequently asked questions

Everything you should know before installing. If your question is not here, email us at info@gitsnitch.app.

Permissions & data

What permissions does the GitHub App request?

GitSnitch requests read-only access to five things: repository metadata (so we can list and display repos), repository contents (so we can clone commit ranges for secret scanning), organization members (to detect new admin additions), webhooks (to receive event notifications from GitHub), and security advisories (for advisory alerts). We request no write permissions of any kind.

Does GitSnitch store my source code?

No. For secret scanning, we clone the affected commit range to a temporary working directory on our server. The scan runs using the open-source gitleaks engine, and the clone is deleted immediately after the scan completes — typically within a few minutes. We store only the alert metadata: the file path, line number, commit SHA, author, and a redacted representation of the matched pattern. Your source code never touches a database.

How are OAuth tokens and credentials secured?

GitHub OAuth tokens are encrypted at rest using AES-256 before being stored. All traffic between your browser, the GitSnitch API, and GitHub uses TLS. Session tokens are stored as signed JWTs with a configurable expiry.

Can GitSnitch modify my repositories or settings?

No. The GitHub App is strictly read-only. It cannot push commits, merge pull requests, create or delete branches, modify branch protection rules, create issues, or change any repository or organization settings. If you ever see a GitHub permission prompt that includes write access, do not install that version — contact us.

Where is my data stored?

GitSnitch runs on AWS. Alert data and account information are stored in a PostgreSQL database. Data is stored in the us-east-1 region. If your organization has data residency requirements, contact us before installing.

How it works

How does secret scanning work?

When a push event arrives, GitSnitch queues a scan job for the affected commit range. The worker clones the repository using a short-lived GitHub App installation token, runs gitleaks against the new commits, and fires a Secret Exposed alert for each finding. The gitleaks rule set covers over 100 secret patterns including AWS keys, GitHub tokens, Stripe keys, and generic high-entropy strings. The clone is deleted after the scan. Scanning typically completes within 1–3 minutes of the push.

How quickly do alerts fire?

Most alert types fire within seconds of the GitHub webhook arriving. Admin change, force push, branch protection, PR merge, and security advisory alerts are processed synchronously as webhooks are received. Secret scanning alerts take 1–3 minutes because they require cloning and scanning the commit range.

What exactly is "after-hours commit" detection?

Whenever a push event arrives, GitSnitch checks the commit timestamp against configured business hours. The default window is 08:00–18:00 UTC, Monday through Friday. Commits pushed outside that window generate an After-Hours Commit alert. Configurable per-organization business hours and timezone are on the roadmap.
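The check described above, as an added example in Python (not GitSnitch's own code). The defaults match the window stated on this page (08:00–18:00 UTC, Monday to Friday); the window and timezone parameters illustrate what the roadmap item would look like and are not a shipped setting. Two clocks are evaluated per commit: the commit's own timestamp, which the committer controls (git accepts any value for the author and committer dates, so it can be backdated into business hours), and the time the webhook reached the server, which the pusher cannot edit. The push payload is a constructed sample using the timestamp format GitHub's push event carries (ISO 8601 with the committer's UTC offset).

```python
"""Added example, not GitSnitch's own code: classify the commits in a GitHub
push webhook as inside or outside a business-hours window, using both the
author-controlled commit timestamp and the server-side receipt time."""
from datetime import datetime, time, timedelta, timezone


def parse_github_timestamp(s):
    """GitHub sends ISO 8601 with an offset ('...-07:00'); a trailing 'Z' is
    only understood by fromisoformat on Python 3.11+, so normalise it."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_after_hours(ts, start=time(8, 0), end=time(18, 0),
                   tz=timezone.utc, workdays=(0, 1, 2, 3, 4)):
    """True when ts falls outside [start, end) on a workday, evaluated in tz.
    ts must be timezone-aware: comparing a naive time would silently treat a
    committer's local time as if it were in the business timezone."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    local = ts.astimezone(tz)
    if local.weekday() not in workdays:   # Monday=0 ... Sunday=6
        return True
    return not (start <= local.time() < end)


def after_hours_alerts(push_event, received_at, **window):
    """One record per pushed commit. `alert` is set if either clock says the
    activity is outside the window; both flags are kept so an analyst can see
    a commit stamped inside business hours that was pushed at 3 a.m."""
    push_after_hours = is_after_hours(received_at, **window)
    records = []
    for c in push_event.get("commits", []):
        commit_after_hours = is_after_hours(parse_github_timestamp(c["timestamp"]), **window)
        records.append({
            "commit": c["id"],
            "commit_after_hours": commit_after_hours,
            "push_after_hours": push_after_hours,
            "alert": commit_after_hours or push_after_hours,
        })
    return records


# Constructed sample: three commits pushed together on a Saturday.
# 2024-05-01 is a Wednesday; 2024-05-04 is a Saturday.
SAMPLE_PUSH = {"ref": "refs/heads/main", "commits": [
    {"id": "1" * 40, "timestamp": "2024-05-01T23:15:00-07:00"},  # 06:15 UTC, before 08:00
    {"id": "2" * 40, "timestamp": "2024-05-01T10:00:00Z"},       # 10:00 UTC, in hours
    {"id": "3" * 40, "timestamp": "2024-05-04T12:00:00+00:00"},  # Saturday
]}
SAMPLE_RECEIVED_AT = datetime(2024, 5, 4, 12, 5, tzinfo=timezone.utc)

# Constructed per-organization window (hypothetical roadmap setting):
# 09:00-17:00 in a fixed UTC+2 zone. A zoneinfo.ZoneInfo object works the same way.
ORG_WINDOW_EXAMPLE = {"start": time(9, 0), "end": time(17, 0),
                      "tz": timezone(timedelta(hours=2))}

if __name__ == "__main__":
    for r in after_hours_alerts(SAMPLE_PUSH, SAMPLE_RECEIVED_AT):
        print(r)
```

The receipt time is the one to trust for the "who is active when" question; the commit timestamp is still useful because a mismatch between the two (a commit stamped mid-afternoon but pushed at night) is itself something an analyst may want to see.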

What is dormant admin detection?

GitSnitch tracks activity for all organization admins. If an admin account has had no recorded activity for 90 or more days and then suddenly becomes active — by pushing a commit, merging a PR, or being added to a repository — a Dormant Admin Activity alert fires. This is a common pattern when a stale admin account is compromised.
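The detection described above, as an added example in Python (not GitSnitch's own code). It keeps the latest recorded activity per login, refreshes the admin set from the organization member list, and raises an alert when an admin acts again 90 or more days after their previous recorded activity. One assumption is labelled in the code: tracking starts at app installation, so an admin whose first recorded activity comes 90+ days after install also counts as dormant; the page does not say how the real service sets that baseline. The activity stream is a constructed sample.

```python
"""Added example, not GitSnitch's own code: dormant-admin detection over a
stream of recorded activities (pushes, PR merges, repository additions)."""
from datetime import datetime, timedelta, timezone


class DormantAdminDetector:
    def __init__(self, tracking_since, dormant_after=timedelta(days=90)):
        # Assumption: the install time is the baseline for logins never seen
        # since, so "no recorded activity" is measured from tracking start.
        self.tracking_since = tracking_since
        self.dormant_after = dormant_after
        self.admins = set()
        self.last_seen = {}   # login -> datetime of latest recorded activity

    def set_admins(self, logins):
        """Refresh from the organization member list. Everyone is tracked so
        that a user promoted to admin later already has a history."""
        self.admins = set(logins)

    def record_activity(self, login, at, kind):
        """Record one activity. Returns an alert dict if this activity ends a
        dormant period for an admin, otherwise None."""
        baseline = self.last_seen.get(login, self.tracking_since)
        # Webhooks can arrive out of order: never move last_seen backwards.
        if at > baseline:
            self.last_seen[login] = at
        if login not in self.admins:
            return None
        gap = at - baseline
        if gap < self.dormant_after:
            return None
        return {
            "type": "dormant_admin_activity",
            "login": login,
            "activity": kind,
            "dormant_days": gap.days,
            "previous_activity": baseline.isoformat(),
            "at": at.isoformat(),
        }


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample stream: (login, time, activity kind), in arrival order.
SAMPLE_ACTIVITY = [
    ("alice", _utc(2024, 1, 10), "push"),          # 9 days after install
    ("bob",   _utc(2024, 1, 5),  "push"),          # not an admin
    ("carol", _utc(2024, 3, 30), "push"),          # 89 days after install: under threshold
    ("carol", _utc(2024, 4, 1),  "pr_merged"),     # 2 days after her last activity
    ("alice", _utc(2024, 4, 15), "member_added"),  # 96 days after her last activity
    ("bob",   _utc(2024, 7, 30), "push"),          # long gap, but bob is not an admin
    ("alice", _utc(2024, 4, 10), "push"),          # late-arriving, out of order
]


def run_sample():
    """Replay the sample stream; returns (detector, alerts)."""
    det = DormantAdminDetector(tracking_since=_utc(2024, 1, 1))
    det.set_admins(["alice", "carol"])
    alerts = []
    for login, at, kind in SAMPLE_ACTIVITY:
        alert = det.record_activity(login, at, kind)
        if alert:
            alerts.append(alert)
    return det, alerts


if __name__ == "__main__":
    for alert in run_sample()[1]:
        print(alert)
```

Two details carry most of the value: the 89-day case shows the threshold is inclusive at 90 and not before, and the late-arriving event shows why `last_seen` must only move forward, since a delayed webhook for an old push would otherwise reset the baseline and mask a later reactivation.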

What GitHub events are monitored?

GitSnitch receives and processes: push events (force push detection, secret scanning, after-hours commits, activity tracking), pull request events (PR merge audit trail), member events (new collaborator alerts), organization events (new org admin alerts), branch protection rule events, repository ruleset events, installation events (app install/uninstall), and security advisory events.

Billing & plans

Do I need a credit card for the Free plan?

No. Install the GitHub App and you are automatically on the Free plan. No payment information is required until you choose to upgrade.

What is the difference between Free and Team?

The Free plan covers 1 organization, up to 3 repositories, and 7 days of alert history. All eight alert types fire on Free, but forensic detail — the exact file path, line number, commit SHA, and matched secret pattern — is redacted. You will see that a secret was found, but you will need to upgrade to Team to see where it is and remediate it. Team also unlocks Slack and email notifications and 90 days of alert history.

Why is forensic detail gated behind the Team plan?

The free alert tells you something happened and lets you verify it yourself in GitHub. The paid alert tells you exactly what happened, where, and who did it — the information you need to remediate quickly. We think this is a fair trade-off that makes the free tier genuinely useful without giving away the core value of the product.

How does annual billing work?

The Team plan is $49/month on a monthly billing cycle. If you pay annually, the rate drops to $39/month ($468/year) — a 20% saving. Annual billing is available from the billing page in your dashboard after you upgrade.

Can I cancel at any time?

Yes. Cancel from the Billing page in your dashboard. Your access continues until the end of the current billing period. You will not be charged again after cancellation.

What is the Enterprise plan?

Enterprise is for organizations that need to monitor multiple GitHub organizations under one account, require custom alert retention periods, have procurement or MSA requirements, or need custom integrations (such as Splunk HEC). Pricing starts at $499/month and is customized from there. Contact us at info@gitsnitch.app.

Is there a free trial for the Team plan?

Not yet, but we are considering a 14-day trial. In the meantime, the Free plan gives you a real sense of the product. If you want to evaluate Team features before committing, contact us and we can arrange a trial.

Notifications

What notification channels are supported?

Slack (via incoming webhook) and email are supported on the Team plan. Neither channel is available on the Free plan — alerts are visible in the dashboard only. Microsoft Teams, PagerDuty, and Webex Teams are on the roadmap. If a specific channel is critical for your team, let us know — it helps us prioritize.

How do I connect Slack?

From Settings in your dashboard, paste a Slack incoming webhook URL and optionally a channel name. GitSnitch will send a formatted attachment for each alert, including severity color-coding and relevant fields like the actor and repository.

Can I receive only certain alert types?

Per-alert-type notification filtering is on the roadmap. Today, all enabled alert types are sent to all configured notification channels. You can acknowledge or dismiss alerts in the dashboard to keep things tidy.

Setup & compatibility

Does GitSnitch work with GitHub.com or GitHub Enterprise Server?

GitSnitch currently works with GitHub.com organizations. GitHub Enterprise Server (self-hosted) support is on the roadmap.

Do I need to be an organization owner to install?

Yes. Installing a GitHub App on an organization requires organization owner permissions. Once installed, any organization member with access to the GitSnitch dashboard can view alerts.

What if I uninstall the GitHub App?

Uninstalling removes all webhook subscriptions immediately. GitSnitch will stop receiving events and no further alerts will be generated. Your existing alert history is retained for 30 days before being deleted, in case you reinstall.

Still have questions?

We are a small team and we read every email. Reach us at info@gitsnitch.app. For enterprise inquiries or to arrange a demo, use the same address.