Back to blogPrivacy & Terms
9 min readCritique

5 Questions Before Installing an AI Code Review GitHub App

Permissions, tokens, data flow, checks, and deletion paths that separate a real pilot from a trust problem.

Why the hardest part is not the install button

The install flow is the easy part. Trust is the hard part.

Buyers rarely reject an AI review app because the idea is abstractly unsafe. They reject it because one of four things feels wrong: the permission set is broader than the use case, the token model is unclear, the check becomes noisy and starts blocking merges, or nobody can explain what happens to data when the app is removed.

That is why the first question is not "Can it review code?" It is "Can it review code without taking over the org?" GitHub's own documentation pushes in the same direction: choose the minimum permissions required, subscribe to the minimum webhooks, use a webhook secret, and keep credentials secure. That is the baseline. Anything beyond it needs a reason.

GitHub App or OAuth app?

If you are buying automation that runs inside a repository, a GitHub App is usually the cleaner fit. GitHub Apps are built for integrations. OAuth apps are built for user authorization. That distinction matters because it changes what the product can do, how it is scoped, and which token type should be used.

GitHub App vs OAuth app for AI review automation
SurfaceGitHub App patternWhy it matters
PermissionsChosen at registration, scoped to the minimum neededReduces blast radius on compromise or misconfiguration
Automation tokenInstallation access token (IAT) — expires in 1 hourBest fit for headless, app-level workflows
Human actionUser access token, only when acting on behalf of a userAvoids over-privileging background automation
WebhooksMinimum event set with a secret and signature validationLowers noise and spoofing risk
Exit pathDelete app registration → vendor-side cleanupMakes offboarding real and auditable

Question 1 — Permissions

What exact permissions do you need?

This is the first filter. If the vendor cannot map each permission to a single product feature, the scope is probably not disciplined enough. Ask for a plain table: permission, why it is needed, read or write, and whether the product ships without it. GitHub's permissions documentation is explicit that apps have no permissions by default and that the minimum set is the recommended starting point.

Permission Matrixhover a row for context
PermissionAccessHow often needed
Pull requests
Read or WriteOften
Posting review comments and reading PR metadata or file changes.
Contents
ReadOften
Reading files to analyze the code in context. Write is rarely needed for review.
Checks
WriteOften
Publishing the review result as a check run so it appears in branch protection.
Metadata
ReadAlways
Required by GitHub for all apps. Covers basic repo info.
Commit statuses
WriteSometimes
Some apps use statuses instead of check runs. Ask which model the vendor uses.
Actions
ReadRarely
Needed only if the review inspects CI workflow results. Not required for diff review.
Administration
WriteRarely
Rare edge cases only. No review tool needs this for routine analysis.— ask why
Members
ReadRarely
Org membership data. Needed only if review logic depends on who owns what.— ask why
Expected scope
Request written justification
Green flags
  • Vendor starts read-only where possible
  • Write access reserved for a clearly named action (comments, check runs)
  • Any administration scope has a written explanation
  • Permission table is part of the sales or security packet — not hidden in a demo
Red flags
  • "We need broad access to make the magic work"
  • Administration permissions without a crisp reason
  • No distinction between commenting, reviews, and checks
  • The answer changes depending on who you ask

Question 2 — Token model

Which token type powers the product?

This is where a lot of vendors blur the line between "the app" and "the user." For normal background automation, the default should be an installation access token. It is scoped to the app installation, not to a human, and GitHub says it expires after one hour. When you need the product to act on behalf of a person, then a user access token may be appropriate. That should be the exception, not the center of the architecture.

Ask the vendor: Does the core automation use installation access tokens? Are any long-lived user tokens or PATs stored? Can the token be narrowed to selected repositories? How is the private key stored? What happens if the token is compromised? GitHub's best-practices documentation is direct: private keys, tokens, and client secrets should be stored securely, private keys should never be hardcoded, and installation access tokens are for app-installation activity.

Green flags
  • Short-lived installation tokens for background automation
  • Secure storage for private keys and secrets (not hardcoded)
  • Explicit token revocation and rotation story
  • Clear explanation of when user-level authorization is needed
Red flags
  • "We store your users' PATs for convenience"
  • Public-client flow used where server-side installation token should exist
  • No answer for how private keys are stored
  • No plan for revocation or rotation on compromise

Question 3 — Data egress

What leaves GitHub?

This is the part most vendor pages compress into "we only process your code securely." That phrase is too vague to be useful.

Ask for a plain-English data map: what payload is sent to the vendor, whether it is diff-only, full-file, or repository-level context, whether the product creates embeddings or indexes, where model inference runs, what is logged, how long data is retained, whether support staff can see customer code, which subprocessors touch the data, and which region the data is processed in.

Green flags
  • Retention schedule that is easy to understand and verify
  • Deletion path for prompts, logs, embeddings, and backups
  • Documented list of subprocessors with roles
  • Clear attestation that customer code is not used for training
Red flags
  • "We encrypt everything" as a substitute for a real data-flow answer
  • No region story for international or regulated customers
  • No policy for prompt logging or retention
  • No attestation when the vendor claims data is deleted

Question 4 — Check behavior

What happens when the check is wrong?

AI review tools fail socially before they fail technically. Technically, the review may be "good enough." Socially, it can still become intolerable if it blocks merges too often or makes developers distrust the entire branch protection surface.

GitHub's checks model is visible in the pull request Checks tab, and check runs can include annotations on specific lines. That is useful when the signal is good. It is painful when the signal is noisy. If the product is serious, it should make the right thing easy: start optional, measure false positives, then graduate to required only when the signal is stable.

Green flags
  • Optional pilot mode available on install
  • Clear severity labels with actionable specifics
  • Rerun behavior that is predictable and stable
  • Rollback plan documented if the check gets noisy
  • Handles path filters and monorepo configurations
Red flags
  • Required check configured by default on install
  • Vague conclusions like "review completed" with no severity
  • Check names that don't explain what failed
  • Shame-heavy microcopy that trains developers to ignore the tool

Question 5 — Exit path

What happens when you uninstall?

This is the trust test that most sales conversations skip.

GitHub says deleting a GitHub App registration uninstalls it from all accounts where it is installed. That is the beginning of the exit story, not the end. You still need to know what happens to vendor-side data: prompts, logs, embeddings, cached artifacts, and backups. The right vendor does not make leaving feel like a punishment.

Green flags
  • Documented deletion SLA for all data categories
  • Clean uninstall rehearsal available in a staging org
  • Explicit statement about training exclusion
  • No ambiguity about partial deletion across multiple orgs
Red flags
  • "We do not keep your data" with no retention detail to back it up
  • No answer for backups or derived artifacts (embeddings)
  • No process for proving deletion happened (attestation)
  • Deletion story only appears after contract negotiations begin

Webhook hygiene that should not be optional

If the app uses webhooks, the basics are non-negotiable: enable only the events you actually need, create a webhook secret with high entropy, verify the X-Hub-Signature-256 header before processing the payload, store the secret securely, make the handler idempotent, and avoid leaking secrets into logs. GitHub says to validate signatures in constant time and to never modify the payload or headers before verification.

One-page vendor scorecard

Use this as a quick internal filter before anyone approves a pilot. If you cannot get a green flag in every row, you do not have a pilot yet.

FAQ

GitHub Apps are integrations that extend GitHub with automation. They are installed on an account or organization and can be granted specific permissions. GitHub documents them as the preferred pattern when you want to build an integration rather than a user-auth tool. Unlike OAuth apps, they operate under their own identity rather than impersonating a user.
For repository-level automation like AI code review, a GitHub App is almost always the better fit. It is designed around scoped permissions and installation access tokens — not user identity. OAuth apps are better when the product genuinely needs to act on behalf of a user, such as a developer-facing IDE integration that writes to a personal workspace.
Yes — if it is wired into required status checks, it can gate merges. This is a feature and a risk. The risk is that a noisy check trains developers to bypass branch protection entirely. That is why you should always start optional, measure false positive rates on a few sample PRs, and only require the check once the signal quality is stable and your team trusts it.
The first useful set is read access to pull requests and contents, plus write access to checks (for publishing review results). Some apps also need read access to commit statuses or actions. Administration permissions are almost never justified for a review tool — if a vendor asks for them, get a written explanation tied to a specific feature.
Ask where code is processed (country and cloud region), where logs live, which subprocessors are involved, whether embeddings are stored and for how long, and what happens to all of this on uninstall. If the vendor cannot answer in one clear pass, keep the pilot narrow — restrict it to non-sensitive repos and avoid pasting anything that would require a GDPR or SOC 2 review.
Do not make the check required. Add path filters to scope it down, look for a confidence or severity threshold setting, keep a human fallback, and track the false positive rate over two to three weeks before changing status. Most good tools have a "warning only" mode designed for exactly this period.
GitHub removes the app installation when the app registration is deleted. But that is only the GitHub side. You still need a vendor-side deletion answer for logs, model context, embeddings, derived artifacts, and backup tapes. Good vendors have a written policy and can provide an attestation. If they can't, treat that as a material vendor risk.
Critique is an AI code review tool built as a GitHub App. It uses a multi-agent architecture — a Scout that maps the repository, Specialist agents for security and logic, and a Lead Oracle that synthesises findings. Critique's approach is optional-first: checks start advisory and are only wired into required gates when you explicitly configure it. For specifics on permissions, data handling, and deletion — which are policy questions, not marketing — talk to the team directly.

Closing

Installing an AI code review GitHub App should feel boring in the best possible way: minimal permissions, short-lived tokens, explicit data handling, predictable check behavior, and a clean exit path documented before you sign.

If the vendor cannot answer the five questions cleanly, the safest choice is to wait.

Critique is in early access.

If you're an engineering leader evaluating AI PR review and want to see how Critique handles permissions, data, and checks — we should talk. We work with early design partners who want the infrastructure done right.

Get started →
← All essaysPrivacy & Terms

Ask about this essay

Nemotron-3-Super
Ask about the argument, the evidence, the structure, or how the post connects to Critique.
Not editorial advice · The essay above is the source of truth · Not saved to your account · OpenRouter privacy