Direct repository access
Find users with repo access that bypasses the normal GitHub team model.
Audit repository access. Review team permissions. Find direct grants, outside collaborators, and stale access paths before they become someone else's incident.
Let org admins delegate repo-team access work without handing out GitHub org admin.
Read-only first scan. No code cloned. No signup required to see the first audit results.
When repository access stops fitting in your head, GitHub turns into a slow manual audit.
Free audit scope
A GitHub repository access audit should show the quiet paths where permissions drift: direct grants, outside collaborators, stale access, and teams with broader access than intended.
Find users with repo access that bypasses the normal GitHub team model.
Separate vendor, contractor, and temporary access from staff-team permissions.
Spot teams whose repository permissions no longer match ownership or support boundaries.
Review high-privilege access before it becomes the default operating model.
Check the quiet exceptions that outlive leavers, team moves, and vendor work.
Surface repositories where nobody can quickly answer who should approve access.
GitHub governance guides
Short, practical guides for the GitHub access problems that usually show up before an audit, offboarding review, or team restructure.
Use the minimum GitHub permissions needed for read-only audits and controlled write workflows.
Delegation Repo-team access without org adminLet operators handle access cleanup without giving them broad GitHub organization power.
Comparison repod vs safe-settingsChoose between repository settings enforcement and reviewable access policy-as-code.
Offboarding Remove stale GitHub accessReview teams, direct grants, outside collaborators, and service accounts after role changes.
Structure repo access through teams, reduce manual admin, and make changes safer.
Stop handling joiners, leavers, and access changes one repo at a time.
See the export, review, and apply workflow.
See what will change before syncing updates back to GitHub.
Need a cleaner starting point? Read our GitHub repository permissions audit checklist.
Replace direct repo-by-repo permissions with a cleaner team-based model.
Need tighter boundaries? See our private GitHub repo visibility use case.
Let org admins keep control while maintainers and operators handle repo-team access work, without adding a Terraform workflow or an enterprise stack.
Learn how to delegate GitHub repo-team access without org admin, or read the broader GitHub org permissions governance guide.
How it works
Four steps to understand, improve, and prove GitHub governance without handing out org admin.
$ repod connect github
org: acme-platform
token: github_pat_••••
scope: read-only org access
Connect one GitHub org with read-only permissions.
Scanning access…
repos: 296
teams: 18
direct grants: 113
outside collaborators: 8
repod maps repo-team access, direct grants, outside collaborators, and unowned repos.
Workbook workflow
export mapping.xlsx
edit access columns
preview diff
apply approved changes
Use the planner to fix risky access without handing out GitHub org admin.
Governance report
score: 40 → 78
direct grants: 113 → 18
evidence: exported
status: audit-ready
Generate audit-ready evidence and show measurable improvement over time.
Based on our operational model, teams with 300-700 repos typically save £3.8k-£9k per year in loaded engineering cost.
1 orgs · 20 repos · 3 teams
1 orgs · 200 repos · 20 teams
2 orgs · 500 repos · 100 teams
1 orgs · 500 repos · 125 teams
Start with repository ownership, team mappings, direct user grants, outside collaborators, and high-privilege access. repod turns that into an org-wide access audit instead of a repo-by-repo click exercise.
For the manual review path, read the GitHub repo access audit guide or use the GitHub repository permissions audit checklist.
Direct repository access is any user-to-repo grant that bypasses the normal team model. repod helps surface those grants so admins can decide whether they are justified exceptions or access drift.
For the model decision, read GitHub Team permissions vs direct repository access.
Review the teams attached to each repository, their permission levels, inherited access paths, and whether the mapping still matches ownership. repod exports and previews repo-team access so changes can be reviewed before apply.
For the product workflow, read how to export, review, and apply GitHub repo-team access changes.
Check org membership, team membership, direct repository grants, outside collaborators, service accounts, and old exceptions. The goal is to remove both the obvious access and the quiet access paths that outlive the person or vendor.
For the process, read the GitHub offboarding playbook.
Outside collaborators should be reviewed separately from staff teams because they often represent vendor, contractor, or temporary access. repod helps make those exceptions visible during access review.
The GitHub repository permissions audit checklist includes outside collaborators, direct grants, and other common exception paths.
Usually no. Easy contribution is good, but blanket write access changes the risk model once repos use GitHub Actions, packages, deploy paths, and sensitive branch rules.
A better pattern is fast, reviewable access for the right repo. For the detail, read why blanket GitHub write access is risky.
GitHub Teams can express the model. The hard part is reviewing and cleaning access across many repos and teams once direct grants and exceptions have built up. repod gives you one review surface, bulk edits, and a safer change path.
For the access model decision, read GitHub Team permissions vs direct repository access.
Repod provides Terraform-like governance outcomes for GitHub access management without requiring teams to adopt GitHub-as-code. Terraform is better for engineering teams that want GitHub org resources fully declared in code. repod is better for teams that need visibility, audit evidence, access cleanup, compliance workflows, and safe guided remediation.
For the lighter operating path, read how to export, review, and apply GitHub repo-team access changes.
It is similar in the narrow sense that YAML can describe desired access outcomes, and repod can preview and apply controlled changes. It is not Terraform: repod does not use Terraform state, providers, or a full GitHub-org-as-code lifecycle.
Repod's YAML workflow is an operational control layer for team-repo permissions, team settings and hierarchy, team memberships, and direct-collaborator exceptions. The difference is that repod wraps those changes in review, risk warnings, RBAC, audit evidence, and compliance context.
Use gh-iga when you want a local scanner, github-org-manager when your org is ready for YAML-based org management, and safe-settings when continuous repository settings enforcement is the main job. repod fits when GitHub access policy needs a reviewable workflow: direct grants, private repo coverage, team ownership, delegated review, controlled cleanup, and audit evidence.
Read the detailed comparisons: repod vs gh-iga, repod vs github-org-manager, and repod vs safe-settings.
repod supports fine-grained GitHub PAT auth and GitHub App beta. Audit/read mode uses read-oriented access to org settings, repository metadata, members, teams, and repo-team permission state. Write mode is only needed when you ask repod to apply changes.
repod operates on GitHub organization metadata and access-control state. It does not clone repositories or process source code contents in normal operation. For setup details, read the GitHub fine-grained PAT scopes for repod.
repod is built around previewing repo-team changes before apply so you can inspect removals, new team mappings, and the exact changes that will be pushed back to GitHub.
For the detailed workflow, read how to export, review, and apply GitHub repo-team access changes.
Start with the Security, Subprocessors, DPA, Vulnerability Disclosure, Privacy, Terms, and Trust Pack pages.
repod does not currently hold SOC 2, ISO 27001, or Cyber Essentials accreditation. The trust pages document the current controls without claiming external certification.