Frequently Asked Questions

Common questions about Specmark — how it works, what it accesses, and how to get started.

What does Specmark do?
Specmark is an engineering guardrails platform. It continuously monitors your GitHub organization for drift, supply chain risks, and insecure practices — then helps you fix violations with one-click actions. Think of it as automated compliance enforcement for your engineering standards.
How does it work?
You install the Specmark GitHub App on your organization. Specmark receives webhook events (repo created, branch protection changed, workflow deleted, etc.) and evaluates your repositories against your configured standards in real time. When something drifts out of compliance, you get notified and can fix it instantly.
What permissions does the GitHub App need?
Specmark requests: Contents (Read) to detect file presence like README and CODEOWNERS; Actions (Read) to verify CI workflows; Administration (Read + Write) to check and fix branch protection rules; Pull requests (Read + Write) to open auto-fix PRs; Issues (Read + Write) to create violation issues; Secret scanning alerts (Read) to detect exposed secrets; Members (Read) to count active contributors for billing.
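To confirm that an installed App holds no more than the permissions listed above, the added example below (not Specmark's own code) compares an installation's granted permissions with the documented set. It assumes the FAQ's labels map to GitHub's REST API permission keys as shown, that GitHub's implicit metadata read access is acceptable, and it runs on a constructed sample shaped like one entry of GET /orgs/{org}/installations.

```python
# Added example: least-privilege check of a GitHub App installation against
# the permission set documented in this FAQ. Keys are GitHub REST API names.
LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Documented in the FAQ answer above ("Read + Write" is "write" in the API).
DOCUMENTED = {
    "contents": "read",
    "actions": "read",
    "administration": "write",
    "pull_requests": "write",
    "issues": "write",
    "secret_scanning_alerts": "read",
    "members": "read",
}
# Assumption: GitHub grants every App read access to metadata, so it is
# allowed even though the FAQ does not list it.
IMPLICIT = {"metadata": "read"}

def audit_permissions(installation, documented=DOCUMENTED):
    """Return (kind, permission, granted, documented) tuples for any drift."""
    allowed = {**IMPLICIT, **documented}
    granted = installation.get("permissions", {})
    findings = []
    for name, level in sorted(granted.items()):
        want = allowed.get(name, "none")
        # Unknown level strings are treated as excess so they get reviewed.
        if LEVEL.get(level, 99) > LEVEL[want]:
            findings.append(("excess", name, level, want))
    for name, want in sorted(documented.items()):
        got = granted.get(name, "none")
        if LEVEL.get(got, 0) < LEVEL[want]:
            findings.append(("missing", name, got, want))
    return findings

# Constructed sample; the slug is a placeholder, not a value from the page.
SAMPLE = {
    "app_slug": "specmark-example",
    "permissions": {
        "metadata": "read", "contents": "write", "actions": "read",
        "administration": "write", "pull_requests": "write",
        "issues": "write", "members": "read", "organization_hooks": "read",
    },
}

if __name__ == "__main__":
    for kind, name, got, want in audit_permissions(SAMPLE):
        print(f"{kind}: {name} granted={got} documented={want}")
```

An "excess" finding means the installation can do more than this FAQ describes and is worth reviewing before approval; a "missing" finding means a documented feature will not work.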
Is my source code accessed?
No. Specmark only reads metadata — repository settings, workflow status, and file presence (whether README.md or CODEOWNERS exists). We never read, store, or process your actual source code.
How is Specmark different from GitHub's built-in features?
GitHub provides individual repo settings, but no org-wide visibility or bulk enforcement. Specmark gives you a single dashboard across all repos, continuous monitoring via webhooks, one-click bulk actions to fix violations, and configurable severity levels with alerting. It turns scattered per-repo settings into a unified compliance posture.
What is the pricing?
Free for up to 10 repositories. Pro plan is $5 per developer per month and includes unlimited repos, custom rules, Slack notifications, and auto-fix actions. A developer is any GitHub user who has committed to a repository in your org in the past 90 days.
Can I self-host Specmark?
Not currently. The SaaS platform runs on Vercel + Neon + Inngest and is not designed for self-hosting. However, the guardrails engine (packages/scorecards) is MIT-licensed and can be embedded in your own tooling or CI pipelines.
Does Specmark support GitLab or Bitbucket?
Not yet. Specmark currently supports GitHub only. GitLab support is on the roadmap. If you are interested in early access, email [email protected].
How is my data stored?
Your data is stored in a Neon Postgres database (US region). We retain compliance results for as long as your account is active, plus 30 days after deletion. We never store source code. See the Privacy Policy for full details.
How do I uninstall Specmark?
Go to your organization's GitHub settings, navigate to Installed GitHub Apps, and click Uninstall next to Specmark. Your data will be automatically deleted 30 days after uninstallation. To request immediate deletion, email [email protected].

Still have questions?

Email [email protected] or open an issue on GitHub.