Data access & permissions

Before you connect anything, here is exactly what ShipReady Metrics reads from each system — the scopes it requests, what it pulls, and which scores that data feeds.

What is kept is narrower than what is read — and the detail matters more than the slogan:

  • Your source code is never stored. No repository is ever cloned. A short, fixed list of manifest files is fetched, parsed in memory to detect runtime versions, and discarded — file contents are never written down.
  • The scoring inputs behind each run are aggregates: counts, ratios, and totals.
  • Supporting metrics do carry identifiers, where a number is only useful attached to the thing it describes. Per-repository breakdowns carry repository names; contributor breakdowns carry the contributor name from your source system; findings carry the affected resource. A finding you can’t name is a finding nobody can fix.
Source code never stored Credentials encrypted at rest (AES-256-GCM)

DevOps & Code

GitHub

Available now

Personal access token (fine-grained, read-only)

Scopes requested

Contents (read)Metadata (read)Pull requests (read)Actions (read)Organization (read)

Scores it feeds

Delivery HealthTechnical DebtIT ModernizationLifecycle RiskSecurity Readiness

What it reads

Org/user, repositories, branches & protection, commits, pull requests (open age, merged, review & cycle time), issues, releases, Actions workflows/runs (failures, duration), deployments where available, contributors, stale repos, repo file-tree signals for containers/IaC/platform artifacts, runtime version files, Dependabot/code-scanning/secret-scanning alerts.

GitLab

Available — setup required

Personal or group access token (read_api)

Scopes requested

read_apiread_repository

Scores it feeds

Delivery HealthTechnical DebtSecurity Readiness

What it reads

Groups, projects, merge requests (open + merged + cycle time), pipelines & failures, deployments, releases, vulnerability findings (where licensed), stale projects.

Gitea

Available — setup required

Access token (read-only)

Scopes requested

read:repositoryread:userread:organization

Scores it feeds

Delivery HealthTechnical Debt

What it reads

Accessible repositories (active/stale by last update), pull requests (open + merged 30d + merge cycle time), releases, and CI-workflow presence (.gitea/workflows or .github/workflows) across a repo sample. Gitea exposes no vulnerability-scan API, so Security Readiness is omitted rather than faked.

Vercel

Available — setup required

Access token

Scopes requested

Read projectsRead deployments

Scores it feeds

Delivery Health

What it reads

Projects and the last 30 days of deployments: production deployment frequency (per week), change-failure rate (failed vs. successful production deploys), and average build duration. Vercel exposes no commit timestamp, so commit→prod lead time is omitted (not faked), and it has no vulnerability-scan API, so Security Readiness is not fed.

Atlassian (Jira + Bitbucket)

Available — setup required

Jira API token (+ optional Bitbucket app password)

Scopes requested

read:jira-workread:jira-userrepository:readpipeline:read

Scores it feeds

Delivery Health

What it reads

Jira: projects, 30-day throughput, created→resolved lead time, open/aging issues. Bitbucket (optional): repository count + pipeline cadence & failure rate across a repo sample.

Azure DevOps

Available — setup required

Personal Access Token (read-only)

Scopes requested

Code (read)Build (read)Work Items (read)Project & Team (read)

Scores it feeds

Delivery HealthTechnical Debt

What it reads

Organization + projects, Git repositories, completed builds over the last 30 days (deployment frequency + change-failure rate), and Boards work items (30-day throughput, created→closed lead time, open/aging) for Delivery Health; plus, across a repository sample, latest-commit staleness (legacy-code debt), build-pipeline coverage (test debt), and branch-policy coverage (architecture debt) for Technical Debt.

Cloud

Supabase

Available — setup required

Personal access token

Scopes requested

Read projectsRead security advisors

Scores it feeds

Security ReadinessCloud HealthLifecycle Risk

What it reads

Projects (count + health status), each project's security-advisor lints by severity (ERROR→high, WARN→medium) as findings, and the Postgres engine version per project for the End-of-Life inventory. Advisor counts drive Security Readiness; a derived posture + project-health ratio feed Cloud Health.

Amazon Web Services

Available — setup required

Read-only access key (SecurityAudit + ViewOnlyAccess)

Scopes requested

SecurityAuditViewOnlyAccess

Scores it feeds

Security ReadinessCloud Health

What it reads

STS caller identity (validate), Security Hub active findings bucketed by severity (critical/high/medium), and Cost Explorer last-30-day unblended spend.

Microsoft Azure

Available — setup required

Entra ID service principal (Reader + optional Security Reader)

Scopes requested

ReaderSecurity Reader

Scores it feeds

Cloud HealthSecurity Readiness

What it reads

Subscription + resource-group + resource inventory (by type), Defender secure score, Defender security assessments (unhealthy = findings), and Advisor recommendations (cost / reliability / operational).

Google Cloud

Available — setup required

Service account key (Viewer + SCC Findings Viewer)

Scopes requested

roles/viewerroles/securitycenter.findingsViewer

Scores it feeds

Security ReadinessCloud Health

What it reads

Project info + Compute instance inventory, and (with an organization ID) Security Command Center active findings bucketed by severity.

Oracle Cloud Infrastructure

Available — setup required

API signing key on a read-only IAM group

Scopes requested

inspect all-resourcesread cloud-guard-familyread database-familyread usage-reportsread metricsread alarms

Scores it feeds

Cloud HealthSecurity ReadinessLifecycle Risk

What it reads

Authenticating user (validate), compartments, IAM users/groups/policies, Cloud Guard open problems bucketed by risk level (critical/high/medium), monitoring alarms + firing status, resource inventory count (Resource Search), Usage API last-30-day spend, and Oracle Database service posture: Autonomous Database + DB system availability, database versions (→ EOL inventory), and automatic-backup status.

Datadog

Available — setup required

API key + read-scoped application key

Scopes requested

monitors_readslos_readincidents_readusage_read

Scores it feeds

Delivery HealthCloud Health

What it reads

Current user validation, one bounded page of monitors and SLOs, bounded 30-day incidents, and optional usage-cost summaries. Licensed or unavailable endpoints are omitted rather than treated as clean.

Dynatrace

Available — setup required

Environment API token

Scopes requested

entities.readproblems.readslo.read

Scores it feeds

Delivery HealthCloud Health

What it reads

Environment validation, service count, bounded 30-day problems, and bounded SLO summaries. Missing scopes or licensed endpoints are tolerated and omitted.

Elastic

Available — setup required

Read-only API key or basic auth

Scopes requested

cluster monitoralerting readsecurity detections read

Scores it feeds

Cloud HealthSecurity Readiness

What it reads

Cluster health, one bounded alert-rule page, and size-zero detection aggregations by severity when Elastic Security is available.

OpenSearch

Available — setup required

Read-only API key or basic auth

Scopes requested

cluster monitoralerting readsecurity analytics read

Scores it feeds

Cloud HealthSecurity Readiness

What it reads

Cluster health, bounded Alerting monitor/alert summaries, and size-zero Security Analytics severity aggregations where installed.

Splunk

Available — setup required

Splunk bearer token

Scopes requested

server info readsaved searches readalerts readindexes read

Scores it feeds

Cloud HealthSecurity Readiness

What it reads

Server info validation, one bounded page of saved searches, one bounded page of fired alerts, and optional index counts. Raw search results and event bodies are never requested.

AI & Data

AI Spend (OpenAI + Anthropic)

Available — setup required

Provider admin API key(s) (read-only cost/usage)

Scopes requested

openai:cost:readanthropic:cost:read

Scores it feeds

AI ROI (spend)

What it reads

Trailing 30-day cost per provider (OpenAI, Anthropic), normalized to a monthly figure, into ai.spend.monthly_usd (per provider) + ai.spend.total_monthly_usd metrics.

Why you can trust this list

Every scope above is rendered directly from the same connector definitions the product enforces at connect time — this page can’t claim access the app doesn’t actually request. For how each score is computed from this data, see the methodology; for isolation, encryption, and subprocessors, see Trust & Security. Questions about a specific scope? info@persooninc.com.

Running a formal security review, or need a DPA, the subprocessor list, and SSO/SCIM before you roll this out? Talk to us about enterprise.

When you disconnect

Disconnecting a source removes the connector and permanently deletes its stored credentials right away. Scores and metrics already computed from it stay in your organization's history — that data is removed when you close the account or request erasure. For full retention horizons and deletion paths, see the Trust & Security data-retention policy.

See it on your own data

Connect a source and your Executive Overview populates as the first sync completes — about a minute for small orgs, several minutes for large estates.

Get your trial report