Can Codowave Run on Private GitHub Repos?
Yes. Codowave is designed to work with private GitHub repositories — that's the most common setup for production codebases. Here's exactly how it works, what access Codowave requests, and what controls you have.
Start your 5-day trialHow Codowave Accesses Your Private Repo
Codowave uses the GitHub App model. When you install Codowave, you authorize a GitHub App — not a personal access token — on specific repositories you select.
GitHub Apps have a well-defined, scoped permission model:
| Permission | Scope | Why Codowave Needs It |
|---|---|---|
| Issues | Read + Write | Read backlog issues, post clarifying comments |
| Pull requests | Read + Write | Open PRs with implementation, post run summaries |
| Contents | Read + Write | Read your code, write implementation branches |
| Actions | Read | Read CI status to determine merge eligibility |
| Checks | Read | Read check run results (lint, type check, tests) |
| Metadata | Read | Repo name, description, default branch |
Codowave does not request:
- Admin permissions
- Org-level access beyond the repos you explicitly authorize
- Access to other services (AWS, Slack, Jira) unless you set up integrations
You choose which repos to grant access to during the GitHub App installation flow. Codowave only sees those repos.
What Codowave Does With Your Code
When Codowave runs on an issue, it:
- Clones your repo into an isolated, ephemeral container
- Reads files relevant to the issue (based on Planner's codebase search)
- Writes code in that container
- Runs your CI test suite inside the container
- Pushes a branch to your repo
- Opens a PR
- Destroys the container when the run completes
Your code is processed in the container for the duration of the run (typically 15-45 minutes) and then the container is destroyed. Codowave does not retain a persistent copy of your codebase between runs.
What Codowave does retain:
- Pattern memory — a structured representation of your repo's conventions (naming patterns, file organization, test structure). This is not your raw code — it's a learned model derived from your code.
- Run logs — logs of each agent run (what the Planner decided, what the Coder changed, what the Reviewer flagged). These are retained for replay and audit purposes.
Data Storage and Security
Where your code is processed: Codowave's cloud infrastructure (AWS, US-based by default). For Enterprise customers, on-prem deployment is available — your code never leaves your infrastructure.
Encryption: Code data is encrypted in transit (TLS) and at rest (AES-256).
Isolation between customers: Each run executes in a separate container. Container networking is restricted — your run cannot access other customers' containers or data.
Run logs: Stored and accessible only to users in your Codowave organization. Not shared with other customers or used to train models.
Enterprise: Code Never Leaves Your Infrastructure
For organizations with strict data residency requirements, Codowave's Enterprise plan offers on-premises deployment. In this configuration:
- Codowave's agent software runs inside your infrastructure (Docker/Kubernetes)
- Your code is cloned into containers running in your environment
- Nothing is sent to Codowave's cloud except run status and billing events
- You manage the compute; we provide the container images and deployment guide
Contact us at enterprise@codowave.com for on-prem details.
GitHub App vs. Personal Access Token: Why It Matters
Some older tools (and DIY setups) use personal access tokens (PATs) for GitHub access. PATs have a major security downside: they carry the full permissions of the user who created them, and they can't be scoped to specific repos.
Codowave uses the GitHub App model specifically because:
- Permissions are explicit and repo-scoped (you see exactly what's requested)
- You can revoke access per-repo without affecting other repos
- The app operates under its own identity, not under a user's identity
- GitHub logs all app activity separately from user activity
You can review and revoke Codowave's GitHub App access at any time from GitHub's "Installed GitHub Apps" settings page.