Requirements for listing an app on GitHub Marketplace

Apps on GitHub Marketplace must meet several requirements before they can be listed.

Note: Before your app can be listed on GitHub Marketplace you must read and accept the terms of the Marketplace Developer agreement. The agreement can be found within your listing management page on GitHub.

General requirements

  • OAuth Apps should have a minimum of 1000 users.
  • GitHub Apps should have a minimum of 250 installations.
  • Apps must be publicly available (neither in beta nor invite-only) and purchasable through GitHub Marketplace.
  • Apps must follow GitHub's brand guidelines and GitHub Marketplace marketing requirements (specifically logo usage). For more information, see "Guidelines for creating a GitHub Marketplace listing."
  • Apps cannot actively persuade users away from GitHub.
  • Any marketing materials for the app must accurately represent the behavior of the app.
  • Apps must include links to user-facing documentation that describe how to set up and use the app.

Security requirements

  • Apps must allow network communications over the public internet using TLS-based HTTPS or SSH for Git.
  • Apps must agree to delete GitHub user data within 30 days upon valid request by the user or once the legal relationship with GitHub has ended.
  • Apps can't require the user to send their GitHub password to the partner.
  • You must complete GitHub's Marketplace Security Review process. For information on the review process, contact marketplace@github.com.

Disclosure requirements

  • You must provide GitHub with a written record of the authentication method and the scopes that are required.
  • You must confirm that you're not requesting more scopes or GitHub access than is needed for the app to perform its intended functionality, taking OAuth limitations and use of GitHub Apps into account.
  • You must disclose the use of any third-party services or infrastructure, such as SaaS, PaaS, or IaaS.
  • You must confirm that an incident response procedure exists.
  • You must attest to a method of key/token handling.
  • You must attest that you have a responsible disclosure policy and process in place or plans to implement one within six months.
  • You must attest that you have a vulnerability management workflow or program.
  • You must attest that you have logging and monitoring capabilities. You must also provide evidence that any relevant app logs are retained for at least 30 days and archived for at least one year.