Contributors
Overview
Review contributor CLA status, trust scores, and pull request activity across your organization.
Contributors (/app/contributors) shows every GitHub user with activity on your connected repositories. Each profile combines legal coverage (CLA) and security signals (trust) so you do not need separate tools for the same person.
Contributor table
Columns typically include:
- GitHub login and profile link
- CLA status — signed, missing, or corporate coverage for the active template version
- Trust score — aggregate signal from contributor trust checks
- Latest pull request — recent PR activity on your repos
Select a contributor to open /app/contributors/[login] for their detailed history.
Contributor trust
Trust signals come from the Superagent Security app and include indicators such as:
- Identity and account signals
- Contribution origin patterns
- PR spray or bulk contribution behavior
- Other risk flags surfaced on pull requests
Trust appears on contributor profiles and on the Pull requests page per PR. Per-repo tuning is on the repository detail page.
CLA signatures
CLA data comes from the Open CLA app:
Personal signatures
An individual contributor signs a specific agreement template version. The signature hash must match the version assigned to the repository.
Corporate agreements
An organization owner signs on behalf of a GitHub org. Active org members may be covered without a personal signature when the Open CLA app has organization membership read access.
What to monitor
- New contributors on high-traffic repos without signatures
- Failed CLA checks on open pull requests
- Low trust scores on PRs touching sensitive paths
- Re-sign campaigns after you publish a new agreement template version
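One way the checks in this list could be automated over open pull requests, as an added example that is not Superagent's or Open CLA's own code or API. The record fields, the 0-100 trust scale, the threshold and the sensitive path prefixes are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Hypothetical record shapes and thresholds; the page defines no export format.
SENSITIVE_PREFIXES = (".github/workflows/", "deploy/")  # assumed sensitive paths
LOW_TRUST = 40                                          # assumed 0-100 scale

@dataclass
class PullRequest:
    repo: str
    author: str
    author_orgs: frozenset   # orgs where the author is an active member
    trust_score: int
    changed_paths: tuple
    first_time_author: bool = False

@dataclass
class ClaState:
    repo_template: dict      # repo -> template version hash assigned to it
    personal: dict           # login -> set of version hashes personally signed
    corporate: dict          # org -> set of version hashes signed by an org owner

def cla_status(pr, cla):     # signed / corporate / missing for the repo's version
    required = cla.repo_template[pr.repo]
    if required in cla.personal.get(pr.author, set()):
        return "signed"
    if any(required in cla.corporate.get(org, set()) for org in pr.author_orgs):
        return "corporate"
    return "missing"

def triage(pr, cla, high_traffic=frozenset()):   # flags for one open PR
    flags = []
    if cla_status(pr, cla) == "missing":
        flags.append("cla-check-failing")
        if cla.personal.get(pr.author):          # signed an older version only
            flags.append("re-sign-needed")
        elif pr.first_time_author and pr.repo in high_traffic:
            flags.append("new-contributor-unsigned")
    if pr.trust_score < LOW_TRUST and any(
            p.startswith(SENSITIVE_PREFIXES) for p in pr.changed_paths):
        flags.append("low-trust-sensitive-path")
    return flags

# Constructed sample data: the repo moved from template v1 to v2.
CLA = ClaState({"acme/api": "v2-hash"}, {"alice": {"v1-hash"}},
               {"partner-org": {"v2-hash"}})
PRS = [
    PullRequest("acme/api", "alice", frozenset(), 85, ("README.md",)),
    PullRequest("acme/api", "carol", frozenset({"partner-org"}), 30, ("deploy/prod.yaml",)),
    PullRequest("acme/api", "dave", frozenset(), 20, (".github/workflows/ci.yml",), True),
]
```

Here `alice` is flagged for re-signing because her signature is for the older version, while `carol` passes the CLA check through corporate coverage but is still flagged on trust.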
Signing flow
Contributors usually follow a link from a failed CLA check to authenticate with GitHub and complete signing in the hosted flow. After signing, they push a new commit or re-run checks so the PR updates.
For Dropbox Sign repositories, Superagent sends a signature request email; completion is recorded via the Dropbox Sign callback configured for that repo.
Legacy paths
- /app/governance/contributors → Contributors
- /app/protection/contributor-trust → trust data now on Contributors and Pull requests