Organizations & Private Rulesets
Pro and Enterprise subscribers can create organizations — teams that share a set of private rulesets visible only to members. Private rulesets are never indexed in public Hub search and never returned to non-members.
Quick start
# 1. Create your org (Pro/Enterprise required)
ssg orgs create my-team --name "My Team"
# 2. Invite teammates
ssg orgs invite my-team alice --role=member
ssg orgs invite my-team bob --role=admin
# 3. Push a private ruleset
ssg push --private --org my-team --name company-policies
# 4. Pull on another machine (must be a member)
ssg hub pull company-policies
Prerequisites
- Active Pro ($60/mo) or Enterprise subscription — see sigmashake.com/pricing
- ssg auth login — authenticate with GitHub (repo scope required for private repos)
Creating an organization
ssg orgs create <slug> [--name=<display-name>] [--domain=<domain>]
- slug — URL-safe identifier, 2–40 lowercase alphanumeric + hyphens (e.g. acme-corp). Cannot be changed after creation.
- name — display name shown in the hub UI (e.g. Acme Corp).
- domain — optional email domain for future SSO auto-join (e.g. acme.com).
ssg orgs create acme-corp --name "Acme Corp" --domain acme.com
# ✅ Organization created
# Slug: acme-corp
# Name: Acme Corp
# ID: <uuid>
Managing members
List members
ssg orgs members <slug>
Invite a member
ssg orgs invite <slug> <github-login> [--role=viewer|member|admin]
| Role | Can pull private rulesets | Can push private rulesets | Can invite members | Can manage org |
|---|---|---|---|---|
| viewer | ✓ | — | — | — |
| member | ✓ | ✓ | — | — |
| admin | ✓ | ✓ | ✓ | — |
| owner | ✓ | ✓ | ✓ | ✓ |
Remove a member
ssg orgs remove <slug> <github-login>
Listing your organizations
ssg orgs list
Output:
Organizations (2):
Acme Corp (acme-corp)
Role: owner Tier: pro
URL: https://hub.sigmashake.com/orgs/acme-corp
API: ssg orgs rulesets acme-corp
Platform Team (platform-team)
Role: member Tier: enterprise
URL: https://hub.sigmashake.com/orgs/platform-team
API: ssg orgs rulesets platform-team
You can also browse your organizations in the hub UI at hub.sigmashake.com/me/orgs.
Publishing private rulesets
ssg push --private --org <slug> --name <ruleset-name>
- --private — marks the ruleset as visibility=org (never public)
- --org — slug of the owning organization (you must be a member or admin)
- --name — stable ruleset name used as the hub ID (<slug>/<name>)
cd your-project
ssg push --private --org acme-corp --name ai-security-policies
# 🔒 Publishing private ruleset: acme-corp/ai-security-policies
# ✓ Pushed 12 rules
# URL: https://hub.sigmashake.com/ruleset/acme-corp/ai-security-policies
Installing private rulesets
Any org member can install a private ruleset:
ssg hub pull <ruleset-id>
The hub verifies your session is an active org member before returning the ruleset. Non-members receive a 404 (no information leakage about the ruleset's existence).
Browsing private rulesets
CLI
ssg orgs rulesets <slug>
Lists all rulesets in the org (public and private).
Hub UI
Members can browse at https://hub.sigmashake.com/orgs/<slug> after signing in. The page shows all org rulesets with CLI copy buttons.
Audit log
All org management actions (invite, remove, role change, visibility change, export) are recorded in the audit log:
ssg orgs audit <slug> [--limit=100]
Data export
Org owners can request a data export at any time (rate-limited to once per day):
ssg orgs export <slug>
# Returns a signed download URL valid for 30 days (per Private Terms)
The export includes member list and ruleset metadata. Rule bodies are not included in the export payload.
Security model
- Private rulesets (visibility=org) are excluded from all public API endpoints — /api/rulesets, /api/search, and /ruleset/:id all return 404 to non-members.
- Rule bodies are never returned unless the requester is an active member.
- Org membership is checked on every pull request — revoking access takes effect immediately.
- All role changes and visibility changes are recorded in the audit log.
- Org data is retained for 30 days after deletion per our Private Terms.
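A minimal model of the pull check described in the list above, added here as an illustration and not SigmaShake's own code. The `Hub` class, its data layout, the 404 body and the logins are assumptions; it shows that a non-member gets the same response for a private ruleset as for a missing one, and that a removal applies on the very next pull.

```python
# Illustrative model only: class name, storage layout and response shape are
# assumptions, not the hub's implementation.
from dataclasses import dataclass, field

# One shared response for "does not exist" and "not allowed to see it",
# so the status and body cannot be used as an existence oracle.
NOT_FOUND = (404, {"error": "not found"})


@dataclass
class Hub:
    members: dict = field(default_factory=dict)   # (org, login) -> role
    rulesets: dict = field(default_factory=dict)  # "org/name" -> {"visibility", "rules"}

    def pull(self, login, ruleset_id):
        rs = self.rulesets.get(ruleset_id)
        if rs is None:
            return NOT_FOUND
        if rs["visibility"] == "org":
            org = ruleset_id.split("/", 1)[0]
            # Membership is looked up on every request rather than read from
            # a cached session claim, so revocation is immediate.
            if (org, login) not in self.members:
                return NOT_FOUND
        return (200, {"id": ruleset_id, "rules": rs["rules"]})


def demo():
    # Constructed sample data.
    rid = "acme-corp/ai-security-policies"
    hub = Hub(
        members={("acme-corp", "carol"): "viewer"},
        rulesets={rid: {"visibility": "org", "rules": ["rule-1", "rule-2"]}},
    )
    before = hub.pull("carol", rid)                      # active viewer
    outsider = hub.pull("outsider", rid)                 # exists, but not a member
    missing = hub.pull("outsider", "acme-corp/no-such")  # does not exist
    del hub.members[("acme-corp", "carol")]              # models `ssg orgs remove`
    after = hub.pull("carol", rid)                       # next pull after removal
    return before, outsider, missing, after


if __name__ == "__main__":
    for label, resp in zip(("before", "outsider", "missing", "after"), demo()):
        print(label, resp)
```
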
Comparison: org-private vs own private GitHub repo
| Feature | ssg push --private --org | ssg install <github-url> |
|---|---|---|
| Hub search & discovery | ✓ (org members only) | — |
| Versioned via hub | ✓ | — |
| Audit log | ✓ | — |
| Works with private GitHub repos | — | ✓ |
| Works without hub account | — | ✓ |
| Best for | teams sharing policies | individual dev or simple CI |
See Installing from a private GitHub repo for the ssg install approach.