Generate compliance audit evidence
Every LGTM review is a timestamped, immutable audit log entry. Export per-repo or per-quarter as JSON or CSV for SOC2, ISO 27001, or DPDP evidence.
Auditor asks: 'show me evidence of code review for every production change'. Manually compiling this from GitHub PRs takes days. LGTM's audit log provides it in one click.
What's in the audit log
Every review LGTM runs produces a log entry with: timestamp (ISO 8601 UTC), repo + PR number + commit SHA, review verdict (APPROVE / REQUEST_CHANGES / COMMENT), findings count by severity, models used per agent, BYOK provider used, total tokens consumed, human reviewer disposition (was the review accepted, dismissed, overridden).
Immutability: log entries are append-only in MongoDB with a separate write-only API. Even LGTM staff can't modify a past entry; the auditor can verify this by reading the schema + cross-checking against GitHub's PR history.
Retention: 7 years for Pro plan accounts, indefinite for Enterprise. Free plan retains 90 days (sufficient for quarterly audits, not for compliance frameworks requiring multi-year retention).
What compliance frameworks ask for
SOC2 Type II — Control CC7.1 ('logical and physical access') and CC6.1 ('logical access') require evidence that changes to production code go through review. The LGTM audit log shows: every PR was reviewed (AI verdict), severity of findings, whether the merge was gated.
ISO 27001 Annex A.14.2.2 ('System change control procedures') requires controlled change management. LGTM's audit log provides the 'controlled' part: every change has a documented review trail.
PCI-DSS 6.4 ('Change control processes') — same as ISO 27001's clause. LGTM evidence satisfies the review-trail requirement; you still need separate evidence for the change-approval part (CODEOWNERS / human approval).
DPDP Act 2023 Section 24 ('reasonable security safeguards') — requires evidence that the data fiduciary takes reasonable steps to protect personal data. Demonstrating code review for changes affecting personal-data handling code is supporting evidence.
Export formats
JSON export: full structured log, per-review. Includes all fields above + the raw finding list. Suitable for piping into your SIEM / compliance tool / data warehouse.
CSV export: one row per review. Useful for spreadsheet-driven auditors. Columns: timestamp, repo, PR, verdict, findings_count, blocker_count, model, token_count.
Date range + repo filter on export. Pull 'all Q3 2026 reviews on auth-service repo' as one export — auditor's request fulfilled in 10 seconds.
Cross-referencing with GitHub PR history
LGTM's audit entries link to GitHub PR URLs. An auditor can pick any entry, click through to the actual GitHub PR, and verify that the review comment and commit history match the entry.
Inverse direction: from GitHub, the LGTM Check Run includes a link back to LGTM's audit-log entry for that review.
For compliance teams: this round-trip means the LGTM log is verifiable against external evidence (GitHub PRs), not just self-attesting. Strengthens the audit story significantly.
Configuration examples: one audit-log entry as it appears in the JSON export
{
  "id": "rev_abc123",
  "timestamp": "2026-09-15T13:47:22.341Z",
  "repo": "myorg/auth-service",
  "pr_number": 1247,
  "commit_sha": "8e5e7e5d6b48f1abe9d11d162cffe11abe611ac5",
  "verdict": "REQUEST_CHANGES",
  "findings": {
    "blocker": 1,
    "critical": 0,
    "high": 3,
    "medium": 5,
    "low": 2
  },
  "agents": {
    "bugs": { "model": "gpt-5.4", "tokens": 4127 },
    "security": { "model": "claude-opus-4.7", "tokens": 5220 },
    "performance": { "model": "gpt-5.4-mini", "tokens": 1840 },
    "readability": { "model": "claude-haiku-4.5", "tokens": 1120 },
    "best_practices": { "model": "gpt-5.4-mini", "tokens": 1950 },
    "documentation": { "model": "claude-haiku-4.5", "tokens": 980 }
  },
  "providers_used": ["openai", "anthropic"],
  "github_url": "https://github.com/myorg/auth-service/pull/1247",
  "human_disposition": "addressed"
}
FAQs
Is the audit log admissible as compliance evidence?
Auditors generally accept third-party SaaS audit logs as supporting evidence (not standalone). Combine LGTM's log with GitHub's PR history + your internal change-management records for a complete picture. Most SOC2 / ISO 27001 auditors are satisfied with this combination.
Can I customize the log fields?
Standard schema is fixed (auditor-trusted). Custom metadata: yes — attach tags via the LGTM API on review completion (e.g., 'change_ticket: JIRA-1234'). Tags appear in export.
What about deleted PRs or force-pushed commit SHAs?
Audit entries persist independently of GitHub state. If a PR is deleted on GitHub, LGTM's entry stays. The GitHub URL becomes a 404 but the entry includes the commit SHA + diff hash so the artifact is still identifiable.
How do I prove the log wasn't tampered with?
Daily SHA-256 hash of the previous day's log entries gets logged separately + published to a public location (currently planned: GitHub repo). Auditors can verify the hash chain against the current log to confirm no past-day modifications.
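The two checks an auditor actually runs against this export, as an added example that is not LGTM's own code: reconcile merged PRs against audit entries (the cross-referencing section above) and recompute the daily SHA-256 hash chain (this FAQ). The page does not specify how the daily hash is constructed, so the canonicalization and chaining below are assumptions, and the export rows are constructed samples in the entry shape shown earlier.

```python
import hashlib
import json

# Constructed sample export rows in the shape of the JSON entry shown on this page (not real data).
EXPORT = [
    {"id": "rev_a1", "timestamp": "2026-09-14T09:00:00.000Z", "repo": "myorg/auth-service",
     "pr_number": 1240, "commit_sha": "1" * 40, "verdict": "APPROVE", "human_disposition": "accepted"},
    {"id": "rev_b2", "timestamp": "2026-09-15T13:47:22.341Z", "repo": "myorg/auth-service",
     "pr_number": 1247, "commit_sha": "8e5e7e5d6b48f1abe9d11d162cffe11abe611ac5",
     "verdict": "REQUEST_CHANGES", "human_disposition": "addressed"},
]


def canonical(entry):
    """Deterministic JSON bytes so two tools hash an entry identically (assumed canonicalization)."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def daily_hash_chain(entries):
    """Return {day: hex digest}. Each day's digest covers that day's entries plus the previous
    day's digest, so editing any past day changes every digest after it (assumed chaining)."""
    by_day = {}
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        by_day.setdefault(e["timestamp"][:10], []).append(e)
    chain, prev = {}, b""
    for day in sorted(by_day):
        h = hashlib.sha256(prev)
        for e in by_day[day]:
            h.update(canonical(e))
        chain[day] = h.hexdigest()
        prev = chain[day].encode()
    return chain


def verify_chain(entries, published):
    """Days whose recomputed digest differs from the published one: evidence of past-day edits."""
    recomputed = daily_hash_chain(entries)
    return sorted(d for d in published if recomputed.get(d) != published[d])


def unreviewed_merges(entries, merged_prs):
    """Merged PRs (repo, pr_number) with no audit entry: the gaps an auditor will ask about.
    merged_prs is the list you pull from GitHub's PR history for the audit period."""
    reviewed = {(e["repo"], e["pr_number"]) for e in entries}
    return sorted(set(merged_prs) - reviewed)
```

Run `daily_hash_chain` over yesterday's export and compare it with the published digest; a mismatch on one day propagates to every later day, which is what makes the chain tamper-evident rather than merely a per-day checksum.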
Free plan vs Pro retention?
Free: 90 days. Pro: 7 years. Enterprise: indefinite. Choose based on your compliance framework's retention requirement (most are 2-7 years).