# GitHub App Permissions

## Overview <a href="#h_d886b6d9fd" id="h_d886b6d9fd"></a>

Arnica is installed as a [GitHub App](https://github.com/marketplace/arnica-software-supply-chain-security) with the minimum permissions required to operate its full functionality. This article explains why each permission is required.

## Permissions Breakdown <a href="#h_a0dddf187f" id="h_a0dddf187f"></a>

GitHub allows applications to request 3 types of permissions: Organization, Repository and Account.

### Organization permissions <a href="#h_96ec3c84fd" id="h_96ec3c84fd"></a>

The following read-only organization permissions are used for the enrichment of Arnica's behavioral analysis:

* Administration: view access to an organization.
* Blocking users: view users blocked by the organization.
* Plan: view organization's plan.
* Projects: view organization's projects.
* Self-hosted runners: view the self-hosted runners available to an organization.
* Team discussions: view team discussions and related comments.
* Webhooks: view the post-receive hooks for an organization.

Arnica requires read and write permission for Members (organization members and teams) in order to remove [stale users](https://docs.arnica.io/arnica-documentation/git-posture/hardening/what-are-stale-users) and to create [Arnica-managed Teams as part of certain permission mitigations](https://docs.arnica.io/arnica-documentation/git-posture/mitigations/github-permissions-mitigations). Deprecation notice: this functionality will be removed once all of Arnica's tenants have been migrated.

### Repository permissions <a href="#h_bee16fdfa4" id="h_bee16fdfa4"></a>

The following read-only repository permissions are used for the enrichment of Arnica's behavioral analysis:

* Actions: view workflows, workflow runs and artifacts.
* Checks: view checks associated with the repository.
* Code scanning alerts: view code scanning alerts.
* Commit statuses: view and compare the status of each commit.
* Dependabot alerts: retrieve Dependabot alerts.
* Deployments: view deployments and their statuses.
* Discussions: view discussions and related comments.
* Environments: view repository environments.
* Issues: view issues and related comments, assignees, labels, and milestones.
* Metadata: search repositories, list collaborators, and access repository metadata.
* Packages: view packages published to the GitHub Package Platform.
* Pages: retrieve Pages statuses, configuration and builds.
* Projects: view classic projects within the repository.
* Secret scanning alerts: view alerts related to secrets scanning.
* Webhooks: view post-receive hooks for the repository.

Each read and write permission is associated with a mitigation Arnica performs:

* Administration: the [automated permission provisioning](https://docs.arnica.io/arnica-documentation/git-posture/self-service-and-automation/automated-permission-provisioning) feature requires this permission in order to manage permissions on the repository. Deprecation notice: this functionality will be removed once all of Arnica's tenants have been migrated.
* Contents: Arnica's operator can [create a Pull Request when CODEOWNERS files are created or modified](https://docs.arnica.io/arnica-documentation/git-posture/mitigations/github-permissions-mitigations), which requires access to the source code. Additionally, Arnica's [hardcoded secrets mitigation](https://docs.arnica.io/arnica-documentation/hardcoded-secrets/secret-detection) feature, which is configured to notify only by default, can create a branch containing the mitigated secret and offer it to the developer through the integrated communication channel.
* Pull Requests: view, create and add comments to pull requests. This functionality complements the Contents permission.
* Workflows: update GitHub action workflow files via pull request.

### Account permissions <a href="#h_157aaf170c" id="h_157aaf170c"></a>

The following read-only account permission is used to authenticate users via GitHub:

* Email addresses: view the Arnica operator's email address.
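As an added check that is not part of the Arnica documentation or product: a short Python script that compares the permissions an installation actually reports against the manifest described on this page, so that drift (an extra scope, or a read scope that has become write) is caught when the installation is reviewed. The permission keys are assumed to follow GitHub's installation API naming, and the sample installation record is constructed.

```python
"""Audit a GitHub App installation's granted permissions against the
least-privilege manifest documented above.

Assumptions (not from the Arnica docs): permission keys follow the naming
GitHub's installation API uses in its "permissions" object, and `granted`
is that object parsed from one installation record.
"""

# Expected manifest, transcribed from this page. Keys are GitHub's API
# names (assumed); values are the access level the page says Arnica needs.
EXPECTED = {
    # organization, read-only
    "organization_administration": "read", "organization_user_blocking": "read",
    "organization_plan": "read", "organization_projects": "read",
    "organization_self_hosted_runners": "read", "team_discussions": "read",
    "organization_hooks": "read",
    # organization, read and write (deprecation pending)
    "members": "write",
    # repository, read-only
    "actions": "read", "checks": "read", "security_events": "read",
    "statuses": "read", "vulnerability_alerts": "read", "deployments": "read",
    "discussions": "read", "environments": "read", "issues": "read",
    "metadata": "read", "packages": "read", "pages": "read",
    "repository_projects": "read", "secret_scanning_alerts": "read",
    "repository_hooks": "read",
    # repository, read and write
    "administration": "write", "contents": "write", "pull_requests": "write",
    "workflows": "write",
    # account
    "emails": "read",
}

LEVEL = {"read": 1, "write": 2, "admin": 3}


def audit_permissions(granted, expected=EXPECTED):
    """Return (over, under): scopes granted beyond the manifest, and
    scopes the manifest needs that the installation lacks or has at a
    lower level (the matching feature will not work as documented)."""
    over, under = {}, {}
    for scope, level in granted.items():
        want = expected.get(scope)
        if want is None or LEVEL[level] > LEVEL[want]:
            over[scope] = level          # unexpected scope or escalated level
    for scope, want in expected.items():
        have = granted.get(scope)
        if have is None or LEVEL[have] < LEVEL[want]:
            under[scope] = want
    return over, under


# Constructed sample of a drifted installation: issues escalated to write,
# an extra "secrets" scope granted, and the workflows scope missing.
SAMPLE = dict(EXPECTED, issues="write", secrets="read")
del SAMPLE["workflows"]

if __name__ == "__main__":
    over, under = audit_permissions(SAMPLE)
    print("granted beyond manifest:", over)
    print("missing from installation:", under)
```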
