Github App Permissions
Arnica is installed as a GitHub App with the minimum permissions required to operate its full functionality. This article explains why each permission is required.
GitHub allows applications to request 3 types of permissions: Organization, Repository and Account.
The following read-only organization permissions are used for the enrichment of Arnica's behavioral analysis:
Administration: view access to an organization.
Blocking users: view users blocked by the organization.
Plan: view organization's plan.
Projects: view organization's projects.
Self-hosted runners: view the self-hosted runners available to an organization.
Team discussions: view team discussions and related comments.
Webhooks: view the post-receive hooks for an organization.
Arnica requires a read and write permission for Members (organization members and teams) in order to remove and create .
The following read-only repository permissions are used for the enrichment of Arnica's behavioral analysis:
Actions: view workflows, workflow runs and artifacts.
Checks: view checks associated with the repository.
Code scanning alerts: view code scanning alerts.
Commit statuses: view and compare the status of each commit.
Dependabot alerts: retrieve Dependabot alerts.
Deployments: view deployments and their statuses.
Discussions: view discussions and related comments.
Environments: view repository environments.
Issues: view issues and related comments, assignees, labels, and milestones.
Metadata: search repositories, list collaborators, and access repository metadata.
Packages: view packages published to the GitHub Package Platform.
Pages: retrieve Pages statuses, configuration and builds.
Projects: view classic projects within the repository.
Secret scanning alerts: view alerts related to secrets scanning.
Webhooks: view post-receive hooks for the repository.
Each read and write repository permission is associated with a mitigation Arnica performs:
Administration: The feature requires this permission in order to manage permissions to the repository.
Contents: Arnica's operator can , which requires access to the source code. Additionally, Arnica's feature, which is configured to notify only by default, can create a branch of the mitigated secret and offer it to the developer through the integrated communication channel.
Pull Requests: view, create and add comments to pull requests. This functionality complements the Contents permission.
Workflows: update GitHub Actions workflow files via pull request.
The following read-only account permission is used for authenticating users via GitHub:
Email addresses: view the Arnica operator's email address.
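As an added example that is not part of Arnica's documentation or code, the following Python script compares the permissions actually granted to a GitHub App installation against the least-privilege baseline listed on this page, so an organization administrator can spot permissions granted beyond what the app is documented to need, or a required permission that was not granted. The installation record is a constructed sample shaped like the `permissions` object the GitHub REST API returns for an app installation; the snake_case permission keys and the mapping from the names on this page to those keys are assumptions of this example, not something the page states.

```python
import json

# Access levels GitHub uses for app permissions, ordered for comparison.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Least-privilege baseline reconstructed from the page. The snake_case keys
# are the names the GitHub REST API uses for installation permissions; that
# mapping is an assumption of this example.
EXPECTED = {
    # organization permissions, read-only
    "organization_administration": "read",
    "organization_user_blocking": "read",
    "organization_plan": "read",
    "organization_projects": "read",
    "organization_self_hosted_runners": "read",
    "team_discussions": "read",
    "organization_hooks": "read",
    # organization permissions, read and write
    "members": "write",
    # repository permissions, read-only
    "actions": "read",
    "checks": "read",
    "code_scanning_alerts": "read",
    "statuses": "read",
    "vulnerability_alerts": "read",      # Dependabot alerts
    "deployments": "read",
    "discussions": "read",
    "environments": "read",
    "issues": "read",
    "metadata": "read",
    "packages": "read",
    "pages": "read",
    "repository_projects": "read",
    "secret_scanning_alerts": "read",
    "repository_hooks": "read",
    # repository permissions, read and write
    "administration": "write",
    "contents": "write",
    "pull_requests": "write",
    "workflows": "write",
    # account permissions, read-only
    "emails": "read",
}


def audit_permissions(granted, expected=EXPECTED):
    """Compare granted installation permissions with the baseline.

    Returns (excess, missing): excess maps a permission name to
    (expected_level, granted_level) where the grant exceeds the baseline;
    missing maps a permission name to (expected_level, granted_level) where
    the baseline level is not met. Unknown level strings count as "none".
    """
    excess = {}
    missing = {}
    for name, have in granted.items():
        want = expected.get(name, "none")
        if LEVELS.get(have, 0) > LEVELS[want]:
            excess[name] = (want, have)
    for name, want in expected.items():
        have = granted.get(name, "none")
        if LEVELS.get(have, 0) < LEVELS[want]:
            missing[name] = (want, have)
    return excess, missing


# Constructed sample installation record (placeholder id and slug), built
# from the baseline with three deliberate deviations: deployments granted
# write instead of read, secret_scanning_alerts not granted at all, and
# members granted only read although the page requires write.
_sample_perms = dict(EXPECTED)
_sample_perms["deployments"] = "write"
del _sample_perms["secret_scanning_alerts"]
_sample_perms["members"] = "read"
SAMPLE_INSTALLATION = json.loads(json.dumps({
    "id": 0,
    "app_slug": "example-app-placeholder",
    "permissions": _sample_perms,
}))


if __name__ == "__main__":
    excess, missing = audit_permissions(SAMPLE_INSTALLATION["permissions"])
    for name, (want, have) in sorted(excess.items()):
        print(f"EXCESS  {name}: granted {have}, baseline {want}")
    for name, (want, have) in sorted(missing.items()):
        print(f"MISSING {name}: granted {have}, baseline {want}")
```

In practice the `permissions` object would come from the installation record returned by the GitHub REST API for the organization; running the audit on a schedule, or whenever GitHub emits an installation event for a permissions change, turns the list on this page into a check that the app has not silently been granted more than it needs.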