> For the complete documentation index, see [llms.txt](https://docs.arnica.io/arnica-documentation/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.arnica.io/arnica-documentation/getting-started/scm-integrations/github/github-app-permissions.md).

# GitHub App Permissions

## Overview <a href="#h_d886b6d9fd" id="h_d886b6d9fd"></a>

Arnica is installed as a [GitHub App](https://github.com/marketplace/arnica-software-supply-chain-security) with the minimum set of permissions required to operate its full functionality. This article explains why each permission is required, so that an organization administrator can check the grants shown on the installation page against the features actually in use.

## Permissions Breakdown <a href="#h_a0dddf187f" id="h_a0dddf187f"></a>

GitHub allows an app to request three types of permissions: Organization, Repository and Account. Each permission is granted at either read-only or read-and-write level; the read-and-write grants are the ones to scrutinize, because they let the app change state in the organization.

### Organization permissions <a href="#h_96ec3c84fd" id="h_96ec3c84fd"></a>

The following read-only organization permissions are used to enrich Arnica's behavioral analysis:

* Administration: view access to an organization.
* Blocking users: view users blocked by the organization.
* Plan: view organization's plan.
* Projects: view organization's projects.
* Self-hosted runners: view the self-hosted runners available to an organization.
* Team discussions: view team discussions and related comments.
* Webhooks: view the post-receive hooks for an organization.

Arnica requires read-and-write permission on Members (organization members and teams) in order to remove [stale users](https://docs.arnica.io/arnica-documentation/git-posture/hardening/what-are-stale-users) and to create [Arnica-managed Teams in certain permission mitigations](https://docs.arnica.io/arnica-documentation/git-posture/mitigations/github-permissions-mitigations). Because this permission can change organization membership and team composition, it is the broadest grant in the list. Deprecation notice: this functionality will be removed once all of Arnica's tenants are migrated.

### Repository permissions <a href="#h_bee16fdfa4" id="h_bee16fdfa4"></a>

The following read-only repository permissions are used to enrich Arnica's behavioral analysis:

* Actions: view workflows, workflow runs and artifacts.
* Checks: view checks associated with the repository.
* Code scanning alerts: view code scanning alerts.
* Commit statuses: view and compare the status of each commit.
* Dependabot alerts: retrieve Dependabot alerts.
* Deployments: view deployments and their statuses.
* Discussions: view discussions and related comments.
* Environments: view repository environments.
* Issues: view issues and related comments, assignees, labels, and milestones.
* Metadata: search repositories, list collaborators, and access repository metadata.
* Packages: view packages published to GitHub Packages.
* Pages: retrieve Pages statuses, configuration and builds.
* Projects: view classic projects within the repository.
* Secret scanning alerts: view alerts related to secrets scanning.
* Webhooks: view post-receive hooks for the repository.

Each read-and-write repository permission is tied to a mitigation Arnica performs:

* Administration: the [automated permission provisioning](https://docs.arnica.io/arnica-documentation/git-posture/self-service-and-automation/automated-permission-provisioning) feature requires this permission in order to manage permissions on the repository. Deprecation notice: this functionality will be removed once all of Arnica's tenants are migrated.
* Contents: Arnica's operator can [create a Pull Request when CODEOWNERS files are created or modified](https://docs.arnica.io/arnica-documentation/git-posture/mitigations/github-permissions-mitigations), which requires access to the source code. Additionally, Arnica's [hardcoded secrets mitigation](https://docs.arnica.io/arnica-documentation/hardcoded-secrets/secret-detection) feature, which is configured to notify only by default, can create a branch containing the mitigated secret and offer it to the developer through the integrated communication channel.
* Pull Requests: view and create pull requests and add comments to them. This permission complements the Contents permission: a branch pushed with Contents is only useful if Arnica can also open the pull request that proposes it.
* Workflows: update GitHub Actions workflow files via pull request. GitHub requires this permission separately from Contents for any change under `.github/workflows/`.

### Account permissions <a href="#h_157aaf170c" id="h_157aaf170c"></a>

The following read-only account permission is used for authenticating users via GitHub:

* Email addresses: view the Arnica operator's email address.
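The breakdown above is the documented least-privilege set; what an administrator actually wants is a check that the installed app has not drifted from it, for example after an app update requested extra scopes. The following script is an added example and is not Arnica's code. It transcribes the permissions listed on this page into the key names GitHub's REST API uses in an installation's `permissions` object (an assumption drawn from the API documentation; confirm the names against a live response), then diffs a sample installation against that set. The sample installation is constructed for the demonstration and deliberately drifts in three ways.

```python
"""Audit a GitHub App installation's granted permissions against the
documented least-privilege set.

Added example, not Arnica's code. The permission keys are assumed to be
the names GitHub's REST API uses in an installation's ``permissions``
object; the sample installation below is constructed, not real data.
"""
import json
import urllib.request

# Expected grants, transcribed from the permissions breakdown on this page.
# Values are the access level GitHub reports: "read" or "write".
EXPECTED = {
    # Organization permissions
    "organization_administration": "read",
    "organization_user_blocking": "read",
    "organization_plan": "read",
    "organization_projects": "read",
    "organization_self_hosted_runners": "read",
    "team_discussions": "read",
    "organization_hooks": "read",
    "members": "write",
    # Repository permissions
    "actions": "read",
    "checks": "read",
    "security_events": "read",        # code scanning alerts
    "statuses": "read",               # commit statuses
    "vulnerability_alerts": "read",   # Dependabot alerts
    "deployments": "read",
    "discussions": "read",
    "environments": "read",
    "issues": "read",
    "metadata": "read",
    "packages": "read",
    "pages": "read",
    "repository_projects": "read",
    "secret_scanning_alerts": "read",
    "repository_hooks": "read",
    "administration": "write",
    "contents": "write",
    "pull_requests": "write",
    "workflows": "write",
    # Account permissions
    "email_addresses": "read",
}

LEVEL = {"read": 1, "write": 2}


def audit(granted, expected=EXPECTED):
    """Compare granted permissions with the expected set.

    Returns a dict with three sorted lists:
      missing   - expected permissions the installation lacks, or holds at a
                  lower level than documented (the feature will not work)
      excess    - permissions granted that the documentation never mentions
      escalated - permissions granted at write where only read is expected
    All three lists empty means the installation matches the documented set.
    """
    missing, excess, escalated = [], [], []
    for name, want in expected.items():
        have = granted.get(name)
        if have is None or LEVEL.get(have, 0) < LEVEL[want]:
            missing.append(name)
        elif LEVEL[have] > LEVEL[want]:
            escalated.append(name)
    for name in granted:
        if name not in expected:
            excess.append(name)
    return {"missing": sorted(missing),
            "excess": sorted(excess),
            "escalated": sorted(escalated)}


def fetch_installations(org, token):
    """List the apps installed on an organization via the GitHub REST API
    (GET /orgs/{org}/installations). Needs an org-admin token; it is not
    called by the offline demo below."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/installations",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["installations"]


# Constructed sample in the shape GitHub returns for one installation.
# It drifts from the documented set in three ways: "pages" is absent,
# "issues" is granted at write, and "secrets" is granted but undocumented.
SAMPLE_INSTALLATION = {
    "app_slug": "arnica-software-supply-chain-security",
    "permissions": {
        **{k: v for k, v in EXPECTED.items() if k != "pages"},
        "issues": "write",
        "secrets": "read",
    },
}


def audit_sample():
    """Run the audit over the constructed sample installation."""
    return audit(SAMPLE_INSTALLATION["permissions"])


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Against a real tenant, replace `SAMPLE_INSTALLATION["permissions"]` with the `permissions` object of the installation whose `app_slug` matches the Arnica app, as returned by `fetch_installations`. An entry in `escalated` or `excess` is the signal to review: it is a grant this page does not account for.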
