Github App Permissions

Overview

Arnica is installed as a GitHub App with the minimum permissions required to operate its full functionality. This article explains why each permission is required.

Permissions Breakdown

GitHub allows applications to request three types of permissions: Organization, Repository and Account.

Organization permissions

The following read-only organization permissions are used for the enrichment of Arnica's behavioral analysis:

  • Administration: view access to an organization.

  • Blocking users: view users blocked by the organization.

  • Plan: view organization's plan.

  • Projects: view organization's projects.

  • Self-hosted runners: view the self-hosted runners available to an organization.

  • Team discussions: view team discussions and related comments.

  • Webhooks: view the post-receive hooks for an organization.

Arnica requires a read-and-write permission for Members (organization members and teams) in order to remove stale users and to create Arnica-managed Teams in certain permission mitigations. Deprecation notice: this functionality will be removed when all of Arnica's tenants are migrated.

Repository permissions

The following read-only repository permissions are used for the enrichment of Arnica's behavioral analysis:

  • Actions: view workflows, workflow runs and artifacts.

  • Checks: view checks associated to the repository.

  • Code scanning alerts: view code scanning alerts.

  • Commit statuses: view and compare the status of each commit.

  • Dependabot alerts: retrieve Dependabot alerts.

  • Deployments: view deployments and their statuses.

  • Discussions: view discussions and related comments.

  • Environments: view repository environments.

  • Issues: view issues and related comments, assignees, labels, and milestones.

  • Metadata: search repositories, list collaborators, and access repository metadata.

  • Packages: view packages published to the GitHub Package Platform.

  • Pages: retrieve Pages statuses, configuration and builds.

  • Projects: view classic projects within the repository.

  • Secret scanning alerts: view alerts related to secrets scanning.

  • Webhooks: view post-receive hooks for the repository.

Each read-and-write permission is associated with the mitigations Arnica performs:

Account permissions

The following read-only account permissions are used for authenticating users via GitHub:

  • Email addresses: view the Arnica operator's email address.
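As an added example (not Arnica's own code or documentation), the following Python script turns the permission list above into a least-privilege baseline and checks an installation's granted permissions against it, flagging anything the baseline never lists, anything granted at a higher level than listed, and anything missing. The key names are assumed to match the `permissions` object GitHub returns for an installation, and the sample installation is constructed.

```python
# Least-privilege baseline taken from the permission list on this page.
# Key names follow the GitHub API's installation "permissions" object as I
# recall them (an assumption): check them against your own installation JSON.
EXPECTED = {
    # organization permissions: read-only, except Members (read and write)
    "organization_administration": "read", "organization_user_blocking": "read",
    "organization_plan": "read", "organization_projects": "read",
    "organization_self_hosted_runners": "read", "team_discussions": "read",
    "organization_hooks": "read", "members": "write",
    # repository permissions: read-only
    "actions": "read", "checks": "read", "security_events": "read",
    "statuses": "read", "vulnerability_alerts": "read", "deployments": "read",
    "discussions": "read", "environments": "read", "issues": "read",
    "metadata": "read", "packages": "read", "pages": "read",
    "repository_projects": "read", "secret_scanning_alerts": "read",
    "repository_hooks": "read",
    # account permissions: read-only
    "email_addresses": "read",
}

# Access levels ordered so that a higher number means more privilege.
LEVEL = {"read": 1, "write": 2, "admin": 3}


def audit_permissions(granted, expected=EXPECTED):
    """Compare an installation's granted permissions against the baseline.

    Returns the permissions the baseline never lists ("unexpected"), those
    granted at a higher level than the baseline allows ("escalated"), and
    baseline permissions the installation lacks ("missing")."""
    unexpected = sorted(k for k in granted if k not in expected)
    escalated = sorted(
        k for k, v in granted.items()
        if k in expected and LEVEL.get(v, 0) > LEVEL[expected[k]]
    )
    missing = sorted(k for k in expected if k not in granted)
    return {"unexpected": unexpected, "escalated": escalated, "missing": missing}


# Constructed sample: the "permissions" object of one installation (in the
# shape the GitHub API returns) with three deliberate deviations from baseline.
SAMPLE_GRANTED = dict(EXPECTED, contents="write", issues="write")
del SAMPLE_GRANTED["organization_plan"]

if __name__ == "__main__":
    for kind, names in audit_permissions(SAMPLE_GRANTED).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Feed `audit_permissions` the `permissions` object from each entry of your organization's installation list to confirm that the app has not been granted more than this page describes.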
