Github App Permissions


Last updated 26 days ago

Overview

Arnica is installed as a GitHub App with the minimum permissions required to operate its full functionality. This article explains why each permission is required.

Permissions Breakdown

GitHub allows applications to request 3 types of permissions: Organization, Repository and Account.

Organization permissions

The following read-only organization permissions are used for the enrichment of Arnica's behavioral analysis:

  • Administration: view access to an organization.

  • Blocking users: view users blocked by the organization.

  • Plan: view organization's plan.

  • Projects: view organization's projects.

  • Self-hosted runners: view the self-hosted runners available to an organization.

  • Team discussions: view team discussions and related comments.

  • Webhooks: view the post-receive hooks for an organization.

Arnica requires a read and write permission for Members (organization members and teams) in order to remove stale users and create Arnica-managed Teams in certain permission mitigations. Deprecation notice: this functionality will be removed when all Arnica's tenants are migrated.

Repository permissions

The following read-only repository permissions are used for the enrichment of Arnica's behavioral analysis:

  • Actions: view workflows, workflow runs and artifacts.

  • Checks: view checks associated with the repository.

  • Code scanning alerts: view code scanning alerts.

  • Commit statuses: view and compare the status of each commit.

  • Dependabot alerts: retrieve Dependabot alerts.

  • Deployments: view deployments and their statuses.

  • Discussions: view discussions and related comments.

  • Environments: view repository environments.

  • Issues: view issues and related comments, assignees, labels, and milestones.

  • Metadata: search repositories, list collaborators, and access repository metadata.

  • Packages: view packages published to the GitHub Package Platform.

  • Pages: retrieve Pages statuses, configuration and builds.

  • Projects: view classic projects within the repository.

  • Secret scanning alerts: view alerts related to secrets scanning.

  • Webhooks: view post-receive hooks for the repository.

Each read and write repository permission is associated with a mitigation Arnica performs:

  • Administration: the automated permission provisioning feature requires this permission in order to manage permissions to the repository. Deprecation notice: this functionality will be removed when all Arnica's tenants are migrated.

  • Contents: Arnica's operator can create a Pull Request when CODEOWNERS files are created or modified, which requires access to the source code. Additionally, Arnica's hardcoded secrets mitigation feature, which is configured to notify only by default, can create a branch with the mitigated secret and offer it to the developer through the integrated communication channel.

  • Pull Requests: view, create and add comments to pull requests. This functionality complements the Contents permission.

  • Workflows: update GitHub Actions workflow files via pull request.

Account permissions

The following read-only account permissions are used for authenticating users via GitHub:

  • Email addresses: view the Arnica operator's email address.
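As an added example (not Arnica's code, nor GitHub's), a small Python check that compares the permissions actually granted to an installed GitHub App, as returned by GitHub's installations API, with the minimum set this page documents, flagging anything granted beyond it or at a higher level. The sample installation JSON is constructed, and the snake_case key names are an assumption to verify against a real API response.

```python
# Added example: audit a GitHub App installation's granted permissions against the
# minimum set documented on this page. The installation JSON below is constructed;
# key names follow the snake_case form used by the GitHub installations API
# (e.g. "pull_requests", "members"), an assumption to verify against your own response.
import json

LEVEL = {"read": 1, "write": 2, "admin": 3}

# Documented minimum: organization, repository and account permissions from this page.
EXPECTED = {
    # organization, read-only
    "organization_administration": "read", "organization_user_blocking": "read",
    "organization_plan": "read", "organization_projects": "read",
    "organization_self_hosted_runners": "read", "team_discussions": "read",
    "organization_hooks": "read",
    # organization, read/write (documented as deprecated)
    "members": "write",
    # repository, read-only
    "actions": "read", "checks": "read", "security_events": "read", "statuses": "read",
    "vulnerability_alerts": "read", "deployments": "read", "discussions": "read",
    "environments": "read", "issues": "read", "metadata": "read", "packages": "read",
    "pages": "read", "repository_projects": "read", "secret_scanning_alerts": "read",
    "repository_hooks": "read",
    # repository, read/write
    "pull_requests": "write", "workflows": "write", "administration": "write",
    "contents": "write",
    # account, read-only
    "emails": "read",
}

def audit(installation: dict) -> dict:
    """Return permissions that exceed the documented set (unknown key or higher
    level than documented) and documented permissions the installation lacks."""
    granted = installation.get("permissions", {})
    excess = {k: v for k, v in granted.items()
              if k not in EXPECTED or LEVEL.get(v, 99) > LEVEL[EXPECTED[k]]}
    missing = {k: v for k, v in EXPECTED.items() if k not in granted}
    return {"excess": excess, "missing": missing}

# Constructed sample: "issues" escalated to write (page says read-only) and
# "organization_secrets" granted although this page does not document it.
SAMPLE = json.loads('{"id": 1, "permissions": {"contents": "write", "metadata": "read",'
                    ' "issues": "write", "organization_secrets": "read"}}')

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Anything reported under "excess" is a candidate for removal from the installation; "missing" entries explain which documented functionality will not work until the permission is granted.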
