GitHub App Permissions
GitHub allows applications to request 3 types of permissions: Organization, Repository and Account.
The following read-only organization permissions are used for the enrichment of Arnica's behavioral analysis:
- Administration: view access to an organization.
- Blocking users: view users blocked by the organization.
- Plan: view organization's plan.
- Projects: view organization's projects.
- Self-hosted runners: view the self-hosted runners available to an organization.
- Team discussions: view team discussions and related comments.
- Webhooks: view the post-receive hooks for an organization.
The following read-only repository permissions are used for the enrichment of Arnica's behavioral analysis:
- Actions: view workflows, workflow runs and artifacts.
- Checks: view checks associated to the repository.
- Code scanning alerts: view code scanning alerts.
- Commit statuses: view and compare the status of each commit.
- Dependabot alerts: retrieve Dependabot alerts.
- Deployments: view deployments and their statuses.
- Discussions: view discussions and related comments.
- Environments: view repository environments.
- Issues: view issues and related comments, assignees, labels, and milestones.
- Metadata: search repositories, list collaborators, and access repository metadata.
- Packages: view packages published to the GitHub Package Platform.
- Pages: retrieve Pages statuses, configuration and builds.
- Projects: view classic projects within the repository.
- Secret scanning alerts: view alerts related to secrets scanning.
- Webhooks: view post-receive hooks for the repository.
Each read and write permission is associated with the mitigations Arnica performs:
- Contents: Arnica's operator can create a Pull Request when CODEOWNERS files are created or modified, which requires access to the source code. Additionally, Arnica's hardcoded secrets mitigation feature, which is configured to notify only by default, can create a branch of the mitigated secret and offer it to the developer through the integrated communication channel.
- Pull Requests: view, create and add comments to pull requests. This functionality complements the Contents permission.
- Workflows: update GitHub action workflow files via pull request.
The following read-only account permissions are used for authenticating users via GitHub:
- Email addresses: view the Arnica operator's email address.
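The lists above amount to a least-privilege manifest: read-only everywhere except Contents, Pull Requests and Workflows. The following added example (not Arnica's code) audits an installation's granted permissions against that manifest, flagging anything granted above the documented level or not documented at all; the permission key names are assumed to follow the GitHub REST API's installation `permissions` object, and the installation record is constructed rather than fetched.

```python
# Added example (not Arnica's code): audit a GitHub App installation's granted
# permissions against the least-privilege manifest documented above. Key names
# are assumed to match the GitHub REST API's installation `permissions` object.

# Highest level the documentation says each permission needs (subset of the list).
EXPECTED = {
    "organization_administration": "read",
    "actions": "read",
    "checks": "read",
    "issues": "read",
    "metadata": "read",
    "secret_scanning_alerts": "read",
    "contents": "write",
    "pull_requests": "write",
    "workflows": "write",
    "email_addresses": "read",
}
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}


def audit_installation(granted):
    """Return (over_privileged, unexpected, missing) relative to EXPECTED.
    `granted` is the installation's {permission: level} mapping."""
    over, unexpected = [], []
    for perm, level in granted.items():
        if perm not in EXPECTED:
            unexpected.append(perm)  # never documented: should not be granted
        elif LEVELS.get(level, 99) > LEVELS[EXPECTED[perm]]:
            over.append((perm, level, EXPECTED[perm]))  # drifted above docs
    missing = [perm for perm in EXPECTED if perm not in granted]
    return sorted(over), sorted(unexpected), sorted(missing)


# Constructed installation record, shaped like one GET /app/installations entry.
SAMPLE_INSTALLATION = {
    "id": 12345,
    "permissions": {
        "contents": "write", "pull_requests": "write", "workflows": "write",
        "metadata": "read", "email_addresses": "read",
        "issues": "write",          # drifted above the documented read level
        "administration": "write",  # not in the documented manifest at all
    },
}

if __name__ == "__main__":
    for name, found in zip(("over-privileged", "unexpected", "missing"),
                           audit_installation(SAMPLE_INSTALLATION["permissions"])):
        print(f"{name}: {found}")
```

Running this periodically against the live installation list turns permission drift (a write grant where the documentation promises read) into a concrete finding rather than something noticed only at the next review.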