GitHub app: Reduced permissions
under review
Sid Panjwani
Just had a friend share http://socket.dev with me and it looks awesome. We've been struggling to figure out a way to balance encouraging devs to move quickly and use open source vs. the security risks.
Was about to install your package onto our GH, but noticed it requested read access to all code. I'm reaching out because I'd assume it's not for malicious reasons :)
Any reason why the app needs read access to all the code in the repo rather than just the package/yarn files?
Feross Aboukhadijeh (Socket)
under review
We're currently working with GitHub to improve their permissions model so we can reduce the required permissions.
Feross Aboukhadijeh (Socket)
Thanks for reaching out! You totally understand the value prop of Socket. We want devs to move quickly and use open source but to understand the security risks and be aware of when something is too risky.
Socket is designed to work without the need to analyze, upload, or share your source code.
- The only data we collect from your repository is the `package.json` file and associated lockfiles such as `package-lock.json` and `yarn.lock`, which we call the _dependency snapshot_.
- We use the dependency snapshot to determine the list of packages used by your repository, perform our open source risk analysis, and produce a report.
Some users have multiple `package.json` files located in nested folders, e.g. `foo/package.json` or `bar/package.json`. We would love to request read access to a glob pattern like `**/package.json` but the GitHub permissions model is too limited. For that reason, the GitHub App requests read access to all code in the repository. We're currently working with GitHub to improve their permissions model so we can reduce the required permissions.

Hopefully that makes sense, but let me know if you have more questions!