Hound keeps asking for write permission to all data of public repositories (security/dangerous) #925
Comments
It's not possible at the moment to ask for read-only repo permissions. If an app wants to access repo data it has to ask for
@arol, would any of the following strategies work?
I think it could. Giving Hound a deploy key and setting up a webhook manually may work, but I don't know if Hound will be able to comment. Inviting Hound's official user on GitHub and giving it read-only permissions on a specific repo is an interesting approach as well, but a lot of people may be inviting fake users. I prefer the automatic way. I think that doing it that way you're killing the simplicity of Hound. Being an open-source project, I think it is better for you to host your own fork, but I don't know if it's possible in terms of license.
As mentioned, we are restricted on this by GitHub. Until they support finer-grained scopes, we continue asking for "read and write" permissions.
GitHub suggests moving to GitHub Apps, which do allow per-repo specific permissions. However, it's quite a large migration, so we'll be introducing this soon for new users, with an option to upgrade for existing users.
@gylaz Thanks - do you have a link to more details on that suggestion?
This describes the difference between the two types of apps, and talks about what the new GitHub Apps are good at.
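The difference between the two permission models the maintainers describe above (coarse OAuth scopes, where `repo` means read and write on every repository, versus a GitHub App installation token narrowed to chosen repositories and permission levels), as an added example that is not Hound's code or the page's own. The helper names are invented, and `REVIEW_BOT_NEEDS` is a hypothetical least-privilege target for a PR review bot, not Hound's actual requirements; the scope hierarchy, the authorize endpoint and the installation-token request fields follow GitHub's public API documentation.

```python
"""Added example: OAuth scope reach versus GitHub App installation permissions.

Assumptions are marked in comments. REVIEW_BOT_NEEDS is a hypothetical
least-privilege target, not Hound's real permission set.
"""
from urllib.parse import urlencode

# Scope hierarchy as documented by GitHub: a parent scope implies its children.
OAUTH_SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def expand_oauth_scopes(scopes):
    """Return the set of scopes effectively granted, following implications."""
    granted = set()
    todo = list(scopes)
    while todo:
        scope = todo.pop()
        if scope in granted:
            continue
        granted.add(scope)
        todo.extend(OAUTH_SCOPE_IMPLIES.get(scope, ()))
    return granted


def oauth_code_write_reach(scopes):
    """How far write access to repository *contents* reaches under OAuth scopes.

    'all'    - `repo` grants read/write on every repo the user can reach
    'public' - `public_repo` grants read/write on public repos only
    'none'   - nothing requested writes code (e.g. only repo:status)
    No OAuth scope yields read-only code access, which is the limitation
    the maintainers describe in this thread.
    """
    granted = expand_oauth_scopes(scopes)
    if "repo" in granted:
        return "all"
    if "public_repo" in granted:
        return "public"
    return "none"


def oauth_authorize_url(client_id, scopes):
    """Authorization URL an OAuth App sends the user to (GitHub's real endpoint)."""
    query = urlencode({"client_id": client_id, "scope": " ".join(scopes)})
    return "https://github.com/login/oauth/authorize?" + query


# GitHub App permission levels, ordered from least to most access.
LEVEL_RANK = {"none": 0, "read": 1, "write": 2}


def excess_permissions(requested, needed):
    """Return the entries of `requested` whose level exceeds `needed`.

    Both arguments map a permission name (e.g. "contents") to a level.
    A permission absent from `needed` is treated as needed at "none".
    """
    excess = {}
    for name, level in requested.items():
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown permission level {level!r} for {name}")
        if LEVEL_RANK[level] > LEVEL_RANK[needed.get(name, "none")]:
            excess[name] = level
    return excess


def installation_token_request(repositories, permissions, needed):
    """Build the JSON body for POST /app/installations/{id}/access_tokens.

    `repositories` (repo names) and `permissions` are GitHub's field names;
    they narrow the minted token below what the installation itself allows.
    Raises before any request is made if the body exceeds the target.
    """
    over = excess_permissions(permissions, needed)
    if over:
        raise PermissionError(f"request exceeds least privilege: {over}")
    return {"repositories": list(repositories), "permissions": dict(permissions)}


# Hypothetical least-privilege target for a PR review bot (assumption, not Hound's).
REVIEW_BOT_NEEDS = {"contents": "read", "pull_requests": "write", "statuses": "write"}


if __name__ == "__main__":
    print(oauth_authorize_url("Iv1.example", ["repo"]))
    print(oauth_code_write_reach(["repo"]), oauth_code_write_reach(["public_repo"]))
    print(excess_permissions({"contents": "write", "pull_requests": "write"}, REVIEW_BOT_NEEDS))
    body = {"contents": "read", "pull_requests": "write"}
    print(installation_token_request(["globaleaks"], body, REVIEW_BOT_NEEDS))
```

The point of the second half is that a GitHub App can mint a token scoped to one repository with `contents: read` while still holding `pull_requests: write` for commenting, which is exactly the combination the OAuth scope model cannot express.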
This ticket is to improve the security of Hound, so that it can work without asking for write permission to all data of public repositories, which is a dangerous practice.
I was trying to add it to GlobaLeaks, but it keeps asking for privileges to write to the GlobaLeaks repository, which is a security risk that we cannot afford, because only authorized developers can have write access to the code.
Example of the write-permission request reported below: