[Security] - GitHub App Permissions #8

Closed
probably-not opened this issue Sep 6, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@probably-not

Currently, Sidekick is requesting Full Permissions for read and write to all private and public repositories, and on top of that, is requesting Full Permissions for read and write to all personal information.

[image]

This is a hard no in terms of security, and under no circumstances should Sidekick have full read and write permissions on Personal information data.

In addition to the issue of requesting full permissions to personal information, it's a major security issue to request write permissions on all public and private repositories, especially when this can't be scoped to a specific repository under a specific organization.

@probably-not (Author)

GitHub has GitHub Apps and OAuth Apps (see here for more information on the differences: https://docs.github.com/en/developers/apps/getting-started-with-apps/differences-between-github-apps-and-oauth-apps).

From what I can tell, Sidekick is currently using an OAuth App, which means it can't be scoped to a specific organization or repository. I would recommend moving to a GitHub App, which can be scoped and audited on an organization.
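
A small audit script, added here as an example and not part of Sidekick or the GitHub docs, that makes the difference described above concrete. It checks the two shapes a reviewer would meet: the scopes of an OAuth App token, as GitHub reports them in the X-OAuth-Scopes response header (e.g. "repo, user", which is what a request for full repository and profile access looks like), and the "permissions" map plus "repository_selection" field of a GitHub App installation object from the REST API, which is what can be limited to selected repositories of one organization. The sample inputs are constructed, and the allowlist is a hypothetical policy, not anything GitHub or Sidekick defines.

```python
"""Least-privilege audit for a GitHub integration's access.

Added example for this thread; it is not Sidekick's code. It checks:
  * an OAuth App token, described by the comma-separated scopes GitHub reports
    in the X-OAuth-Scopes response header; scopes are coarse and apply to
    every repository the authorizing user can reach;
  * a GitHub App installation, described by the "permissions" map and the
    "repository_selection" field of the installation object the REST API
    returns, which can be limited to selected repositories of one organization.
The sample inputs below are constructed, and the allowlist is a hypothetical
policy, not anything GitHub or Sidekick defines.
"""
from __future__ import annotations

# OAuth scopes that grant broad read/write access (descriptions paraphrase the
# GitHub scope documentation).
BROAD_OAUTH_SCOPES = {
    "repo": "read/write on all public and private repositories",
    "user": "read/write on the user's profile data",
    "admin:org": "full control of organizations the user administers",
    "delete_repo": "may delete repositories",
}

# Permission levels a GitHub App installation can hold, in increasing order.
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}


def audit_oauth_scopes(scopes_header: str) -> list[str]:
    """Return one finding per broad scope in an X-OAuth-Scopes header value."""
    scopes = {s.strip() for s in scopes_header.split(",") if s.strip()}
    return [
        f"oauth scope '{scope}': {BROAD_OAUTH_SCOPES[scope]}"
        for scope in sorted(scopes)
        if scope in BROAD_OAUTH_SCOPES
    ]


def audit_app_installation(installation: dict, allowlist: dict[str, str]) -> list[str]:
    """Compare an installation's permissions with {permission: highest allowed level}."""
    findings = []
    # "all" means every current and future repository of the account; the
    # thread asks for the scoped alternative, "selected".
    if installation.get("repository_selection") == "all":
        findings.append(
            "installation covers all repositories; install on selected repositories instead"
        )
    for perm, level in sorted(installation.get("permissions", {}).items()):
        cap = allowlist.get(perm)
        if cap is None:
            findings.append(f"permission '{perm}' ({level}) is not in the allowlist")
        elif LEVEL_RANK.get(level, 99) > LEVEL_RANK[cap]:
            findings.append(f"permission '{perm}' is {level}; allowlist caps it at {cap}")
    return findings


# Constructed sample: the OAuth grant the issue describes (all repos, profile).
SAMPLE_OAUTH_SCOPES = "repo, user"

# Constructed sample installation object (only the fields the audit reads).
SAMPLE_INSTALLATION = {
    "id": 1,
    "repository_selection": "selected",
    "permissions": {"contents": "read", "metadata": "read", "pull_requests": "write"},
}

# Hypothetical policy: read-only on code and pull requests, nothing else.
ALLOWLIST = {"contents": "read", "metadata": "read", "pull_requests": "read"}

if __name__ == "__main__":
    for line in audit_oauth_scopes(SAMPLE_OAUTH_SCOPES):
        print("OAuth:", line)
    for line in audit_app_installation(SAMPLE_INSTALLATION, ALLOWLIST):
        print("App:", line)
```

Against a live integration, the header value comes from any API response made with the OAuth token, and the installation object from the app's installations endpoint; the point of the check is that an OAuth token with `repo` can never be narrowed to one repository, while an App installation exposes exactly what it may touch and where.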

@boroskoyo (Contributor)

@probably-not thank you for this issue. We will be fixing it in the upcoming sprint, which starts next week.

@boroskoyo (Contributor)

As promised we have replaced our OAuth App with a GitHub App. Now our Sidekick SaaS asks for fewer permissions and can be scoped and audited on an organization as you have mentioned.

@boroskoyo boroskoyo added the enhancement New feature or request label Sep 29, 2022