GitHub App Permissions
What permissions does Socket for GitHub require?
Socket is designed to work without the need to analyze, upload, or share your source code.
- The only data we collect from your repository is the `package.json` file and associated lockfiles such as `package-lock.json` and `yarn.lock`, which we call the dependency snapshot.
- We use the dependency snapshot to determine the list of packages used by your repository, perform our open source risk analysis, and produce a report.
To support monorepos and projects with multiple manifest files (e.g. `package.json`) in nested folders, such as `foo/package.json` or `bar/package.json`, Socket for GitHub requests read access to all code in the repository. That grant is repository-wide: GitHub does not let an app scope read access to a path pattern, so the restriction to manifests and lockfiles is enforced by what the app reads, not by the permission itself. We're currently working with GitHub to improve their permissions model so we can reduce the required permissions to read access to a glob pattern like `**/package.json`.