Netskope Help

Permissions Required for GitHub

When you grant access to the GitHub app instance, Netskope seeks consent for the following permissions from the GitHub account:

Table 2. Permissions Required by Netskope for GitHub

Permissions required by Netskope

Description

Purpose

Trade-off if not allowed

organization_administration:read

Read organization configuration.

Retrieve organization configuration. The permission to retrieve configuration information for the organization that installed the app. Organization configurations play an important role when evaluating the security posture.

Certain rules of high severity will not be available and is likely to always fail, e.g. two factor required for all members in organization enabled. Customers can mute such rules if they choose to.

metadata:read

The metadata permission provides access to a collection of read-only endpoints with metadata for various resources. These endpoints do not leak sensitive private repository information.

Retrieve organization and repository metadata. The base permission for the GitHub app to retrieve metadata through API.

API access will not be possible. The entire asset fetching and evaluation process will fail for the organization.

secret_scanning_alerts:read

List secret scanning alerts.

Retrieve secret scanning alert configuration. Secret scanning alert is the built-in function GitHub implements to scan a private repository on whether secrets or passwords have been accidentally included into file contents. This permission allows Netskope to get the related configuration on the repositories under the organization and suggest accordingly.

Certain rules related to secret scanning that should be turned on may not be available and will always fail, e.g. secret scanning alert should be enabled for a repository. Customers can mute such rules if they choose to.

administration:read

List repositories and read their configuration.

List organization repositories. This permission allows Netskope to list repositories under the organization and fetch their metadata as well.

Repository asset will not be available and all the related rules will never be evaluated.

contents:read (shown as code)

Read file contents.

Search files matching certain names. This permission allows Netskope to access the content of the files including code. Netskope does not directly read the content but only utilize the search function which requires this permission provided by GitHub to ensure the presence of certain files.

Certain rules related to presence of important files to ensure the safety of a repository will not be available and always fail, e.g. gitignore file, license file, and codeowner file should be presented. Customers can mute such rules if they choose to.