Analysis of the GitHub OAuth scopes granted to third-party integrations and the areas of impact they affect in the Mozilla Risk Management Model
The three right-hand columns give the impact of granting a scope when the authorizing user holds read, write or admin permission on the repository in question; an empty cell means no impact was identified for that combination.

| Scope | Description | User repo:read | User repo:write | User repo:admin |
|---|---|---|---|---|
| (no scope) | Access public information (read-only) | | | |
| user | Update all user data | | | |
| user:email | Access user email addresses (read-only) | | | |
| user:follow | Follow and unfollow users | | | |
| public_repo | Access public repositories | | I | I |
| repo | Full control of private repositories | C | CI | CI |
| repo_deployment | Access deployment status | | | |
| repo:status | Access commit status | | | |
| repo:invite | Access repository invitations | | | |
| delete_repo | Delete repositories | | | A |
| notifications | Access notifications | | | |
| gist | Create gists | | | |
| read:repo_hook | Read repository hooks | | | |
| write:repo_hook | Write repository hooks | | | C |
| admin:repo_hook | Full control of repository hooks | | | C |
| admin:org_hook | Full control of organization hooks | | | C |
| read:org | Read org and team membership | | | |
| write:org | Read and write org and team membership | | | |
| admin:org | Full control of orgs and teams | CIA | CIA | CIA |
| read:public_key | Read user public keys | | | |
| write:public_key | Write user public keys | C | CI | CI |
| admin:public_key | Full control of user public keys | C | CI | CI |
| read:gpg_key | Read user gpg keys | | | |
| write:gpg_key | Write user gpg keys | | | |
| admin:gpg_key | Full control of user gpg keys | | | |

Legend

  • C : Confidentiality impact
  • I : Integrity impact
  • A : Availability impact
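The table and legend above, turned into a small scorer. This is an added example and not part of the original gist: it takes the scope list GitHub reports for a token (the `X-OAuth-Scopes` response header, here a constructed value) plus the authorizing user's repo permission, and returns the same C/I/A string the table shows. The `IMPLIES` map of parent scopes to the scopes they include is an assumption taken from GitHub's OAuth scope documentation, not from the table; it is needed because a token carrying only `repo` must be scored as if it also carried `public_repo`.

```python
# Added example, not part of the original gist: score a GitHub OAuth token's
# scopes against the CIA impact table above.

# Impact table from the gist: scope -> repo permission of the authorizing user
# -> set of impact letters. Scopes absent here carry no impact in the table.
IMPACT = {
    "public_repo":      {"read": set(),   "write": {"I"},      "admin": {"I"}},
    "repo":             {"read": {"C"},   "write": {"C", "I"}, "admin": {"C", "I"}},
    "delete_repo":      {"read": set(),   "write": set(),      "admin": {"A"}},
    "write:repo_hook":  {"read": set(),   "write": set(),      "admin": {"C"}},
    "admin:repo_hook":  {"read": set(),   "write": set(),      "admin": {"C"}},
    "admin:org_hook":   {"read": set(),   "write": set(),      "admin": {"C"}},
    "admin:org":        {"read": {"C", "I", "A"}, "write": {"C", "I", "A"}, "admin": {"C", "I", "A"}},
    "write:public_key": {"read": {"C"},   "write": {"C", "I"}, "admin": {"C", "I"}},
    "admin:public_key": {"read": {"C"},   "write": {"C", "I"}, "admin": {"C", "I"}},
}

# Parent scope -> scopes it includes. Assumption drawn from GitHub's OAuth
# scope documentation; the table itself does not state this hierarchy.
IMPLIES = {
    "repo": {"public_repo", "repo:status", "repo_deployment", "repo:invite"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
    "admin:gpg_key": {"write:gpg_key", "read:gpg_key"},
    "write:gpg_key": {"read:gpg_key"},
    "user": {"read:user", "user:email", "user:follow"},
}

PERMISSIONS = ("read", "write", "admin")


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value such as 'repo, write:public_key'."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes):
    """Close a scope set under IMPLIES so included child scopes are scored too."""
    result = set(scopes)
    stack = list(scopes)
    while stack:
        scope = stack.pop()
        for child in IMPLIES.get(scope, ()):
            if child not in result:
                result.add(child)
                stack.append(child)
    return result


def impact(scopes, permission):
    """Union of impact letters for the scopes at one repo permission level."""
    if permission not in PERMISSIONS:
        raise ValueError("permission must be one of %s" % (PERMISSIONS,))
    total = set()
    for scope in expand(scopes):
        total |= IMPACT.get(scope, {}).get(permission, set())
    return total


def summarize(header_value, permission):
    """Render the impact the way the table does: 'CIA', 'CI', 'C', or '-' for none."""
    found = impact(parse_scopes(header_value), permission)
    return "".join(letter for letter in "CIA" if letter in found) or "-"


if __name__ == "__main__":
    # Constructed header value for a token an integration might hold.
    token_scopes = "repo, admin:repo_hook, write:public_key"
    for perm in PERMISSIONS:
        print("%-6s %s" % (perm, summarize(token_scopes, perm)))
```

Score against the `admin` column when reviewing an integration request: the authorizing user only needs admin on one repository for the worst case to apply, and a token is not bound to the repository the integration was installed for.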

Scopes and their areas of impact

public_repo : Integrity

This scope grants the ability to change code in public repos the user has write access to, so a compromised integration can push to them.

repo : Confidentiality, Integrity

This scope grants the ability to

  • change code and issues in a repo
  • read code and issues in private repos

delete_repo : Availability

This scope grants the ability to delete repos the user administers, which affects availability; deleting a repo also removes its issues, hooks and other metadata.

write:repo_hook : Confidentiality

This scope grants the ability to create repository webhooks. A hook created by the integration delivers event payloads to an endpoint the integration controls, so on private repos it receives the content of newly created

  • issues
  • issue comments
  • commit comments
  • pull request titles and bodies
  • pushed commit messages
  • pull request reviews

Managing hooks requires admin permission on the repo, which is why the impact appears only in the admin column. Existing hooks are listed under the repo's settings and should be reviewed for endpoints outside the organization.

admin:repo_hook : Confidentiality

See write:repo_hook

admin:org_hook : Confidentiality

See write:repo_hook; an organization hook receives events for every repo in the org rather than a single repo.
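The leak path described for the hook scopes, turned into an audit check. This is an added example and not part of the original gist: it walks a repo's webhook list and flags hooks that deliver to hosts outside an allow-list, deliver without a secret or with certificate checks disabled, or subscribe to the events whose payloads carry the content listed above. `SAMPLE_HOOKS` is constructed to mirror the shape of the hook objects GitHub's REST API returns for `GET /repos/{owner}/{repo}/hooks`, `ALLOWED_HOSTS` is an assumed allow-list, and the masked `secret` value is an assumption about how a set secret appears in that listing.

```python
# Added example, not part of the original gist: audit repository webhooks for
# the content-leak path the hook scopes open up.
from urllib.parse import urlsplit

# Webhook events whose payloads carry the content the gist lists for write:repo_hook.
CONTENT_EVENTS = {
    "issues": "issues",
    "issue_comment": "issue comments",
    "commit_comment": "commit comments",
    "pull_request": "pull request titles and bodies",
    "push": "pushed commit messages",
    "pull_request_review": "pull request reviews",
}

# Assumed allow-list of endpoints approved to receive private repo content.
ALLOWED_HOSTS = {"ci.example.com", "hooks.corp.example"}

# Constructed sample, shaped like GitHub's hook listing (assumption).
SAMPLE_HOOKS = [
    # Approved CI receiver with a delivery secret set (shown masked).
    {"id": 1, "name": "web", "active": True, "events": ["push", "pull_request"],
     "config": {"url": "https://ci.example.com/github", "content_type": "json",
                "insecure_ssl": "0", "secret": "********"}},
    # Hook an integration created: all events, unknown host, no secret, TLS checks off.
    {"id": 2, "name": "web", "active": True, "events": ["*"],
     "config": {"url": "https://webhook.attacker.example/x", "content_type": "json",
                "insecure_ssl": "1"}},
    # Disabled legacy hook: receives nothing until re-enabled.
    {"id": 3, "name": "web", "active": False, "events": ["issues"],
     "config": {"url": "http://old.example.com/hook", "content_type": "form",
                "insecure_ssl": "0"}},
]


def leaking_events(hook):
    """Events on this hook whose payloads include repo content; '*' means all events."""
    events = set(hook.get("events", []))
    if "*" in events:
        return set(CONTENT_EVENTS)
    return events & set(CONTENT_EVENTS)


def hook_findings(hook, private_repo=True):
    """Return a list of (severity, message) findings for one hook object."""
    findings = []
    if not hook.get("active", True):
        findings.append(("info", "inactive: GitHub sends it no deliveries until re-enabled"))
        return findings
    cfg = hook.get("config", {})
    parts = urlsplit(cfg.get("url", ""))
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        findings.append(("high", "delivers to unapproved host %r" % host))
    if parts.scheme != "https":
        findings.append(("medium", "delivers over plain HTTP; payloads readable in transit"))
    if cfg.get("insecure_ssl") == "1":
        findings.append(("medium", "insecure_ssl=1: certificate checks disabled on delivery"))
    if not cfg.get("secret"):
        findings.append(("medium", "no secret: receiver cannot verify deliveries come from GitHub"))
    leaking = leaking_events(hook)
    if private_repo and leaking:
        names = ", ".join(CONTENT_EVENTS[e] for e in sorted(leaking))
        findings.append(("info", "receives private content via: " + names))
    return findings


def audit(hooks, private_repo=True):
    """Map hook id -> findings for every hook in a listing."""
    return {h["id"]: hook_findings(h, private_repo) for h in hooks}


def hooks_to_remove(hooks, private_repo=True):
    """Ids of hooks with a high finding, i.e. delivering to an unapproved host."""
    return [h["id"] for h in hooks
            if any(sev == "high" for sev, _ in hook_findings(h, private_repo))]


if __name__ == "__main__":
    for hook_id, findings in audit(SAMPLE_HOOKS).items():
        for severity, message in findings:
            print("hook %d [%s] %s" % (hook_id, severity, message))
    print("remove:", hooks_to_remove(SAMPLE_HOOKS))
```

The host check is the one that matters for the confidentiality impact in the table; the secret and TLS checks are what let the receiving side, and the transport, keep the payloads from a third party once an approved hook exists.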

admin:org : Confidentiality, Integrity, Availability

This scope grants full control of org and team membership, so the holder can place themselves on a team with admin access to any repo in the org. Through that it grants the ability to

  • change code and issues in a repo, affecting integrity
  • read code and issues in private repos, affecting confidentiality
  • delete repos, affecting availability

write:public_key : Confidentiality, Integrity

This scope grants the ability to add an SSH public key to the user's account. Whoever holds the matching private key can then authenticate over SSH as that user, to every repo the user can reach and not only the one the integration was set up for, giving them the ability to

  • change code in a repo, affecting integrity
  • read code in private repos, affecting confidentiality

Keys added this way appear alongside the user's own keys in the account's SSH key settings, which is where to look for keys the user did not create.

admin:public_key : Confidentiality, Integrity

See write:public_key

Links
