Permissions

When you start using DeepSource, you will need to explicitly grant DeepSource permission, through your source code hosting provider, to check out your public and private repositories. To perform analysis, we check out your code from the supported source code hosting providers.

DeepSource does not store your source code. As soon as the analysis transaction is complete, the source code is purged from our infrastructure; it is never backed up. The permissions we require are listed below, per provider:

📘

The "Act on your behalf" permission alert is triggered because we require an OAuth token from your source control provider. We use your OAuth token only to validate your identity.

GitHub

OAuth

  • read:user - Grants read access to a user's profile data.

  • user:email - Grants read access to a user's email addresses.

Reference: https://docs.github.com/en/developers/apps/scopes-for-oauth-apps#available-scopes

GitHub app

  • Write access to files located at .deepsource.toml.

  • Read access to administration, code, deployments, members, metadata, organization hooks, and repository hooks.

  • Read and write access to checks, commit statuses, and pull requests. (Pull requests and related comments, assignees, labels, milestones, and merges)

Application page: https://github.com/apps/deepsource-io

GitHub Marketplace: https://github.com/marketplace/deepsource-io

Autofix app

  • Read access to metadata (Search repositories, list collaborators, and access repository metadata).

  • Read and write access to code and pull requests (Pull requests and related comments, assignees, labels, milestones, and merges. Access: Read & write)

Note: Autofix either opens a new pull request or pushes a commit to the branch of an existing pull request. The app never commits directly to the repository's default branch.

Reference: https://github.com/apps/deepsource-autofix

GitLab

OAuth

  • api - Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.

  • read_user - Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.

  • read_repository - Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API.

Reference: https://docs.gitlab.com/ee/integration/oauth_provider.html#authorized-applications

Azure DevOps Services

OAuth

  • vso.code_write - Grants the ability to read, update, and delete source code, access metadata about commits, changesets, branches, and other version control artifacts. Also grants the ability to create and manage pull requests and code reviews and to receive notifications about version control events via service hooks.

  • vso.code_status - Grants the ability to read and write commit and pull request status.

  • vso.project - Grants the ability to read projects and teams.

Reference: https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#scopes

Bitbucket

OAuth

  • Read-only access to the user's account information. Note that this does not include any ability to mutate any of the data. The account information includes:
    • See all email addresses
    • Language
    • Location
    • Website
    • Full name
    • SSH keys
    • User groups

Scope: account.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

Bitbucket add-on

  • Read-only access to the user's account information. Note that this does not include any ability to mutate any of the data. Scope: account.

  • Read access to pull requests and collaborate on them. This scope implies repository, giving read access to the pull request's destination repository. Scope: pullrequest.

  • Ability to interact with issue trackers the way non-repository members can. This scope does not imply any other scopes and does not give implicit access to the repository the issue is attached to. Scope: issue.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

Atlassian Marketplace: https://marketplace.atlassian.com/apps/1222731/deepsource

Autofix add-on

  • Read-only access to the user's account information. Note that this does not include any ability to mutate any of the data. Scope: account.

  • Ability to create, merge, and decline pull requests. This scope implies repository:write permissions, giving write access to the pull request's destination repository. This is necessary to facilitate merging. Scope: pullrequest:write.

  • Gives the app admin access to all the repositories the authorizing user has access to. No distinction is made between public or private repositories. This scope does not imply repository or repository:write permissions. It gives access to only the admin features of a repository, not direct access to its contents. Of course, this can be (mis)used to grant read access to another user account who can then clone the repository, but apps that need to read or write source code would also request explicit read or write permissions for the concerned repository. Scope: repository:admin.

🚧

Note that the repository:admin scope is required so that Autofix can check, before committing, whether a commit to the target branch is possible. For this check we use the branch restrictions API, which requires this scope to function.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

Atlassian Marketplace: https://marketplace.atlassian.com/apps/1223705/deepsource-autofix
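The scope lists above are the basis for a least-privilege check on your side: after authorizing, compare the scopes a token actually carries with the ones documented here, so that a broader grant (GitLab `api` where only read scopes were expected, or a Bitbucket `pullrequest:write` consumer where `pullrequest` was expected) is caught and re-authorized. The script below is an added example, not DeepSource's own code. It models scope implication from the provider hierarchies quoted on this page and GitHub's documented scope tree; that `pullrequest:write` implies `pullrequest`, and the read-only classification of scopes, are the example's own assumptions. The sample scope strings are constructed, not taken from a real token (GitHub reports a token's scopes in the `X-OAuth-Scopes` response header, which is the input `parse_scopes` expects).

```python
"""Least-privilege audit of OAuth scopes against the scopes documented on this page.

Given the scopes a token actually carries, expand implied scopes (a broad scope
such as GitLab `api` or Bitbucket `pullrequest:write` covers narrower ones) and
report what is missing, what exceeds the documented set, and which effective
scopes can mutate data.
"""
from __future__ import annotations

# Scopes listed on this page for the OAuth integrations, per provider.
DOCUMENTED: dict[str, set[str]] = {
    "github": {"read:user", "user:email"},
    "gitlab": {"api", "read_user", "read_repository"},
    "azure": {"vso.code_write", "vso.code_status", "vso.project"},
    "bitbucket": {"account", "pullrequest", "issue"},
}

# Implied-scope graph: granting the key also grants the values. GitHub entries
# follow GitHub's published scope tree; Bitbucket entries follow the "implies"
# statements quoted on this page (that pullrequest:write implies pullrequest is
# a modelling assumption). GitLab `api` is documented as full read/write API
# access, so it is modelled as subsuming the read and write_repository scopes.
# Azure DevOps scopes are not expanded here.
IMPLIES: dict[str, dict[str, set[str]]] = {
    "github": {
        "user": {"read:user", "user:email", "user:follow"},
        "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite"},
        "write:org": {"read:org"},
    },
    "gitlab": {
        "api": {"read_api", "read_user", "read_repository", "write_repository"},
        "write_repository": {"read_repository"},
    },
    "azure": {},
    "bitbucket": {
        "pullrequest": {"repository"},
        "pullrequest:write": {"pullrequest", "repository:write"},
        "repository:write": {"repository"},
    },
}

# Scopes this example treats as read-only. Anything not listed is reported as
# write-capable, which is the safe default for an audit (assumed classification).
READ_ONLY: dict[str, set[str]] = {
    "github": {"read:user", "user:email", "read:org", "read:packages",
               "read:discussion", "read:public_key", "read:gpg_key", "read:repo_hook"},
    "gitlab": {"read_user", "read_api", "read_repository", "read_registry"},
    "azure": {"vso.project", "vso.code", "vso.profile"},
    "bitbucket": {"account", "email", "repository", "pullrequest"},
}


def parse_scopes(raw: str) -> set[str]:
    """Parse a comma- or space-separated scope list, e.g. the value of GitHub's
    X-OAuth-Scopes response header."""
    return {s.strip() for s in raw.replace(",", " ").split() if s.strip()}


def expand(provider: str, scopes: set[str]) -> set[str]:
    """Return the transitive closure of `scopes` under the implication graph."""
    effective = set(scopes)
    pending = list(scopes)
    while pending:
        scope = pending.pop()
        for implied in IMPLIES.get(provider, {}).get(scope, ()):
            if implied not in effective:
                effective.add(implied)
                pending.append(implied)
    return effective


def audit(provider: str, granted: set[str]) -> dict[str, set[str]]:
    """Compare the granted scopes with the ones documented for `provider`."""
    expected = expand(provider, DOCUMENTED[provider])
    effective = expand(provider, granted)
    return {
        "missing": expected - effective,   # the integration will not work fully
        "excess": effective - expected,    # broader than documented: re-authorize
        "write_capable": {s for s in effective if s not in READ_ONLY[provider]},
    }


def format_report(provider: str, granted: set[str]) -> str:
    """Render an audit as a short, human-readable block."""
    result = audit(provider, granted)
    lines = [f"[{provider}] granted: {sorted(granted)}"]
    for key in ("missing", "excess", "write_capable"):
        lines.append(f"  {key:<13} {sorted(result[key]) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs; not scopes of any real token.
    print(format_report("github", parse_scopes("repo, read:user, user:email")))
    print(format_report("gitlab", {"read_user", "read_repository"}))
    print(format_report("bitbucket", {"account", "pullrequest:write", "issue"}))
```

Anything in `excess` that is also `write_capable` is the finding to act on: revoke the token or app installation and re-authorize with the documented set. `missing` explains a failing integration rather than an over-grant.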