DeepSource does not store your source code. As soon as the analysis transaction is complete, the source code is purged from our infrastructure and is not backed up. The following are the permissions we would require:

​

GitHub

​

OAuth

• read:user - Grants read access to a user’s profile data.

• user:email - Grants read access to a user’s email addresses.

Scope: https://docs.github.com/en/developers/apps/scopes-for-oauth-apps#available-scopes

​

GitHub app

• Write access to files located at .deepsource.toml.

• Read access to administration, code, deployments, members, metadata, organization hooks, and repository hooks.

• Read and write access to checks, commit statuses, and pull requests. (Pull requests and related comments, assignees, labels, milestones, and merges)

Application page: https://github.com/apps/deepsource-io

GitHub Marketplace: https://github.com/marketplace/deepsource-io

​

Autofix app

• Read access to metadata (Search repositories, list collaborators, and access repository metadata).

• Read and write access to code and pull requests (Pull requests and related comments, assignees, labels, milestones, and merges. Access: Read & write)

Note: DeepSource will either raise a pull request or commit to a pull request with existing changes. The app will not make any code changes to the default branch of the repository.

Reference: https://github.com/apps/deepsource-autofix

​

GitLab

​

OAuth

• api - Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.

• read_user - Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under / users.

• read_repository - Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.

Reference: https://docs.gitlab.com/ee/integration/oauth_provider.html#authorized-applications

​

Azure DevOps Services

​

OAuth

• vso.code_write - Grants the ability to read, update, and delete source code, access metadata about commits, changesets, branches, and other version control artifacts. Also grants the ability to create and manage pull requests and code reviews and to receive notifications about version control events via service hooks.

• vso.code_status - Grants the ability to read and write commit and pull request status.

• vso.project - Grants the ability to read projects and teams.

Reference: https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#scopes

​

Bitbucket

​

OAuth

• Read-only access to the user’s account information. Note that this does not include any ability to mutate any of the data. The account information includes:

  • See all email addresses
  • Language
  • Location
  • Website
  • Full name
  • SSH keys
  • User groups

Scope: account.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

​

Bitbucket add-on

• Read-only access to the user’s account information. Note that this does not include any ability to mutate any of the data. Scope: account.

• Read access to pull requests and collaborate on them. This scope implies repository, giving read access to the pull request’s destination repository. Scope: pullrequest.

• Ability to interact with issue trackers the way non-repository members can. This scope does not imply any other scopes and does not give implicit access to the repository the issue is attached to. Scope: issue.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

Atlassian Marketplace: https://marketplace.atlassian.com/apps/1222731/deepsource

​

Autofix add-on

• Read-only access to the user’s account information. Note that this does not include any ability to mutate any of the data. Scope: account.

• Ability to create, merge, and decline pull requests. This scope implies repository:write permissions, giving write access to the pull request’s destination repository. This is necessary to facilitate merging. Scope: pullrequest:write.

• Gives the app admin access to all the repositories the authorizing user has access to. No distinction is made between public or private repositories. This scope does not imply repository or repository:write permissions. It gives access to only the admin features of a repository, not direct access to its contents. Of course, this can be (mis)used to grant read access to another user account who can then clone the repository, but apps that need to read or write source code would also request explicit read or write permissions for the concerned repository. Scope: repository:admin.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

Atlassian Marketplace: https://marketplace.atlassian.com/apps/1223705/deepsource-autofix