# Permissions
When you start using DeepSource, you have to explicitly grant permissions in the respective source code hosting provider that you are authorizing us to check out your public and private repositories. To analyze the source code, we check out your code from supported source code hosting providers.
DeepSource does not store your source code. As soon as the analysis transaction is complete, the source code is purged within our infrastructure and are not backed up. The following are the permissions
Note
The "Act on your behalf" permission alert gets triggered due to our possession of your oauth token. We only use your OAuth token to validate users’ identity.
# GitHub
# OAuth
read:user
- Grants access to read a user's profile data.user:email
- Grants read access to a user's email addresses.
Scope: https://docs.github.com/en/developers/apps/scopes-for-oauth-apps#available-scopes (opens new window)
# GitHub app
Write access to files located at
.deepsource.toml
.Read access to administration, code, deployments, members, metadata, organization hooks, and repository hooks.
Read and write access to checks and pull requests. (Pull requests and related comments, assignees, labels, milestones, and merges)
Application page: https://github.com/apps/deepsource-io (opens new window)
GitHub Marketplace: https://github.com/marketplace/deepsource-io (opens new window)
# Autofix app
Read access to metadata (Search repositories, list collaborators, and access repository metadata).
Read and write access to code and pull requests (Pull requests and related comments, assignees, labels, milestones, and merges. Access: Read & write)
Note: DeepSource always raises a pull request (or) make commit to a pull request with changes. The app will not make any code changes to default branch of the repository.
Reference: https://github.com/apps/deepsource-autofix (opens new window)
# GitLab
# OAuath
api
- Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.read_user
- Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under / users.read_repository
- Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.
# Bitbucket
# OAuth
- Read-only access to all user's account information. Note that this does not include any ability to mutate any of the data. The account information includes:
- See all email addresses
- Language
- Location
- Website
- Full name
- SSH keys
- User groups
Scope: account
.
Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/ (opens new window)
# Bitbucket add-on
Read-only access to all user's account information. Note that this does not include any ability to mutate any of the data. Scope:
account
.Read access to pull requests and collaborate on them. This scope implies repository, giving read access to the pull request's destination repository. Scope:
pullrequest
.Ability to interact with issue trackers the way non-repo members can. This scope does not imply any other scopes and does not give implicit access to the repository the issue is attached to. Scope:
issue
.
Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/ (opens new window)
Atlassian Marketplace: https://marketplace.atlassian.com/apps/1222731/deepsource (opens new window)
# Autofix add-on
Read-only access to all user's account information. Note that this does not include any ability to mutate any of the data. Scope:
account
.Ability to create, merge, and decline pull requests. This scope implies
repository:write
permissions, giving write access to the pull request's destination repository. This is necessary to facilitate merging. Scope:pullrequest:write
.Gives the app admin access to all the repositories the authorizing user has access to. No distinction is made between public or private repos. This scope does not imply
repository
orrepository:write
permissions. It gives access to the admin features of a repo only, not direct access to its contents. Of course it can be (mis)used to grant read access to another user account who can then clone the repo, but repos that need to read of write source code would also request explicit read or write. Scope:repository:admin
.
Note
Note that repository:admin
scope is required to check the possibility of a commit. For this purpose, we use branch restrictions API (opens new window) which requires this scope to function.
Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/ (opens new window)
Atlassian Marketplace: https://marketplace.atlassian.com/apps/1223705/deepsource-autofix (opens new window)