# Permissions

When you start using DeepSource, you must explicitly grant permissions with the respective source code hosting provider, authorizing us to check out your public and private repositories. To analyze the source code, we check out your code from supported source code hosting providers.

DeepSource does not store your source code. As soon as the analysis transaction is complete, the source code is purged from our infrastructure and is not backed up. The following are the permissions

Note

The "Act on your behalf" permission alert is triggered because we hold your OAuth token. We only use your OAuth token to validate users’ identity.

# GitHub

## OAuth

  • read:user - Grants access to read a user's profile data.

  • user:email - Grants read access to a user's email addresses.

Scope: https://docs.github.com/en/developers/apps/scopes-for-oauth-apps#available-scopes

## GitHub app

  • Write access to files located at .deepsource.toml.

  • Read access to administration, code, deployments, members, metadata, organization hooks, and repository hooks.

  • Read and write access to checks and pull requests. (Pull requests and related comments, assignees, labels, milestones, and merges)

Application page: https://github.com/apps/deepsource-io

GitHub Marketplace: https://github.com/marketplace/deepsource-io

## Autofix app

  • Read access to metadata (Search repositories, list collaborators, and access repository metadata).

  • Read and write access to code and pull requests (pull requests and related comments, assignees, labels, milestones, and merges).

Note: DeepSource always raises a pull request or makes a commit to a pull request with the changes. The app will not make any code changes to the default branch of the repository.

Reference: https://github.com/apps/deepsource-autofix

# GitLab

## OAuth

  • api - Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.

  • read_user - Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.

  • read_repository - Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.

Reference: https://docs.gitlab.com/ee/integration/oauth_provider.html#authorized-applications

# Bitbucket

## OAuth

  • Read-only access to all user's account information. Note that this does not include any ability to mutate any of the data. The account information includes:
    • See all email addresses
    • Language
    • Location
    • Website
    • Full name
    • SSH keys
    • User groups

Scope: account.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

## Bitbucket add-on

  • Read-only access to all user's account information. Note that this does not include any ability to mutate any of the data. Scope: account.

  • Read access to pull requests and collaborate on them. This scope implies repository, giving read access to the pull request's destination repository. Scope: pullrequest.

  • Ability to interact with issue trackers the way non-repo members can. This scope does not imply any other scopes and does not give implicit access to the repository the issue is attached to. Scope: issue.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

Atlassian Marketplace: https://marketplace.atlassian.com/apps/1222731/deepsource

## Autofix add-on

  • Read-only access to all user's account information. Note that this does not include any ability to mutate any of the data. Scope: account.

  • Ability to create, merge, and decline pull requests. This scope implies repository:write permissions, giving write access to the pull request's destination repository. This is necessary to facilitate merging. Scope: pullrequest:write.

  • Gives the app admin access to all the repositories the authorizing user has access to. No distinction is made between public or private repos. This scope does not imply repository or repository:write permissions. It gives access to the admin features of a repo only, not direct access to its contents. Of course it can be (mis)used to grant read access to another user account who can then clone the repo, but repos that need to read or write source code would also request explicit read or write. Scope: repository:admin.

Note

Note that the repository:admin scope is required to check whether a commit is possible. For this purpose, we use the branch restrictions API, which requires this scope to function.

Reference: https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

Atlassian Marketplace: https://marketplace.atlassian.com/apps/1223705/deepsource-autofix
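For reviewing a Bitbucket consent screen against the scopes listed above, the following added example (not DeepSource's own code) expands the scope implications this page states and reports anything requested beyond the documented set. The names `IMPLIES`, `DOCUMENTED`, `effective`, `audit` and the integration keys are hypothetical, and the scope lists passed in are constructed sample input.

```python
# Scope implications exactly as stated on this page for Bitbucket.
IMPLIES = {
    "account": set(),
    "issue": set(),                      # "does not imply any other scopes"
    "pullrequest": {"repository"},
    "pullrequest:write": {"repository:write"},
    "repository:admin": set(),           # does not imply repository or repository:write
}

# Scopes this page documents per integration (keys are hypothetical labels).
DOCUMENTED = {
    "bitbucket-oauth": {"account"},
    "bitbucket-addon": {"account", "pullrequest", "issue"},
    "bitbucket-autofix": {"account", "pullrequest:write", "repository:admin"},
}


def effective(scopes):
    """Return the requested scopes plus everything they imply (transitive)."""
    seen, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope not in seen:
            seen.add(scope)
            # Scopes not in the table are kept as-is and imply nothing here.
            stack.extend(IMPLIES.get(scope, ()))
    return seen


def audit(integration, requested):
    """Compare the scopes a consent screen shows with the documented set."""
    documented = DOCUMENTED[integration]
    requested = set(requested)
    granted = effective(requested)
    return {
        "undocumented": sorted(requested - documented),
        "missing": sorted(documented - requested),
        "effective": sorted(granted),
        "can_write_code": "repository:write" in granted,
    }


if __name__ == "__main__":
    # Constructed input: the Autofix add-on scopes as listed on this page.
    print(audit("bitbucket-autofix",
                ["account", "pullrequest:write", "repository:admin"]))
    # Constructed input: an add-on install asking for one scope too many.
    print(audit("bitbucket-addon",
                ["account", "pullrequest", "issue", "repository:write"]))
```

A non-empty `undocumented` list means the install prompt asks for more than this page describes and is worth questioning before approval.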

Last Updated: 2/18/2021, 7:14:27 PM