Comment by Retr0id
3 days ago
I wanted to check it out but the OAuth flow is asking for permission to write my GitHub email address and profile settings. Is this a bug? If not, what are these permissions needed for?
It also asks for permission to "act on my behalf" which I can understand would be necessary for agent-y stuff but it's not something I'm willing to hand over for a mere vuln scan.
It says "Profile (write) Manage a user's profile settings.", not write email address. The "Act on your behalf" permission is even worse. I agree with you that it should only be asking for read permissions on anything for this purpose.
It was changed
This is a bug; the email-address permissions have been descoped to read-only. Profile settings are either read/write or none, hence the former. If you're concerned about privacy, sign up using email/password.
I was similarly put off but eventually figured out that you can merely create a normal email based login and point the tool to a publicly hosted git repository, which is nice.