Comment by drob
12 hours ago
As far as we can tell this is a github-ism, and any OAuth permission is a form of "acting on your behalf": https://dappling.medium.com/a-github-app-would-like-to-act-o...
12 hours ago
As far as we can tell this is a github-ism, and any OAuth permission is a form of "acting on your behalf": https://dappling.medium.com/a-github-app-would-like-to-act-o...
I looked for an explanation of what the tool does on my behalf on your site but didn't see anything.
I guess I expected on the homepage or maybe "About" but I was looking for something related to whether you open PRs on my behalf given that OAuth prompt.
I think adding that or some explanation during onboarding about the permissions might help.
That's good to know, but I would still suggest an on-ramp that only uses GitHub for authentication (i.e. no permissions needed). To that end, it would be nice if I could also authenticate with other OAuth providers instead, like Google, etc.
Again, I understand that this would limit me to scanning public repos, but that would be fine.
Other auth providers for sure. We'll be adding shortly.
Using an alternate auth provider won't even prevent you from scanning non-public GitHub code. There's a GitHub OAuth App just for auth (which is what you're seeing here), and a separate GitHub App that you need to install either way to give Detail access to the right repos. We can swap out the former for Google/Okta/pw if you want to avoid this warning. GitHub Apps (the half that manages repo access) have a much finer grained permissions model.