GitHub App Permissions

Minimum repository permissions needed for remediation pull requests and evidence correlation.

Obtrace needs only the repository permissions required to read context and create remediation pull requests. Start with the narrowest possible scope.

Minimum expected permissions

  • Read repository contents
  • Read pull requests
  • Write pull requests if remediation PRs are enabled
  • Read checks and workflow status

Do not grant by default

  • Admin permissions
  • Secret manager access unrelated to telemetry
  • Broad organization write access

Self-hosted instances

The same permission model applies to GitHub Enterprise Server and GitLab self-hosted instances. When connecting a self-hosted instance:

  • Register a GitHub App or GitLab OAuth Application with the same minimum permissions
  • Each tenant can connect to a different self-hosted instance via the host field in repository configuration
  • API calls are routed to https://{host}/api/v3 (GitHub Enterprise) or https://{host}/api/v4 (GitLab)
  • See GitHub Enterprise integration and GitLab Self-Hosted integration for setup guides
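
One way to check an installation against the lists above, as an added example that is not Obtrace's own code: it compares the permissions object GitHub reports for an App installation with the minimum set and builds the self-hosted API base URL. The mapping from the bullets to GitHub's permission keys, the function names and the sample data are assumptions.

```python
# Added example: audit the permissions granted to a GitHub App installation.
# Key names are GitHub's installation permission keys; mapping the page's
# bullets onto them is an assumption of this example.
RANK = {"read": 1, "write": 2, "admin": 3}

# Highest level allowed per key (assumed mapping of the minimum list).
ALLOWED = {
    "metadata": "read",        # mandatory for every GitHub App
    "contents": "read",        # read repository contents
    "pull_requests": "write",  # write only if remediation PRs are enabled
    "checks": "read",          # read checks
    "actions": "read",         # read workflow status
}

def api_base(host, provider="github"):
    """Base URL for a self-hosted instance, per the routing described above."""
    return f"https://{host}/api/{'v3' if provider == 'github' else 'v4'}"

def audit(granted, remediation_prs=True):
    """Return sorted findings for permissions that exceed the allowed maximum."""
    allowed = dict(ALLOWED)
    if not remediation_prs:
        allowed["pull_requests"] = "read"
    findings = []
    for key, level in granted.items():
        limit = allowed.get(key)
        if limit is None:
            findings.append(f"{key}={level}: not in the minimum set")
        elif RANK.get(level, 99) > RANK[limit]:  # unknown levels count as excess
            findings.append(f"{key}={level}: exceeds {limit}")
    return sorted(findings)

# Constructed sample of the "permissions" object from an installation record.
SAMPLE = {
    "metadata": "read",
    "contents": "write",
    "pull_requests": "write",
    "checks": "read",
    "administration": "write",
    "secrets": "read",
}

if __name__ == "__main__":
    print(api_base("git.example.internal"))  # hypothetical host
    for finding in audit(SAMPLE):
        print("EXCESS", finding)
```

Run it against each tenant's installation after setup and again after any permission change request is approved, since GitHub Apps can request additional permissions later.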
