Summary
Audit the GitHub OAuth scopes requested during the /connect flow and verify we are requesting only what is strictly necessary.
Current scopes
read:user
user:email
read:org
Review checklist
read:user is sufficient for username, avatar, bio
user:email is needed and email is actually stored
read:org is needed at onboarding or can be deferred
SECURITY.md
Why this matters
Requesting excess OAuth scopes is a security and trust risk. Developers will scrutinise what we ask for.
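One way to make the audit repeatable rather than a one-off read of the code, as an added example that is not part of this issue or the project's /connect implementation: parse the scopes out of the authorize URL the app actually builds and compare them with an allowlist of the three scopes listed above, then cross-check what GitHub reports as granted on a token via its X-OAuth-Scopes response header (a real header GitHub sets on authenticated API responses). The authorize URL, client id, callback URL and header values below are constructed for the example; the allowlist is taken from the "Current scopes" list.

```python
"""Audit helpers for GitHub OAuth scopes (added example, not project code).

Two checks a reviewer can run:
  1. requested scopes in the authorize URL must be a subset of ALLOWED_SCOPES
  2. scopes GitHub reports as granted (X-OAuth-Scopes header) must also be a subset
"""
from urllib.parse import urlparse, parse_qs

# Scopes the /connect flow is expected to request (from the issue's "Current scopes").
ALLOWED_SCOPES = frozenset({"read:user", "user:email", "read:org"})

# Constructed sample authorize URL; the client_id and redirect_uri are placeholders.
# It deliberately carries one extra scope ("repo") so the audit has something to flag.
SAMPLE_AUTHORIZE_URL = (
    "https://github.com/login/oauth/authorize"
    "?client_id=CLIENT_ID_PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fconnect%2Fcallback"
    "&scope=read%3Auser+user%3Aemail+read%3Aorg+repo"
    "&state=STATE_PLACEHOLDER"
)

# Constructed sample of the response headers GitHub returns for a token.
SAMPLE_HEADERS = {"X-OAuth-Scopes": "read:user, user:email, read:org, repo"}


def requested_scopes(authorize_url: str) -> set[str]:
    """Return the scope set from a GitHub authorize URL.

    GitHub's scope parameter is space separated; in a URL the spaces arrive as
    '+' or '%20', and parse_qs decodes both back to spaces.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = query.get("scope", [""])[0]
    return {s for s in raw.split() if s}


def granted_scopes(headers: dict) -> set[str]:
    """Return the scopes GitHub reports on a token via the X-OAuth-Scopes header.

    The header is comma separated; the lookup is case-insensitive because HTTP
    client libraries differ in how they normalise header names.
    """
    raw = ""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            raw = value
            break
    return {s.strip() for s in raw.split(",") if s.strip()}


def excess_scopes(scopes: set[str], allowed=ALLOWED_SCOPES) -> set[str]:
    """Scopes present that are not on the allowlist.

    Broader parent scopes (e.g. 'user', which covers read:user and user:email)
    are not expanded: anything not literally on the allowlist is reported, which
    is the conservative answer for a least-privilege audit.
    """
    return set(scopes) - set(allowed)


def audit(authorize_url: str, headers: dict, allowed=ALLOWED_SCOPES) -> dict:
    """Run both checks and return a report; an empty excess set means it passed."""
    requested = requested_scopes(authorize_url)
    granted = granted_scopes(headers)
    return {
        "requested": requested,
        "granted": granted,
        "excess_requested": excess_scopes(requested, allowed),
        "excess_granted": excess_scopes(granted, allowed),
        "ok": not excess_scopes(requested, allowed) and not excess_scopes(granted, allowed),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_AUTHORIZE_URL, SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The same audit function can be pointed at the real authorize URL the app emits (captured from the redirect it issues) and at the headers of any authenticated GitHub API call made with a token from the flow, so it doubles as a regression test that a future change does not quietly widen the scope list.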