Why Legitify requires admin:org permission?

[devu-62442]

Hello everyone,

I am a Product Security Engineer and was experimenting with Legitify. I have a question regarding have admin:org permission. From the documentation I can see that we require the following permissions to run legitify without any trouble:

admin:org, read:enterprise, admin:org_hook, read:org, repo, read:repo_hook

Why do we require admin:org or any type of admin access to run legitify?

Please do correct me if I am wrong but should not it only require read access?

Any help will be appreciated :)

Thank you

[gal-legit]

Hi @devu-62442,
Indeed, legitify does not perform any modifications, it only reads your configuration.
However, GitHub requires administrative permissions to read most configuration settings.
You can run grep -rw requiredScopes policies/github to see the permissions required for each policy.
You can also use a non-admin token and check the error.log after the run to see which policies were skipped due to missing permissions.

GitHub recently introduced fine-grained tokens.
It's still in beta mode, and there is no support for GraphQL for now (which is required for legitify),
but we hope that it will enable us to remove the admin-access requirements as the fine-grained tokens feature matures.

p.s. please let us know if you find any instance where the required permissions for a specific policy can be relaxed.

[antoniohernan]

Hi @gal-legit

Fine-grained tokens support GraphQL since Apr/23 https://github.blog/changelog/2023-04-27-graphql-improvements-for-fine-grained-pats-and-github-apps/

In our organization we have forbidden personal PATs and we are only allowing fine-grainded tokens.

Do you plan to undertake this change in the near future?

I have tried to run my legitify installation with fine-grained tokens, modifying the permissions required by the policies/scopes and some checking of the token syntax, but the results are not very good so far. Despite using a fine-grained token with ALL permissions it keeps complaining about lack of permissions.

[Tal-Legit]

Hello @antoniohernan, currently we are limited by the inability to verify a fine-grained token's scopes using the GH API.
Legitify relies on this check in order to return accurate result for the policies we check.

We have opened a community post on the subject, and will be acting to fix this issue as soon as a solution to this limitation is found.

[antoniohernan]

Ok, now I understand what the problem is, thanks for the links @Tal-Legit
I have opened using my business account a ticket to GitHub support with that same question you have posted in the community to see if we can get some more help from there.
I'll keep you posted.

[antoniohernan]

Hello

This is the answer we get from GitHub support

Hi Hernán,

Thank you for contacting GitHub Support! You can use the REST API to view the tokens in assigned in your organizations through the use of a GitHub App: List fine-grained personal access tokens with access to organization resources

Please note that fine grained tokens are still in beta and are subject to change. If you have any feedback about the feature please do not hesitate to add this to the feedback discussion linked to our documentation: https://github.com/orgs/community/discussions/36441

Well, I have been reading the links that support tells us but I don't know if this is enough for the purpose you are looking for. Also that paragraph where it says that this use is limited to the GitHub app may not work or may involve a refactoring of your code too complex.

Lists approved fine-grained personal access tokens owned by organization members that can access organization resources.

Only GitHub Apps can use this endpoint.

In any case, it seems that the link to the fine-grained token discussion forum seems to be the best place to make these queries or present the needs that are expected to be covered, as this feature is still in beta and may change.

[Tal-Legit]

Thank you @antoniohernan - We agree, it seems that the current endpoint isn't sufficient in order to implement the changes necessary to support fine-grained tokens.
It seems this topic already came up in the community feedback discussion and we will be keeping an eye on it.
We will let you know as soon as we are able to implement this change.