Expose GitHub App repository scope and requested permissions to organization owners via API

[jaredcatkinson]

🏷️ Discussion Type

Product Feedback

💬 Feature/Topic Area

API

Body

I’d like to request better API support for organization owners to programmatically inspect the true scope of GitHub App access in their organizations.

Right now, GitHub Apps represent a meaningful third-party access boundary into an organization’s repositories and settings, but it appears that organization owners still do not have complete API visibility into that access at the level they need for governance and risk management.

The missing visibility seems to affect both:

• pending GitHub App installation requests
• existing GitHub App installations, especially when repository access is limited to selected repositories

The biggest gap is repository scope. In particular, when a GitHub App installation is scoped to selected repositories, organization owners should be able to programmatically enumerate exactly which repositories are in scope. Similarly, for pending installation requests, organization owners should be able to inspect the exact repository selection and permission set being requested before approving it.

From a security perspective, this is important because GitHub App installations grant third parties access into organization-owned resources. The organization owner is the party accepting that risk, so it does not make sense for programmatic visibility into the scope of access to be incomplete from the organization-owner side.

Even if the app owner also needs this visibility, organization owners should not have less access to that information than is necessary to make an informed approval or review decision.

At a minimum, organization owners should be able to retrieve via API:

For existing installations:

• the installed app identity
• the organization/account where it is installed
• the effective permission set granted to the installation
• whether repository access is all or selected
  -the exact repository list when access is selected

For pending installation requests:

• the requesting user
• the app identity
• the requested permission set
• whether repository access requested is all or selected
• the exact repository list when selected
• relevant request metadata such as timestamps and status

A likely response is that this information is available in the web UI. But many organizations need to review and govern third-party access through automated or semi-automated processes, for example:

• internal approval workflows
• compliance and audit evidence collection
• policy validation against requested permissions and repository scope
• risk scoring and exception handling
• security inventory and continuous monitoring

Those workflows depend on API access, not just UI inspection.

If the necessary data already exists to support the UI, exposing it consistently through REST and/or GraphQL for organization owners would make GitHub App governance much more practical and much more aligned with how organizations manage third-party access risk.

A related enhancement would be similar API visibility for OAuth app approval requests, since those also represent third-party access decisions that organization owners may need to evaluate programmatically.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐