← all rules

iac/iam/iam-github-broad-oauth-scope

GitHub OAuth/PAT requests an over-broad scope

mediumCloud IAMiac-iam

What it detects

Requesting a high-privilege GitHub scope (`delete_repo`, `admin:org`, `admin:enterprise`, `admin:repo_hook`, `site_admin`) gives the resulting token administrative reach far beyond typical app needs. A leaked token with these scopes can delete repos, reconfigure the org, or tamper with webhooks.

Remediation

Request only the minimal scopes the integration needs (e.g. `read:org`, `repo:status`), and prefer fine-grained PATs / GitHub App permissions over classic broad scopes.

How it runs

Run against JSON/YAML/source files. AWS IAM rules require a policy-document context (Statement + Effect); GCP primitive roles are matched anywhere. HCL is left to the Terraform layer.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.