iac/iam/iam-github-broad-oauth-scope
GitHub OAuth/PAT requests an over-broad scope
What it detects
Requesting a high-privilege GitHub scope (`delete_repo`, `admin:org`, `admin:enterprise`, `admin:repo_hook`, `site_admin`) gives the resulting token administrative reach far beyond typical app needs. A leaked token with these scopes can delete repos, reconfigure the org, or tamper with webhooks.
Remediation
Request only the minimal scopes the integration needs (e.g. `read:org`, `repo:status`), and prefer fine-grained PATs / GitHub App permissions over classic broad scopes.
How it runs
Run against JSON/YAML/source files. AWS IAM rules require a policy-document context (Statement + Effect); GCP primitive roles are matched anywhere. HCL is left to the Terraform layer.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.