Looked at it, but as a security person, I have to recommend against it as it requires permissions to act on behalf of repository maintainers. That is asking for trouble, and represents a backdoor into every project that signs up for it.
Thanks for bringing this up, and totally understand the concern. We are committed to security, and we never write/access your code without your action--the only reason that setting is necessary is so that you can merge/1-click commit suggestions from the AI directly from the code suggestions it has posted.
Agree with the above commenter.
We would be happy to try, except when it has write/merge permissions.
One click and auto merge are nice to have. Having the bot (and your company) able to deploy any code changes to production (by accident, via hack, etc) is a no go.
Suggest making them optional features and just having a code-comments/repo-read version.
Not sure if it’s possible - but if the permissions could exclude specific branches that would be ok as well.
But there needs to be no way a malicious actor could write/merge to main.
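The thread turns on two concrete questions: which of the permissions a review bot's GitHub App asks for actually let it change code, and whether a branch rule can keep it off main regardless. The script below is an added example for this thread, not code from any of the posters or from the vendor. It uses GitHub's real permission names (contents, pull_requests, metadata, issues, workflows, administration) and levels (read/write/admin); the sample bot request, the comment-only baseline, and the key names read from the branch-protection dict are constructed assumptions for illustration, and the dict mirrors only the handful of keys this check needs.

```python
"""Least-privilege check for a GitHub App permission set and a branch rule.

Added example for this thread; not code from the forum posters or the vendor.
Permission names and levels follow GitHub's; the sample manifests and the
branch-protection dict shape are constructed assumptions.
"""

LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Permissions that, at "write" or above, let an installation change code or
# the rules guarding it. These are the grants the thread objects to.
CODE_MUTATING = {
    "contents": "push commits and create branches",
    "workflows": "change GitHub Actions workflow files",
    "administration": "alter branch protection and repository settings",
}

# Assumed baseline for a bot that only reads code and posts review comments.
COMMENT_ONLY_BASELINE = {
    "metadata": "read",
    "contents": "read",
    "pull_requests": "write",  # needed to post review comments on PRs
}

# Constructed sample: what a bot asks for when it wants 1-click commits.
SAMPLE_BOT_REQUEST = {
    "metadata": "read",
    "contents": "write",
    "pull_requests": "write",
    "issues": "read",
}


def excess_permissions(requested: dict, baseline: dict) -> dict:
    """Return {permission: (requested_level, allowed_level)} for each grant
    above the baseline. Permissions missing from the baseline count as
    allowed at 'none'."""
    excess = {}
    for perm, level in requested.items():
        allowed = baseline.get(perm, "none")
        if LEVEL_RANK[level] > LEVEL_RANK[allowed]:
            excess[perm] = (level, allowed)
    return excess


def repo_write_grants(requested: dict) -> list:
    """Sorted list of requested permissions that can modify code or its
    protections (the CODE_MUTATING keys at write or above)."""
    return sorted(
        perm for perm, level in requested.items()
        if perm in CODE_MUTATING and LEVEL_RANK[level] >= LEVEL_RANK["write"]
    )


def direct_push_blocked(protection: dict, app_slug: str) -> bool:
    """True when a branch-protection rule stops `app_slug` from pushing
    straight to the branch: at least one approving review is required, the
    rule is enforced for admins too, and the app is not on a push allow list.
    `protection` uses the key names of GitHub's branch-protection API
    response (assumption: only the keys read here are modelled)."""
    reviews = protection.get("required_pull_request_reviews") or {}
    needs_review = reviews.get("required_approving_review_count", 0) >= 1
    for_admins = (protection.get("enforce_admins") or {}).get("enabled", False)
    restrictions = protection.get("restrictions") or {}
    allowed_apps = {a.get("slug") for a in restrictions.get("apps", [])}
    return needs_review and for_admins and app_slug not in allowed_apps


if __name__ == "__main__":
    print("beyond comment-only baseline:",
          excess_permissions(SAMPLE_BOT_REQUEST, COMMENT_ONLY_BASELINE))
    print("can change code via:", repo_write_grants(SAMPLE_BOT_REQUEST))
```

Running it against the constructed request flags `contents: write` as the one grant that exceeds a comment-only bot, which is exactly the permission the thread does not want to hand out; `pull_requests: write` is what posting suggestions needs, and applying a suggestion is done by the maintainer under their own credentials. The branch-rule check encodes the "no way to write/merge to main" ask: a protection rule that requires review, is enforced for admins, and does not list the app as an allowed pusher keeps even a `contents: write` installation from landing commits on main directly, while leaving it free to commit to other branches, which is the per-branch carve-out suggested above.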