Full control of private repositories

Today when logging into codecov.io with my Github account (yugr (Yury Gribov) · GitHub) codecov has requested “Full control of private repositories” to log me in. This sounds a bit too much for a coverage collection tool hence some questions.

  1. Why are such extreme permissions needed?
  2. Why only private repos are relevant?
  3. What are the security implications for me in case codecov is hacked?


Hi @yugr, thanks for the questions.

  1. Unfortunately, this is a limitation due to GitHub and their available oauth scopes. repo scope is used on private repositories in order to overlay coverage on our site, write back statuses, and add comments onto PRs.
  2. If you are using Codecov for public repositories only, we will not need these permissions.
  3. You should be able to find out the answers on our security page