Skip to content
This documentation applies to Codacy Self-hosted v3.0.0

For the latest updates and improvements, see the latest Cloud documentation instead.

Which permissions does Codacy need from my account?

Codacy Cloud uses OAuth to handle logins. We support the following providers:

  • GitHub Cloud
  • GitLab Cloud
  • Bitbucket Cloud
  • Google Sign-In

Depending on the provider, we may request different permissions due to different OAuth implementations. We strive to request only the necessary permissions.

GitHub Cloud

If you log in with GitHub, Codacy requires the following permissions/scopes:

  • 'user' permissions to access GitHub user info
  • 'public_repo' permissions to set PR status on public repositories
  • 'repo' access to access private repositories
  • 'write: public_key' to add SSH keys to the repositories, so that Codacy can have access to the repository
  • 'write:repo_hook' access to add post-commit hooks
  • 'read:org': read-only access to organization membership, organization repositories, and team membership
  • 'admin:org_hook' to access organization hooks

GitHub Cloud using GitHub Apps

If you log in with GitHub, Codacy requires the following app permissions:

Repository permissions:

  • Checks: Checks on code - Read & Write
  • Issues: Issues and related comments, assignees, labels, and milestones - Read & Write
  • Metadata: Search repositories, list collaborators, and access repository metadata - Read Only
  • Pull requests: Pull requests and related comments, assignees, labels, milestones, and merges - Read & Write
  • Webhooks: Manage the post-receive hooks for a repository - Read & Write
  • Commit statuses: Commit statuses - Read & Write
  • Administration: Create SSH keys - Read & Write. Codacy creates an SSH key on the repository to allow cloning and integrating with your repository.

Organization permissions:

  • Members: Organization members and teams - Read Only
  • Webhooks: Manage the post-receive hooks for an organization - Read & Write

User permissions:

These permissions are granted on an individual user basis as part of the User authorization flow. They will be also be displayed during account installation for transparency.

  • Email addresses: Manage a user's email addresses - Read Only
  • Git SSH keys: Create SSH keys - Read & Write. Codacy may need to create an SSH key in your account:
    • If your repository uses submodules, so that Codacy can clone the repositories for each submodule, or
    • If Codacy fails to integrate with a repository using the repository key, so that Codacy can continue to perform analysis.

GitLab Cloud

If you sign up with GitLab Cloud, Codacy requires the following permissions/scopes:

  • ‘api’ permissions to access the authenticated user's API
  • ‘read_user’ permissions to read the authenticated user's personal information
  • ‘read_repository’ permissions to read the repositories
  • ‘openid’ to authenticate using OpenID Connect

Bitbucket Cloud

If you log in with Bitbucket, Codacy requires the following permissions/scopes:

  • Read and modify your account information
  • Read and modify your repositories' issues
  • Read your workspace’s project settings and read repositories contained within your workspace's projects
  • Read and modify your repositories and their pull requests
  • Administer your repositories
  • Read your group membership information
  • Read and modify your repositories' webhooks

Google Sign-In

If you log in with Google, Codacy requires the following permissions/scopes:

  • Email permission

Revoking access to integrations

To revoke the access from Codacy to one or more of the OAuth providers:

  1. Click on your avatar on the top right-hand corner an select Your Account, tab Access Management.
  2. The Access Management page lists all current integrations with Git providers or Google that you used to sign in or log in to Codacy. To revoke the access to an integration, click the button Revoke access for the intended integration.

  3. To ensure that the integration is removed not only on Codacy but also on the integration side, we recommend that you follow the instructions on how to revoke the Codacy OAuth application on your provider:

After revoking an integration, Codacy will no longer be able to access or manipulate resources that require API calls, such as detecting new pull requests or adding comments to pull requests. However, Codacy will continue to be able to perform operations that only require using the Git protocol either via SSH or HTTPS, such as detecting new commits and calculating diffs. To unregister your repositories from Codacy and stop the analysis you must delete them from your Codacy account.

If you need to use an integration that you have previously revoked, log in again to Codacy with that integration so that Codacy can request the required permissions from the provider.

Share your feedback 📢

Did this page help you?

Thanks for the feedback! Is there anything else you'd like to tell us about this page?

We're sorry to hear that. Please let us know what we can improve:

Alternatively, you can create a more detailed issue on our GitHub repository.

Thanks for helping improve the Codacy documentation.

If you have a question or need help please contact

Last modified November 17, 2020