Supported Git Hosting Providers
You can use your GitHub, Bitbucket or Azure DevOps account to sign up with CodeScene and analyse your repositories.
GitHub
CodeScene provides full integration with GitHub and all codescene.io functionality has been thoroughly tested using our own GitHub accounts.
CodeScene supports two ways to authenticate with GitHub: the CodeScene Access GitHub App (recommended for all users) and the classic GitHub OAuth login. The GitHub OAuth login is useful when first signing in and for users who can’t install a GitHub App — for example users who aren’t an organization admin, trial users, or individual evaluations.
GitHub App “CodeScene Access” (recommended)
We recommend authenticating with GitHub through the CodeScene Access GitHub App. Compared to a classic OAuth App, a GitHub App is:
Organization-owned and auditable — the App is installed by an organization owner and the installation is visible and revocable in the organization’s GitHub settings.
Scoped to selected repositories — the organization owner chooses exactly which repositories CodeScene may access.
Backed by fine-grained, installation-scoped tokens — there is no dependency on personal access tokens or bot accounts.
Compatible with strict enterprise security policies that forbid OAuth Apps.
Installation
An organization owner installs CodeScene Access once, selecting which repositories CodeScene may access:
Note
With GitHub App login you will only see organizations and repositories where CodeScene Access is installed and granted access. If an organization or repository doesn’t show up after login, the App is likely not installed there, or wasn’t granted access to that repository. Ask an organization owner to install CodeScene Access or extend its repository access.
Required GitHub App permissions
The CodeScene Access GitHub App requests the following permissions:
Checks (read/write) — to publish PR Integration results as Check Runs.
Contents (read) — to clone and analyse your code.
Pull Requests (read/write) — to participate in PR Integration.
Organization Members (read) — to determine organization membership.
Email Addresses (read) — to identify the signed-in user.
The App subscribes to Pull Request, Check Suite, Check Run, and Merge Group / Merge Queue events.
CodeScene never writes to your source code. The only write operations are Check Runs and PR comments created as part of PR Integration.
Organizations can additionally choose to perform all account-wide GitHub actions through the App’s installation token — see Use GitHub App Installation Tokens (organization setting).
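An organization owner can verify that an installed App really holds only the permissions listed above. The following audit is an added example, not CodeScene's own code: it compares each CodeScene Access installation returned by GitHub's installations API against the documented set, flagging anything elevated, extra, or missing. It assumes the permission key names used by GitHub's installation object (checks, contents, pull_requests, members, emails, plus the implicit metadata) and runs on a constructed sample response.

```python
import json

# Permission levels in increasing order of privilege.
RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# The permission set documented for CodeScene Access (assumed API key names).
EXPECTED = {
    "checks": "write",         # publish PR Integration results as Check Runs
    "contents": "read",        # clone and analyse code
    "pull_requests": "write",  # PR comments
    "members": "read",         # organization membership
    "emails": "read",          # identify the signed-in user
    "metadata": "read",        # implicitly granted to every installed App
}

def audit_permissions(granted, expected=EXPECTED):
    """Return a list of findings; an empty list means the grant matches."""
    findings = []
    for perm, level in granted.items():
        want = expected.get(perm)
        if want is None:
            findings.append(f"unexpected permission: {perm}={level}")
        elif RANK.get(level, 99) > RANK[want]:
            findings.append(f"elevated permission: {perm}={level} (expected {want})")
    for perm, want in expected.items():
        if perm not in granted:
            findings.append(f"missing permission: {perm}={want}")
    return findings

def audit_installations(api_json):
    """api_json: parsed body of GET /orgs/{org}/installations. Only CodeScene
    Access installations are checked; the result maps installation id to findings."""
    return {inst["id"]: audit_permissions(inst["permissions"])
            for inst in api_json["installations"]
            if inst.get("app_slug") == "codescene-access"}

# Constructed sample: one conforming installation and one that was granted too much.
SAMPLE = json.loads("""{"total_count": 2, "installations": [
 {"id": 1001, "app_slug": "codescene-access", "repository_selection": "selected",
  "permissions": {"checks": "write", "contents": "read", "pull_requests": "write",
                  "members": "read", "emails": "read", "metadata": "read"}},
 {"id": 1002, "app_slug": "codescene-access", "repository_selection": "all",
  "permissions": {"checks": "write", "contents": "write", "pull_requests": "write",
                  "members": "read", "emails": "read", "metadata": "read",
                  "workflows": "write"}}]}""")

if __name__ == "__main__":
    for inst_id, findings in audit_installations(SAMPLE).items():
        print(inst_id, findings or "OK")
```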
Use GitHub App Installation Tokens (organization setting)
Before enabling the setting, the CodeScene Access GitHub App must be installed for the GitHub organization. The install link is shown in the General Settings help text, and the App can also be installed from https://github.com/apps/codescene-access/installations/new.
To enable, go to Configuration → General Settings → GitHub App Installation, tick Use GitHub App Installation Tokens, and click Save.
When this setting is enabled, CodeScene lists organizations, repositories, and teams using the App installation’s permissions rather than the signed-in user’s permissions. As a result, you will only see organizations, repositories, and teams that the CodeScene Access App has been installed for and granted access to — regardless of what the individual user’s GitHub account can otherwise see.
The setting applies to all users acting on this organization account, regardless of whether they signed in with the GitHub App or the GitHub OAuth button.
GitHub OAuth login (alternative)
The classic GitHub OAuth login is available for users who can’t install a GitHub App — for example users who aren’t an organization admin, trial users, or quick individual evaluations. No installation step is required, and you immediately get access to all organizations and repositories that your GitHub account can see.
Required access
Fig. 6 GitHub Access requested by CodeScene
CodeScene needs access to your organizations to facilitate creating an organizational account. It needs repository (code) access to analyse your code. Unfortunately, GitHub OAuth apps cannot request read-only access to repositories. CodeScene will never do any write operations, except for PR Integration creating and editing Check Runs in your Pull Requests.
Bitbucket
CodeScene provides integration with Bitbucket and all codescene.io functionality has been thoroughly tested. Pull Request Integration requires that our Atlassian Connect App is installed in participating workspaces.
Our Delta Analysis app, used to integrate Automated Code Health Reviews in Pull Requests and Merge Requests, has been published on Atlassian’s Marketplace.
Required access
Fig. 7 Bitbucket Access requested by CodeScene
CodeScene needs read-only access to your code and the ability to post pull request comments.
Azure
CodeScene provides full integration with Azure DevOps, including Project Management analyses of Work Items. Pull Request Integration is done using Service Hooks, so expect them in your projects if you’re using the feature.
Required access
Fig. 8 Azure DevOps Access requested by CodeScene
These features require specific access scopes:
Creating organization accounts, finding user projects: Project and team (read), Graph (read)
Analysis of code: Code (read)
PR Integration comments: PR threads
PR Integration Status Checks: Code (status)
Project Management Analyses: Work items (read)
CodeScene will add PR comments and Status Checks to your pull requests and it will add Service Hooks to receive PR related events. Otherwise CodeScene won’t perform write operations.
Unfortunately, it is not possible to register an OAuth consumer with Azure DevOps that has all potential scopes and then request a reduced set of scopes based on your actual feature use. The Azure OAuth server will throw an error if the requested scopes and the OAuth App’s registered scopes don’t match exactly.
Resolving login issues
In some cases, when an Azure DevOps organization was connected to or disconnected from another Active Directory, there is a bug where Azure cannot map the user’s VSID to a descriptor (and therefore to an organization member). To work around this, create a fresh new Organization (or have someone else create it and invite you to it), then enable third-party app access in Organization Settings:
Fig. 9 Enable Third-party application access via OAuth setting
Select Policies and enable Third-party application access via OAuth, then try to log in. You can delete the organization used for this workaround after users have successfully logged in.
GitLab
CodeScene provides full integration with GitLab. Merge Request Integration is done using Webhooks, so expect them in your projects if you’re using the feature.
Required access
Fig. 10 GitLab Access requested by CodeScene
The access requested by our OAuth App is extensive. The reason is that the only way to clone a private GitLab project with an OAuth token is when the token has api access, which is read/write access to almost everything. As with GitHub, we never do any write operations except the Merge Request comments to post results of analysis.