Cursor asks for over-broad Github permissions when indexing my codebase.
When indexing my entire codebase, Cursor asks for the following permissions:
Repositories
Public and private
This application will be able to read and write all public and private repository data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites
Note: In addition to repository related resources, the repo scope also grants access to manage organization attributes and organization-owned resources including projects, invitations, team memberships and webhooks. This scope also grants the ability to manage projects owned by users.
I want to use Cursor, and I am okay with it reading our code, but this level of permissions is not going to fly with our folks. Is there a way to tone this down and limit it to reading/writing code?
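One way to check what a token authorized through a flow like this can actually do, as an added example that is not code from this thread or from Cursor: GitHub reports a classic OAuth or personal access token's granted scopes in the X-OAuth-Scopes response header of any authenticated API call, and the script below parses that value, expands the scopes a broad scope like repo implies, and flags anything beyond a least-privilege allowlist. The implied-scope table is a partial copy of GitHub's documented scope hierarchy, and the sample header values are constructed.

```python
"""Audit a GitHub token's granted OAuth scopes against a least-privilege allowlist."""
from __future__ import annotations

# Parent scope -> scopes it implies. Partial copy of GitHub's documented
# hierarchy; `repo` alone grants read/write on all private repository data.
IMPLIED_SCOPES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scopes(header_value: str) -> set[str]:
    """Split an X-OAuth-Scopes header value such as "repo, read:org" into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes: set[str]) -> set[str]:
    """Return the scopes plus everything they transitively imply."""
    effective = set(scopes)
    pending = list(scopes)
    while pending:
        for child in IMPLIED_SCOPES.get(pending.pop(), ()):
            if child not in effective:
                effective.add(child)
                pending.append(child)
    return effective


def audit_token_scopes(header_value: str, allowed: set[str]) -> dict:
    """Compare effective granted scopes with the effective allowlist.

    Anything granted that the allowlist does not cover is reported as excess.
    """
    granted = parse_scopes(header_value)
    excess = expand(granted) - expand(allowed)
    return {"granted": granted, "excess": excess, "ok": not excess}


if __name__ == "__main__":
    # Constructed sample: the `repo` grant from the thread vs. a policy that
    # only allows public-repo access and read-only org membership.
    report = audit_token_scopes("repo, read:org", {"public_repo", "read:org"})
    for scope in sorted(report["excess"]):
        print(f"excess scope granted: {scope}")
    print("OK" if report["ok"] else "token exceeds the allowlist")
```

To obtain the header for a real token, run `curl -s -D - -o /dev/null -H "Authorization: Bearer $TOKEN" https://api.github.com/user` and feed the X-OAuth-Scopes value to `audit_token_scopes`. Note that classic OAuth has no read-only scope for private repositories, which is exactly why a tool that only needs to read private code should use a GitHub App or fine-grained token with read-only Contents permission instead of `repo`.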
Working on a change to codebase indexing that doesn't require Github access at all! That should hopefully help fix this issue.
Thanks!
For what it's worth, I'm okay with reading code too, but being able to read and write all of those other fields of our GitHub org would increase the surface area so much that you (and thus we) become a very juicy target for hackers.
It seems now you can code index without GitHub at all! It's very interesting and works great.
I wanted to make a fork of a repo, and am prompted with this - granting full access even to all orgs etc. I'm part of seems way too much. Would love something much more granular as I can't responsibly tick that box.
As a concerned user of your product, I have to say I'm quite alarmed by the extent of access being requested. It seems wildly invasive to ask for such broad permissions to private repositories, emails, and other sensitive data. This level of access goes far beyond what should be necessary for most applications. For those of us who prioritize security and privacy, the idea of granting such sweeping access is extremely off-putting. It raises serious questions about data protection, potential misuse, and overall security practices. I strongly urge you to reconsider and significantly scale back these requirements. Focus only on the absolute minimum access needed for core functionality. The current approach feels like a massive overreach that will likely deter security-conscious users and businesses from adopting your product. Please revise your access model to be much more limited and targeted. As it stands, the overly broad permissions create an uncomfortable level of exposure that many users, myself included, will find unacceptable from a privacy and security standpoint.
I agree. I feel some trust towards Cursor but still, some private projects I work on really cannot be accessed with full control by anyone or any tool that can do absolutely anything in (and with) the code base. Surprising lack of options here...
Working on a change to codebase indexing that doesn't require Github access at all! That should hopefully help fix this issue.
It's been 2 years and it's still asking for extreme permissions. Fix it.
Bump - ability to exclude private repos is necessary. For all actions, not just indexing. Creating a PR for a public repo should not require private repo access.
@truell20, I haven't come back to Cursor since this, so I don't know where things stand, but could you give an update if the permissions requests have meaningfully changed since my post?