mxcube / mxcubeqt

Qt Front-end of MXCuBE
http://mxcube.github.io/mxcube/
GNU Lesser General Public License v3.0

Codacy is dodgy? #345

Open rhfogh opened 5 years ago

rhfogh commented 5 years ago

After signing up to Codacy, I found it had access permissions to all GitHub repositories I have, including a project that has nothing to do with MXCuBE or Global Phasing. More precisely it has all the permissions listed below (source: https://support.codacy.com/hc/en-us/articles/115003405529-Which-permissions-does-Codacy-need-from-my-account-). OK, looking in my settings profile it only says that it needs permission to "Access public information (read-only)". But then, there is a discussion at https://github.com/dear-github/dear-github/issues/113 that points out exactly that this kind of tool insists on write access to all your repositories.

Is this really the way we want to go? Is there a better alternative?

The permissions Codacy wants, for all your repositories, are (from https://support.codacy.com/hc/en-us/articles/115003405529-Which-permissions-does-Codacy-need-from-my-account-):

"""If you log in with GitHub, Codacy requires the following permissions/scopes:

'user' permissions to access GitHub user info.
'public_repo' permissions to set PR status on public projects.
'repo' access to access private repositories.
'write: public_key' to add ssh keys to the repositories, so that Codacy can have access to the repository.
'write:repo_hook' access to add post-commit hooks.
'admin:org_hook' to access organization hooks.

"""

rhfogh commented 5 years ago

For now I have simply revoked all Codacy permissions and removed my account with them. I am open to alternative suggestions, though.

kinow commented 4 years ago

Not a developer of mxcube, but this issue was the first non-Codacy link in my search results, and I'm doing the same with my account and projects. Probably will look at SonarQube/SonarCloud.

rhfogh commented 4 years ago

@kinow Thanks for letting us know. Maybe we should consider changing to SonarQube/SonarCloud as well.