Until now, Code Inspector was a plain GitHub OAuth application: it asked you to authenticate on GitHub, requested a set of permissions (scopes) on your account, and our engine then used the resulting token to call the GitHub API on your behalf.
This model causes problems now that we are moving to serve businesses, for two main reasons:
- Security: a GitHub OAuth token does not expire, so a stolen or leaked token stays valid until it is explicitly revoked, and a single token grants access to every repository covered by its scope. If it is stolen, all of your code is exposed. With a GitHub App, the installation tokens we use are short-lived (they expire after one hour) and are restricted to the repositories you selected when you installed the app.
- Integration: a GitHub App fits the GitHub model. The application is configured within GitHub; users just log in with their GitHub account and nothing else needs to be done: no project to create, no credentials to link, no repository to add.
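To make the difference between the two token models concrete, here is an added example (not Code Inspector's code) of how a GitHub App consumer handles the short-lived, repository-scoped installation tokens described in the security point above. In the real flow the app signs a short-lived RS256 JWT with its private key and POSTs to `/app/installations/{installation_id}/access_tokens`; GitHub answers with a `ghs_` token, an `expires_at` about one hour ahead and the repositories it covers. Those two steps need the private key and the network, so the example replaces them with a constructed response in GitHub's documented shape (`fake_mint`, the `acme/*` repository names and the five-minute refresh margin are all assumptions) and focuses on what the caller must get right: never use a cached token past `expires_at`, and never touch a repository the installation does not cover.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumption: mint a new token a few minutes before the old one expires so a
# long-running analysis never starts with a token that dies halfway through.
REFRESH_MARGIN = timedelta(minutes=5)


@dataclass
class InstallationToken:
    """A GitHub App installation token: short-lived and repository-scoped."""
    token: str
    expires_at: datetime
    repositories: frozenset[str]   # "owner/name" full names the token is valid for

    @classmethod
    def from_api(cls, payload: dict) -> "InstallationToken":
        """Parse the JSON body GitHub returns for POST .../access_tokens."""
        # GitHub serialises expires_at as ISO 8601 UTC, e.g. "2016-07-11T22:14:10Z"
        expires = datetime.strptime(payload["expires_at"], "%Y-%m-%dT%H:%M:%SZ")
        expires = expires.replace(tzinfo=timezone.utc)
        repos = frozenset(r["full_name"] for r in payload.get("repositories", []))
        return cls(payload["token"], expires, repos)

    def usable_at(self, now: datetime) -> bool:
        return now + REFRESH_MARGIN < self.expires_at


@dataclass
class OAuthToken:
    """The legacy model: one bearer token, no expiry, every repo the scope covers."""
    token: str
    expires_at: Optional[datetime] = None   # None: GitHub OAuth tokens never expire

    def usable_at(self, now: datetime) -> bool:
        return True   # still valid years later unless the user revokes it


class InstallationTokenCache:
    """Mints a fresh installation token only when the cached one is about to expire."""

    def __init__(self, mint: Callable[[datetime], dict]):
        self._mint = mint          # hypothetical: in production does JWT + POST to GitHub
        self._current: Optional[InstallationToken] = None
        self.mint_count = 0

    def get(self, now: datetime) -> InstallationToken:
        if self._current is None or not self._current.usable_at(now):
            self._current = InstallationToken.from_api(self._mint(now))
            self.mint_count += 1
        return self._current


def github_api_token_for(cache: InstallationTokenCache, repo_full_name: str, now: datetime) -> str:
    """Return a token valid for repo_full_name at `now`, or refuse if out of scope."""
    tok = cache.get(now)
    if repo_full_name not in tok.repositories:
        raise PermissionError(f"{repo_full_name} is not part of this installation")
    return tok.token


def fake_mint(now: datetime) -> dict:
    """Constructed stand-in for GitHub's response; the token string is not real."""
    return {
        "token": "ghs_" + now.strftime("%H%M%S") + "x" * 30,
        "expires_at": (now + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "repository_selection": "selected",
        "repositories": [{"full_name": "acme/api"}, {"full_name": "acme/web"}],
    }


def demo() -> dict:
    """Walk through reuse, refresh and scope rejection on a fixed clock."""
    t0 = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    cache = InstallationTokenCache(fake_mint)
    first = github_api_token_for(cache, "acme/api", t0)
    again = github_api_token_for(cache, "acme/web", t0 + timedelta(minutes=30))   # reused
    later = github_api_token_for(cache, "acme/api", t0 + timedelta(minutes=56))   # inside margin: refreshed
    try:
        github_api_token_for(cache, "acme/secret", t0)
        out_of_scope_rejected = False
    except PermissionError:
        out_of_scope_rejected = True
    legacy = OAuthToken("gho_" + "y" * 36)   # constructed, not a real token
    return {
        "reused": first == again,
        "refreshed": later != first,
        "mints": cache.mint_count,
        "out_of_scope_rejected": out_of_scope_rejected,
        "legacy_still_valid_years_later": legacy.usable_at(t0 + timedelta(days=5 * 365)),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks in `github_api_token_for` are what shrink the blast radius of a leaked token: a `ghs_` token found in a log is dead within the hour, and even while alive it cannot reach a repository outside the installation, whereas the `OAuthToken` stays usable indefinitely across every repository its scope covers.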
More details about the migration are available in our blog post.
The GitHub App is available to all existing GitHub accounts. However, this means you will need to migrate your projects from the legacy OAuth model to the new one.
The major changes and impacts of the GitHub App integration are listed below.
Adding or removing projects
Adding or removing projects is no longer done on Code Inspector. Instead, every repository you authorize in the App installation (on the GitHub App page) is added as a project on Code Inspector. Be careful: the limits of your account type still apply (see details on our pricing page).
Once logged in, you can reach the App installation page directly: a new icon ("Managing Projects") links to it.
Changing your membership level
Changing your membership level will be done through the GitHub Marketplace. Our App is currently under review; in the meantime, if you would like to be upgraded, contact us.
Should I migrate?
If you are a new user of Code Inspector, just log in using that link and start using the product with your GitHub account.
If you already use Code Inspector and have projects, you should migrate ONLY if you were using Code Inspector by logging in through your GitHub account. The migration does not apply to regular (e-mail) accounts that are linked with GitHub: only accounts that log in with GitHub are affected.
Why should I migrate?
If you do not migrate your old projects, the engine will no longer be able to analyze them.
Once you migrate and start using the GitHub App, we stop using the OAuth token that was generated for your account. This is done for security reasons: that token never expires, and keeping it on our side is unsafe. Since the token is no longer available, projects created under the old model are no longer analyzed.
The migration requires that you delete all your projects on Code Inspector and re-create them through the GitHub App. That brings you the following benefits:
- Improved security: you control which repositories we can access, and we use short-lived tokens.
- Upcoming GitHub App-specific features: we are developing new features that will only be available through the GitHub App.
In practice, this means your old projects are deleted and new ones are created. Here are the steps to migrate your account:
- Remove all your previous projects: for each project, go to its preferences and delete it.
- Once all projects are removed, you will see a message asking you to install the GitHub App on your account. Install the app.
- Select the repositories you want to manage with Code Inspector.
- That's it!
Additionally, for extra security, you can revoke the access of the old OAuth application (see below).
Removing your old OAuth token
Once you have finished the migration, we recommend revoking the OAuth authorization you previously granted to Code Inspector. That token does not expire, so if it is ever leaked or stolen it remains usable until you revoke it.
To do so, go to your GitHub settings, open Applications, select the "Authorized OAuth Apps" pane, find Code Inspector and select "Revoke".
What is really happening behind the scenes?
Removing the projects is necessary in order to also remove the webhooks that were installed on your repositories. If the projects are not removed cleanly, those webhooks stay installed.
Then you need to install the application on your account to give us explicit access to your repositories. Without this explicit installation, we cannot start any analysis on any of your projects.
If you have any questions regarding the migration (or any other topic), please contact us.