Act on your behalf is a permission that GitHub requires of all third-party apps that verify a user’s identity, that is, when GitHub is used as an identity provider (IdP). The actual scope of this permission is limited to what the user explicitly permits. As stated in the GitHub documentation:
The GitHub App can only do things that both you and the app have permission to do.
This restriction also applies to read and write permissions—for example, you have to explicitly grant read and write permissions at a granular level before an app can act on your behalf. At the start of your Semgrep onboarding, the resource granted to Semgrep is read access to your email address, and Semgrep itself never acts on your behalf.
When an app performs an action on your behalf, GitHub labels that action with NAME_OF_APP app.
In contrast, the Semgrep GitHub app performs the action it’s permitted to perform as itself. It does not use your identity to perform any actions. You can see this when Semgrep posts PR comments:
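As an added audit check (not part of the Semgrep documentation or the Semgrep app's own code), the following Python snippet classifies a PR or issue comment returned by GitHub's REST API by whether it was posted by an app acting as itself, by a user on whose behalf an app acted (the case GitHub labels with NAME_OF_APP app), or by a user directly. It assumes the comment object's `user.type` and `performed_via_github_app` fields; the sample comments and the `example-app` slug are constructed.

```python
from typing import Any, Dict, List, Optional

# Constructed sample comment objects in the shape of GitHub's
# issue-comments REST endpoint (only the fields this check needs).
SAMPLE_COMMENTS: List[Dict[str, Any]] = [
    # App posting as itself: bot identity, no user involved.
    {"id": 1, "user": {"login": "example-app[bot]", "type": "Bot"},
     "performed_via_github_app": None},
    # User identity, with an app acting on that user's behalf.
    {"id": 2, "user": {"login": "octocat", "type": "User"},
     "performed_via_github_app": {"slug": "example-app", "name": "Example App"}},
    # User acting directly, no app involved.
    {"id": 3, "user": {"login": "octocat", "type": "User"},
     "performed_via_github_app": None},
]


def classify_actor(comment: Dict[str, Any]) -> str:
    """Return who authored the comment.

    'app'          : the app acted as itself (bot identity)
    'user-via-app' : a user's identity was used, with an app acting on
                     the user's behalf (shown by GitHub as 'with X app')
    'user'         : the user acted directly
    """
    user = comment.get("user") or {}
    via_app: Optional[Dict[str, Any]] = comment.get("performed_via_github_app")
    if user.get("type") == "Bot" or str(user.get("login", "")).endswith("[bot]"):
        return "app"
    if via_app:
        return "user-via-app"
    return "user"


def audit_on_behalf(comments: List[Dict[str, Any]], app_slug: str) -> List[int]:
    """Return ids of comments where app_slug used a user's identity
    instead of posting as itself; for an app that never acts on your
    behalf, this list should be empty."""
    return [
        c["id"] for c in comments
        if classify_actor(c) == "user-via-app"
        and (c.get("performed_via_github_app") or {}).get("slug") == app_slug
    ]
```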