Can I Limit CircleCI's Permissions Required To Access My VCS Provider?

CircleCI Permissions

CircleCI requests only the minimum permissions required. The level of granularity available depends on which integration type you are using.

GitHub OAuth App

When using the GitHub OAuth App integration, GitHub's permissions model is broad — CircleCI receives access to all repositories in your account or organization, or none of them. It is not possible to limit this to specific repositories within the OAuth model. If you have concerns about this scope, we encourage reaching out to GitHub directly.

GitHub App (recommended for granular control)

The CircleCI GitHub App integration offers significantly more granular permissions. Unlike the OAuth model, the GitHub App uses fine-grained permissions and short-lived tokens, and you can choose to grant CircleCI access to only specific repositories within your organization rather than all of them. This is the recommended integration for organizations with stricter security requirements.

To limit repository access, install the GitHub App and select only the repositories you want CircleCI to access during installation. This can be updated at any time from your GitHub organization settings under GitHub Apps.
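One way to confirm that the repository selection stays as intended over time is a small audit. The sketch below is an added example, not CircleCI's or GitHub's own code. It reads a response shaped like GitHub's REST "list app installations for an organization" endpoint (`GET /orgs/{org}/installations`) and compares the app's reachable repositories with an allowlist. The app slug `example-ci-app`, the repository names and all sample data are constructed placeholders.

```python
import json

# Constructed sample shaped like the GET /orgs/{org}/installations response.
SAMPLE_INSTALLATIONS = json.loads("""
{
  "total_count": 2,
  "installations": [
    {"id": 101, "app_slug": "example-ci-app", "repository_selection": "selected",
     "permissions": {"contents": "read", "metadata": "read", "checks": "write"}},
    {"id": 102, "app_slug": "other-app", "repository_selection": "all",
     "permissions": {"contents": "write", "metadata": "read"}}
  ]
}
""")

# Constructed: repositories each installation can currently reach, keyed by
# installation id (as listed on the app's installation settings page).
SAMPLE_REPOS = {101: ["acme/web", "acme/api", "acme/payroll"]}


def audit_installation(response, app_slug, repos_by_install, allowed_repos):
    """Return findings where the app's access differs from the allowlist."""
    matches = [i for i in response["installations"] if i["app_slug"] == app_slug]
    if not matches:
        return [f"{app_slug}: not installed"]
    allowed = set(allowed_repos)
    findings = []
    for inst in matches:
        # "all" means the app was not restricted to specific repositories.
        if inst["repository_selection"] == "all":
            findings.append(f"{app_slug}: access to ALL repositories")
            continue
        granted = set(repos_by_install.get(inst["id"], []))
        for repo in sorted(granted - allowed):
            findings.append(f"{app_slug}: unexpected access to {repo}")
        for repo in sorted(allowed - granted):
            findings.append(f"{app_slug}: expected repo {repo} not granted")
    return findings


if __name__ == "__main__":
    for line in audit_installation(SAMPLE_INSTALLATIONS, "example-ci-app",
                                   SAMPLE_REPOS, ["acme/web", "acme/api"]):
        print(line)
```
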

Bitbucket and GitLab

For Bitbucket and GitLab integrations, permissions are similarly governed by the respective platform's OAuth model. Granular repository-level scoping is not currently available for these providers via CircleCI.
