Over time, admin and write access accumulates on the wrong people, former employees and outside collaborators. We map permissions per repo and show where least privilege breaks down.
Run a free domain scan All checks →We read your GitHub org's access model: which teams and people hold admin, maintain, write, triage or read per repo, which outside collaborators are invited, and whether permissions are set directly on users instead of via teams.
Excessive access is the silent risk: one compromised key with admin on the wrong repo is enough to plant backdoors or exfiltrate code. Least privilege is a core control in ISO 27001, SOC 2 and NIS2 — and the most commonly missed in practice.
Do you change anything in our org?
No — we only read permissions via the GitHub API. You do the cleanup from our prioritised list.
What token is needed?
A read token with org and repo administration read. We never write.
Do you cover team hierarchies?
Yes — we compute the effective permission even when inherited via nested teams.
Run a free scan or order a full Security Assessment — prioritised, not noise.
Run a free domain scan