type: runbook
status: active
timestamp: 2026-06-22
tags: [runbook, github-apps, audit, security, free-tier]

GitHub Apps audit — chirag127 account, 2026-06-22

One-shot audit of GitHub Apps on chirag127 account

How this audit was built

The /user/installations REST endpoint requires a GitHub-App-authorised user token, which our standard gho_* OAuth token does not carry. Instead, this audit enumerates apps via check-suite actors across a 7-repo sample (oriz, oriz-pages-blog-app, oriz-cs-me-app, oriz-app, oriz-paisa-finance-tools-app, astro-shell-npm-pkg, agents-md-sync-skill):

```sh
gh api "repos/chirag127/<repo>/commits/<sha>/check-suites" \
  --jq '.check_suites[] | "\(.app.slug)|\(.status)|\(.conclusion)"'
```

status=completed means the app has actually executed on the repo. status=queued only (never completed) means the app is installed, so GitHub creates a check-suite stub for it, but it has either no config or no triggering event yet.

33 apps surfaced. Only 3 actively run (deepsource-io, socket-security, github-actions). 30 sit perpetually queued — installed but inert.
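The per-app "N/M completed" figures in the table below come from repeating the command above over the 7-repo sample. The script here is an added example, not part of the original runbook: it collects one line per check suite across the sample and aggregates them per app slug. It assumes the gh CLI is authenticated and that the head of each repo's default branch (first entry of the commits endpoint) is the commit the audit sampled; the embedded sample lines are constructed so the aggregation can be exercised offline.

```shell
#!/bin/sh
# Added example: aggregate check-suite actors across the sampled repos into
# "app completed/sampled triggered" lines. Not the runbook's own code.

OWNER=chirag127
REPOS="oriz oriz-pages-blog-app oriz-cs-me-app oriz-app oriz-paisa-finance-tools-app astro-shell-npm-pkg agents-md-sync-skill"

# Emit one "repo|app|status|conclusion" line per check suite, for every repo.
# Assumption: the default-branch head (first commit listed) is the sampled SHA.
collect_check_suites() {
  for repo in $REPOS; do
    sha=$(gh api "repos/$OWNER/$repo/commits" --jq '.[0].sha')
    gh api "repos/$OWNER/$repo/commits/$sha/check-suites" \
      --jq ".check_suites[] | \"$repo|\(.app.slug)|\(.status)|\(.conclusion)\""
  done
}

# Read "repo|app|status|conclusion" lines on stdin and print one line per app:
# "<app> <repos where it completed>/<repos where it created a suite> <YES|NO>".
# An app is "triggered" if at least one of its suites reached status=completed;
# a suite that only ever sits in status=queued marks the app as installed but inert.
summarise_apps() {
  awk -F'|' '
    { seen[$2 SUBSEP $1] = 1
      if ($3 == "completed") ran[$2 SUBSEP $1] = 1 }
    END {
      for (k in seen) { split(k, p, SUBSEP); sampled[p[1]]++ }
      for (k in ran)  { split(k, p, SUBSEP); completed[p[1]]++ }
      for (app in sampled) {
        c = (app in completed) ? completed[app] : 0
        printf "%s %d/%d %s\n", app, c, sampled[app], (c > 0 ? "YES" : "NO")
      }
    }' | sort
}

# Constructed sample input (not real API output) for offline use.
SAMPLE='oriz|github-actions|completed|success
oriz|socket-security|completed|success
oriz|codecov|queued|null
oriz-app|github-actions|completed|failure
oriz-app|socket-security|queued|null
oriz-app|codecov|queued|null'

if [ "${1:-}" = "--live" ]; then
  collect_check_suites | summarise_apps
else
  printf '%s\n' "$SAMPLE" | summarise_apps
fi
```

Run with `--live` to query the real repos; without arguments it summarises the constructed sample only.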

The audit table

| # | App slug | Purpose | Status (sample of 7) | Triggered? | Recommendation | Why |
|---|----------|---------|----------------------|------------|----------------|-----|
| 1 | github-actions | Built-in CI | 2/2 completed | YES | KEEP | Core to the family CI/CD |
| 2 | dependabot | Dep updates + security alerts | 1/1 completed | YES | KEEP | Source of email noise but kept — config tamed per dependabot-notification-tuning.md |
| 3 | deepsource-io | Static analysis | 5/7 completed | YES | KEEP | Already running on most repos; matches install-github-apps.md plan |
| 4 | socket-security | Supply-chain SAST | 6/7 completed | YES | KEEP | Active; high-value vs Snyk/GitGuardian overlap |
| 5 | sonarqubecloud | SAST + quality | 0/7 completed | NO | REVIEW | Listed in install-github-apps.md but missing sonar-project.properties — fix or remove |
| 6 | codacy-production | Lint + complexity | 0/7 completed | NO | REVIEW | Listed in install-github-apps.md plan; install consent likely incomplete |
| 7 | coderabbitai | AI PR review | 0/7 completed | NO | REVIEW | Should run on PRs; no PRs in sample. Check on next real PR |
| 8 | renovate | Dep auto-PRs | 0/6 completed | NO | REVIEW | Overlaps with Dependabot. Pick one (Dependabot is now well-tuned; consider REMOVE Renovate) |
| 9 | mergify | PR queue + auto-merge | 0/6 completed | NO | REVIEW | Needs .mergify.yml per repo. Either configure or REMOVE |
| 10 | codecov | Coverage upload | 0/7 completed | NO | REMOVE | Needs per-repo token; never set. Overlaps with future Codacy coverage |
| 11 | snyk-io | Vuln scanning | 0/7 completed | NO | REMOVE | Overlaps with Dependabot + Socket Security. Free tier requires card-on-file for private repos → conflicts with rule 2 |
| 12 | gitguardian | Secrets scanning | 0/7 completed | NO | REMOVE | Overlaps with GitHub secret-scanning (free public) + push-protection. Email-noisy when triggered |
| 13 | codefactor-io | Lint aggregator | 0/7 completed | NO | REMOVE | Pure overlap with DeepSource + Codacy |
| 14 | sourcery-ai | Python refactor | 0/7 completed | NO | REMOVE | No Python in family (rule: ts-only); inert across all repos |
| 15 | greptile-apps | AI code review | 0/7 completed | NO | REMOVE | Overlaps with CodeRabbit. Pick one (CodeRabbit is already in install plan) |
| 16 | kilo-code-bot | AI coding bot | 0/7 completed | NO | REMOVE | No clear use case in this family; not in install plan |
| 17 | autofix-ci | Lint autofix | 0/7 completed | NO | REMOVE | Overlaps with biome --fix in CI; not configured |
| 18 | check-run-reporter | Test aggregator | 0/7 completed | NO | REMOVE | Inert; replaced by GH Actions native test summary |
| 19 | nx-cloud | Nx remote cache | 0/7 completed | NO | REMOVE | Not using Nx — Turborepo’s catalog mode handles caching |
| 20 | mintlify | Docs hosting | 0/5 completed | NO | REMOVE | Using Astro Starlight (packages.oriz.in); Mintlify needs card-on-file |
| 21 | vercel | Hosting | 0/7 completed | NO | REMOVE | Rule: CF Pages preferred (no-paid-self-hosting-only.md) |
| 22 | netlify | Hosting | 0/7 completed | NO | REMOVE | Same — CF Pages only |
| 23 | render | Hosting | 0/7 completed | NO | REMOVE | Same — CF Pages only |
| 24 | fly-io | Hosting | 0/7 completed | NO | REMOVE | Same — CF Pages only |
| 25 | railway-app | Hosting | 0/7 completed | NO | REMOVE | Same — CF Pages only |
| 26 | azure-pipelines | CI | 0/7 completed | NO | REMOVE | Rule 9: Linux-only ubuntu-latest on GH Actions. Azure CI not used |
| 27 | expo | Mobile builds | 0/7 completed | NO | REMOVE | Family is PWA-first (PWABuilder, not native). No Expo projects |
| 28 | supabase | Database hosting | 0/7 completed | NO | REMOVE | Using Firebase + CF KV/R2/D1; no Supabase repos |
| 29 | tembo | Postgres hosting | 0/7 completed | NO | REMOVE | Not using; Postgres only via Firebase Data Connect |
| 30 | smithery | MCP registry | 0/7 completed | NO | REVIEW | If you publish MCP servers there, KEEP; otherwise REMOVE |
| 31 | cursor | Cursor.sh agents | 0/7 completed | NO | REVIEW | Useful if you use Cursor; otherwise REMOVE. Doesn’t cause noise |
| 32 | cloudflare-workers-and-pages | Deploy preview | 6/7 completed | YES (1) | KEEP | Active on CF Pages targets — core to hosting rule |
| 33 | github-pages | Pages deploy | 0/1 completed | NO | REMOVE | CF Pages is the standard, not GH Pages |

Batch 1: KEEP (no action)

github-actions, dependabot, deepsource-io, socket-security, cloudflare-workers-and-pages.

Batch 2: REMOVE these 20 inert apps (manual, ~5 min)

Go to https://github.com/settings/installations and click Configure on each, then Uninstall:

codecov, snyk-io, gitguardian, codefactor-io, sourcery-ai, greptile-apps, kilo-code-bot, autofix-ci, check-run-reporter, nx-cloud, mintlify, vercel, netlify, render, fly-io, railway-app, azure-pipelines, expo, supabase, tembo, github-pages.

Batch 3: REVIEW + decide (~10 min)

| App | Question | Default if unclear |
|-----|----------|--------------------|
| sonarqubecloud | Add sonar-project.properties template + workflow? | KEEP if doing it this week, else REMOVE (DeepSource covers SAST) |
| codacy-production | Same — needs config | REMOVE (DeepSource + Socket cover the niche) |
| coderabbitai | Run on next PR? Free tier OK? | KEEP — install plan explicitly chose this |
| renovate | Dependabot is now batch-grouped — Renovate adds what? | REMOVE — Dependabot tamed is enough |
| mergify | Worth adding .mergify.yml to all repos? | KEEP if auto-merge is a goal; REMOVE if manual merges are fine |
| smithery | Publish any MCP servers? | KEEP if yes (per oriz-omni-post plans); else REMOVE |
| cursor | Use Cursor.sh? | KEEP if yes; REMOVE if the AI agent only |

Email-noise impact estimate

Of the 1,300+ email backlog, the breakdown is approximately:

Total expected reduction after Batch 2 removals: >97% of the daily Dependabot/security-app email volume.

Why no auto-uninstall

GitHub deliberately requires human consent to install AND uninstall apps. There is no API endpoint to uninstall on someone’s behalf — that’s a security feature (matches the install-github-apps.md note). Each uninstall is one click on the user’s account settings page.
