[BUG] Claude GitHub integration needs org-installation-only mode and must not access repos outside selected app installation

Open 💬 2 comments Opened Jul 1, 2026 by jflatow

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Right now, the Claude GitHub App can be installed on a work org with access restricted to selected repos, but the user authorization flow can still authorize Claude against the user's broader GitHub identity. There is no clear way to say: "Claude may use only this work org installation and must not discover or access any personal repositories".

For coding agents, this is a serious permission-boundary problem. Many users have both work and personal GitHub access on the same GitHub account. If Claude can use a user authorization path to discover or access repositories outside the selected GitHub App installation, then selected-repo app installation is not a sufficient safety guarantee.

If the Claude GitHub App is installed only on a work org and only for selected repos, then Claude should have no access to private repositories under the personal GitHub account, even if authorized by GitHub user identity to use the connector.

What Should Happen?

One should be able to configure Claude like this:

  • Install the Claude GitHub App on a work org.
  • Restrict the installation to selected work repositories.
  • Authorize their GitHub user only to bind/use that org installation.
  • Ensure Claude cannot discover, read, write, clone, open PRs against, or otherwise operate on any repository outside that selected installation scope.

In other words, the effective repository allowlist should be selected repos in the selected GitHub App installation, not anything the GitHub user can access.

Error Messages/Logs

Steps to Reproduce

The GitHub authorization flow does not provide a clear option to bind Claude only to a selected org installation.

There is no UI to say "authorize this app only for the work org installation" or "exclude my personal repositories".

This creates ambiguity about whether Claude is limited to the selected GitHub App installation or whether it can also use user-authorized access to reach other repositories available to the user.

In testing, Claude appeared able to access personal repositories even though the Claude app was not installed on the personal GitHub account. The integration is using the user authorization path, not only the selected GitHub App installation path.

Claude Model

_No response_

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

*

Platform

Anthropic API

Operating System

Other

Terminal/Shell

Other

Additional Information

Why this matters

For AI coding agents, "act on my behalf" is not a minor convenience permission. It is the core attack surface.

Repo-scoped GitHub App installation gives users the impression that access is limited to selected repositories. If the connector can also use a user authorization path to reach repos outside that installation, then the user-facing permission model is misleading and unsafe for anyone who uses the same GitHub account for work and personal repos.

This blocks safe adoption for users who want Claude on work repositories but do not want to expose personal repositories.

Requested fix

Please add a strict access mode with these guarantees:

  1. Allow users to bind Claude to a specific GitHub App installation, e.g. one org installation.
  2. Show the effective repository allowlist before authorization.
  3. Do not allow any user-token fallback to discover, read, write, clone, or operate on repositories outside that selected installation scope.
  4. Provide a clear UI distinction between identity authorization and repository/content authorization.
  5. Fail closed if a repo is not included in the selected installation.

Suggested product labels:

  • "Use only this GitHub App installation"
  • "Org-installation-only access"

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗