The scan user needs Write permission on a repository:
- to be able to update the commit status via GitHub Branch Source (see GitHubBuildStatusNotification)
- to check whether a PR/Branch is trusted (see GitHubSCMSource)
Granting a single user Write permissions to all organization repositories is a security concern. Git writes and status updates could instead be handled inside the Pipeline/Jenkinsfile.
This request is about a configurable solution so that a scan user doesn't need Read permissions to scan PR/Branches.
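
A sketch of how a status update could be handled inside the Jenkinsfile with a token scoped to one repository instead of the organization-wide scan user. This is an added example, not code from the plugin; the credential ID `repo-status-token`, the `ORG/REPO` placeholder, the `make` build step and the context name `ci/jenkins-pipeline` are assumptions.

```groovy
// Added example: commit status is posted by the build itself, using a
// per-repository secret-text credential (assumed ID: 'repo-status-token').
def setCommitStatus(String state) {
    withCredentials([string(credentialsId: 'repo-status-token', variable: 'GH_TOKEN')]) {
        withEnv(["STATUS_STATE=${state}"]) {
            // Single-quoted Groovy string: the shell expands the variables,
            // so the token is never interpolated by Groovy or echoed in the log.
            sh '''
                curl --fail --silent --show-error \
                  -X POST \
                  -H "Authorization: Bearer $GH_TOKEN" \
                  -H "Accept: application/vnd.github+json" \
                  -d "{\\"state\\": \\"$STATUS_STATE\\", \\"context\\": \\"ci/jenkins-pipeline\\"}" \
                  "https://api.github.com/repos/ORG/REPO/statuses/$GIT_COMMIT"
            '''
        }
    }
}

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // GIT_COMMIT is set by the implicit checkout; it is assumed
                // to be the commit the status should be reported on.
                script { setCommitStatus('pending') }
                sh 'make'   // assumed build step
            }
        }
    }
    post {
        success { script { setCommitStatus('success') } }
        failure { script { setCommitStatus('failure') } }
    }
}
```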