From 655e31d1ab8d2adf46136e3edef1f512ce90dbb7 Mon Sep 17 00:00:00 2001
From: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
Date: Mon, 28 Feb 2022 17:39:18 +0100
Subject: [PATCH] docs: create security and permissions file (#13748)

Co-authored-by: Rhys Arkins <rhys@arkins.net>
---
 docs/usage/security-and-permissions.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 docs/usage/security-and-permissions.md

diff --git a/docs/usage/security-and-permissions.md b/docs/usage/security-and-permissions.md
new file mode 100644
index 0000000000..17564cad2a
--- /dev/null
+++ b/docs/usage/security-and-permissions.md
@@ -0,0 +1,24 @@
+# Security and Permissions
+
+## Global Permissions
+
+| Permission        | Renovate hosted app |  Forking Renovate  | Why                                                           |
+| ----------------- | :-----------------: | :----------------: | ------------------------------------------------------------- |
+| Dependabot alerts |       `read`        |       `read`       | Create vulnerability fix PRs                                  |
+| Administration    |       `read`        |       `read`       | Read branch protections and to be able to assign teams to PRs |
+| Metadata          |       `read`        |       `read`       | Mandatory for all apps                                        |
+| Checks            | `read` and `write`  |   not applicable   | Read and write status checks                                  |
+| Code              | `read` and `write`  |       `read`       | Read for repository content and write for creating branches   |
+| Commit statuses   | `read` and `write`  | `read` and `write` | Read and write commit statuses for Renovate PRs               |
+| Issues            | `read` and `write`  | `read` and `write` | Create dependency dashboard or Config Warning issues          |
+| Pull Requests     | `read` and `write`  | `read` and `write` | Create update PRs                                             |
+| Workflows         | `read` and `write`  |   not applicable   | Explicit permission needed in order to update workflows       |
+
+## User permissions
+
+Renovate can also request users's permission to the following resources.
+These permissions will be requested and authorized on an individual-user basis.
+
+| Permission | Renovate hosted app | Forking Renovate | Why                                                      |
+| ---------- | :-----------------: | :--------------: | -------------------------------------------------------- |
+| email      |       `read`        |       N/A        | Per-user consent requested if logging into App dashboard |
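Review bot: In the sentence that introduces the User permissions table, "users's permission" is not a valid possessive; suggest "Renovate can also request a user's permission to the following resources." Two consistency points in the same file: the headings mix title case ("Global Permissions") with sentence case ("User permissions"), and the tables use both "not applicable" and "N/A" for the same meaning, so pick one form of each. The "Why" cell for Administration ("Read branch protections and to be able to assign teams to PRs") reads awkwardly; "Read branch protections and assign teams to PRs" is enough. The column names "Renovate hosted app" and "Forking Renovate" are never defined, so a one-line introduction under the first heading saying which app each column describes would help readers who are auditing the granted scopes.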
-- 
GitLab