fix(auth): remove honeytokens:read from default scopes

GG-HH · GG-HH · commit f23a637ec938 · 2026-05-26T19:23:15.000Z
honeytokens:read is implied by honeytokens:write, so requesting it
explicitly is redundant.
diff --git a/changelog.d/20260526_hhubert_auth_login_default_scopes.md b/changelog.d/20260526_hhubert_auth_login_default_scopes.md
@@ -1,3 +1,3 @@
 ### Changed
 
-- `ggshield auth login` now requests broader default scopes (`scan`, `honeytokens:read`, `honeytokens:write`, `honeytokens:check`, `nhi:send-inventory`). If any scope is not granted, a warning is printed but login still succeeds.
+- `ggshield auth login` now requests broader default scopes (`scan`, `honeytokens:write`, `honeytokens:check`, `nhi:send-inventory`). If any scope is not granted, a warning is printed but login still succeeds.
diff --git a/ggshield/cmd/auth/login.py b/ggshield/cmd/auth/login.py
@@ -112,8 +112,7 @@ def print_default_instance_message(config: Config) -> None:
     type=str,
     help=(
         "Space-separated list of extra scopes to request in addition to the default"
-        " scopes (scan, honeytokens:read, honeytokens:write, honeytokens:check,"
-        " nhi:send-inventory)."
+        " scopes (scan, honeytokens:write, honeytokens:check, nhi:send-inventory)."
     ),
     metavar="SCOPES",
 )
@@ -167,8 +166,8 @@ def login_cmd(
     Alternatively, you can use `--method token` to authenticate using an already existing token.
     The minimum required scope for the token is `scan`.
 
-    By default, the created token will have the `scan`, `honeytokens:read`,
-    `honeytokens:write`, `honeytokens:check`, and `nhi:send-inventory` scopes.
+    By default, the created token will have the `scan`, `honeytokens:write`,
+    `honeytokens:check`, and `nhi:send-inventory` scopes.
     Use the `--scopes` option to request extra scopes. You can find the list of
     available scopes in [GitGuardian API documentation][1].
 
diff --git a/ggshield/verticals/auth/oauth.py b/ggshield/verticals/auth/oauth.py
@@ -29,7 +29,6 @@
 SCAN_SCOPE = "scan"
 DEFAULT_SCOPES = [
     SCAN_SCOPE,
-    "honeytokens:read",
     "honeytokens:write",
     "honeytokens:check",
     "nhi:send-inventory",
diff --git a/tests/unit/cmd/auth/test_login.py b/tests/unit/cmd/auth/test_login.py
@@ -45,7 +45,6 @@
         "name": "key",
         "scope": [
             "scan",
-            "honeytokens:read",
             "honeytokens:write",
             "honeytokens:check",
             "nhi:send-inventory",
@@ -77,7 +76,6 @@
         "created_at": "2021-01-01T00:00:00+00:00",
         "scopes": [
             "scan",
-            "honeytokens:read",
             "honeytokens:write",
             "honeytokens:check",
             "nhi:send-inventory",
@@ -702,7 +700,6 @@ def test_scopes(self, cli_fs_runner, monkeypatch):
         self._assert_open_url(
             scope_set={
                 "scan",
-                "honeytokens:read",
                 "honeytokens:write",
                 "honeytokens:check",
                 "nhi:send-inventory",
@@ -947,7 +944,6 @@ def _assert_open_url(
         if scope_set is None:
             scope_set = {
                 "scan",
-                "honeytokens:read",
                 "honeytokens:write",
                 "honeytokens:check",
                 "nhi:send-inventory",

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`### Changed`
`2`	`2`
`3`		-- `ggshield auth login` now requests broader default scopes (`scan`, `honeytokens:read`, `honeytokens:write`, `honeytokens:check`, `nhi:send-inventory`). If any scope is not granted, a warning is printed but login still succeeds.
	`3`	+- `ggshield auth login` now requests broader default scopes (`scan`, `honeytokens:write`, `honeytokens:check`, `nhi:send-inventory`). If any scope is not granted, a warning is printed but login still succeeds.