Is your private GitHub organization really private?
Private GitHub organizations may not be as secure as expected: without third-party access policies, applications can act on behalf of users who have granted them permissions, and that can include access to private repositories. GitHub does not have resource-specific scopes, so granting an application permission to manage issues requires giving it access to all resources. Organizations should check their configurations and implement access restrictions to protect proprietary code from bad actors.
Company
Bandwidth
Date published
June 9, 2015
Author(s)
Bandwidth
Dan Goslen
Word count
579
Language
English
Hacker News points
None found.