4 changes: 4 additions & 0 deletions docs/deployment/deployment-checklist.md
Expand Up @@ -294,6 +294,10 @@ These features require **read access** to your code.

</details>

:::tip
**Autofix** (Semgrep Code and Semgrep Supply Chain upgrade PRs) needs **Contents: Read and write** on the private app, plus other permissions, so Semgrep can clone and push branches and open draft PRs. For a breakdown of Git operations versus REST endpoints, see [GitHub permissions and API usage for Autofix](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix).
:::

</TabItem>

<TabItem value='permissions-gitlab'>
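Review bot: "plus other permissions" in the new tip is vague for a deployment checklist, and the section it links to names exactly which ones. Suggest spelling them out inline so a reader doing a security review does not have to follow the link: "needs **Contents: Read and write** (to clone and push the fix branch), **Metadata: Read**, and **Pull requests: Write** (to open the draft PR)".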
16 changes: 15 additions & 1 deletion docs/semgrep-code/triage-remediation/autofix.md
@@ -1,6 +1,6 @@
---
title: Autofix (beta)
description: Use Semgrep Autofix to automatically generate a fix PR for Semgrep Code findings.
description: Use Semgrep Autofix to automatically generate a fix PR for Semgrep Code findings, including required GitHub App permissions and how Semgrep accesses your repository.
tags:
- Semgrep Code
- Semgrep AppSec Platform
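Review bot: the updated description still scopes the page to "Semgrep Code findings", but the checklist tip in this same change says the permissions section covers Semgrep Supply Chain upgrade PRs as well, and the Supply Chain page now links to it. Consider wording the description so it does not undersell the section, for example "... for Semgrep Code findings and Supply Chain upgrade PRs, including required GitHub App permissions ...".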
Expand Down Expand Up @@ -88,6 +88,20 @@ At this time, Semgrep Memories do not directly influence Autofix PR generation.

Memories may affect PRs indirectly through remediation guidance. If general remediation guidance has been generated and includes information derived from memories, that guidance is passed into the PR generation process. However, memories themselves are not currently sent as direct input when generating the PR.

## GitHub permissions and API usage for Autofix {#github-permissions-and-api-usage-for-autofix}

Autofix uses your **private Semgrep GitHub App** with the permissions below. Use this section for security reviews (for example, which GitHub operations require **Contents: Read and write**).

### Repository permissions

| GitHub App permission | Why Autofix needs it |
| --- | --- |
| **Contents: Read** | Clone the repository over HTTPS (shallow, single-branch) so Semgrep can analyze the code and generate a fix. This uses GitHub’s Smart HTTP Git protocol (`git-upload-pack`). |
| **Contents: Write** | Push the Autofix branch back to the repository. This uses GitHub’s Smart HTTP Git protocol (`git-receive-pack`). |
| **Metadata: Read** | Read repository metadata, including the default branch, using `GET /repos/{owner}/{repo}`. |
| **Pull requests: Write** | Open a **draft** pull request using `POST /repos/{owner}/{repo}/pulls`. |

### How repository contents are accessed

Semgrep does **not** read or write file contents through the REST Contents API (`GET` or `PUT` `/repos/{owner}/{repo}/contents/{path}`). Autofix reads and writes code only through the **Git transport layer** (clone and push), which still requires the GitHub **Contents** permissions above.

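Review bot: the table lists **Contents: Read** and **Contents: Write** as separate rows, while the intro sentence of this section, the checklist tip, and the Supply Chain page all refer to the single GitHub App setting **Contents: Read and write**. A reviewer mapping rows to the app configuration may look for a standalone read-only option that the page never mentions. Suggest a one-line note under the table, for example "Both Contents rows are satisfied by the single **Contents: Read and write** setting on the private app", so the rows and the setting name line up.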
3 changes: 3 additions & 0 deletions docs/semgrep-supply-chain/triage-remediation.md
Expand Up @@ -88,6 +88,7 @@ To access all upgrade guidance and Autofix features, you must have:
- Semgrep Multimodal [enabled](/semgrep-multimodal/getting-started).
- The **private** GitHub app for Semgrep installed.
- The app must have [**Read and write** access on the **Contents** permission](#grant-read-and-write-access-to-a-private-github-semgrep-app) to open Autofix PRs. Current customers must manually enable this if they haven't already.
- For which GitHub operations and endpoints that entails (Git clone and push versus REST), see [GitHub permissions and API usage for Autofix](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix).
- Optionally: if you have [a private registry, connect it to Semgrep](#connect-a-private-registry-to-semgrep) to improve results.

### Features and permissions required
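Review bot: the new sub-bullet opens with "For which GitHub operations and endpoints that entails", which does not parse as a sentence. Suggest "For the GitHub operations and endpoints this entails (Git clone and push versus REST calls), see [GitHub permissions and API usage for Autofix](...)".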
Expand Down Expand Up @@ -161,6 +162,8 @@ To prevent security vulnerabilities from being merged into your codebase, see [S

### Grant **Read and write** access to a private GitHub Semgrep app

Autofix PRs for Supply Chain use the same private GitHub App permissions and GitHub access patterns as [Autofix for Semgrep Code](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix).

<GithubAppReadWritePermissions />

### Connect a private registry to Semgrep