
I don't know how installing a GitHub app to give someone access to a company's repositories improves security. Might as well require people to enter an email address to learn what your product is.


You're right that introducing a GitHub app comes with certain risks, but "security" isn't a monolithic concept. For many people, installing a security tool like Socket to prevent supply chain attacks will on net improve their security posture.

Also, for the record, the Socket GitHub app was designed to only read package manifest files such as `package.json`, `package-lock.json`, and `yarn.lock`. It doesn't read other files, and it definitely doesn't send those files to remote servers.


I think it would be awesome if Socket could be used through an auditable GitHub Action where developers can manually send over just their package*.json files.


We agree. It's on our roadmap.

