GitHub
Discover orgs, teams, repositories and **GitHub Apps / OAuth apps**, Actions runners, environments & secrets, branch protection & CODEOWNERS, webhooks and audit log signals. Govern non-human identities and their effective permissions — stop risky actions before impact.
What the connector discovers
- Organizations, Teams & Members
Org settings (SSO/SAML/SCIM), teams and maintainers, role mappings, outside collaborators, fine-grained personal access tokens (metadata).
- Repositories & Protections
Repos (visibility, topics), branch protection rules, required reviews, status checks, CODEOWNERS, environments and required reviewers.
- GitHub Apps & OAuth Apps
Installed GitHub Apps (permissions/events), OAuth apps and grants, app owners, slug, repositories/organizations installation scope.
- Actions, Runners & Secrets
Repo/org/self-hosted runners, ephemeral runners, Actions permissions, environments/secrets/variables and secret visibility (org/repo/env).
- Webhooks & Security Signals
Org/repo webhooks (endpoints, active flags), Dependabot alerts, secret scanning configuration, audit log events (installs, app perms, token scope/grant changes).
- Effective Permissions
Identity (app/bot/token) → permissions/policy → repository/environment/resource → allowed actions at time-of-execution.
GitHub is where source and CI/CD power live. Apps, runners and secrets can move code and credentials at scale. ClarioSec adds **runtime governance**: drift-aware scoring, pre-execution controls and audit-grade narratives.
Drift-aware risk scoring
Baselines per app/runner/token; peer groups by repo/team; detect permission expansion, missing branch protections, ownerless apps, stale PATs and anomalous secrets/env usage in Actions.
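One way to implement the permission-expansion part of that score, as an added example rather than ClarioSec's own scoring logic: diff the `permissions` object GitHub returns for an installation against the copy recorded at install time, and count only moves up the read/write/admin ladder. The set of "sensitive" permissions and the point values are assumptions chosen for illustration; the baseline and current maps in `main` are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// levelRank orders the permission levels GitHub reports on an installation
// ("read", "write", and "admin" for a few permissions) so drift can be compared.
// An unrecognised level is ranked highest: fail closed rather than miss an escalation.
func levelRank(level string) int {
	switch level {
	case "":
		return 0
	case "read":
		return 1
	case "write":
		return 2
	default:
		return 3
	}
}

// sensitive permissions can move code, CI configuration or credentials, so an
// escalation to write/admin on them scores higher than on, say, "issues".
// The list is an assumption for this example, not GitHub's or ClarioSec's.
var sensitive = map[string]bool{
	"contents": true, "actions": true, "workflows": true, "secrets": true,
	"administration": true, "organization_administration": true,
}

// Finding records one permission that sits higher than it did at baseline.
type Finding struct {
	Permission string
	Before     string // "" when the permission did not exist at baseline
	After      string
	Score      int
}

// PermissionDrift compares the permission map captured at install time (the
// baseline) with the one GitHub reports now and returns only expansions;
// downgrades and unchanged permissions are ignored. Output is sorted by name.
func PermissionDrift(baseline, current map[string]string) []Finding {
	var out []Finding
	for perm, after := range current {
		before := baseline[perm]
		delta := levelRank(after) - levelRank(before)
		if delta <= 0 {
			continue
		}
		score := delta // one point per level crossed
		if sensitive[perm] && levelRank(after) >= levelRank("write") {
			score += 2 // write/admin on a sensitive permission is the signal that matters
		}
		out = append(out, Finding{perm, before, after, score})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Permission < out[j].Permission })
	return out
}

// RiskScore sums findings so an app whose "contents" went read->write outranks
// one that merely gained read on "issues".
func RiskScore(findings []Finding) int {
	total := 0
	for _, f := range findings {
		total += f.Score
	}
	return total
}

func main() {
	// Constructed sample: what was recorded at install time vs. what GitHub reports today.
	baseline := map[string]string{"metadata": "read", "contents": "read", "actions": "read"}
	current := map[string]string{
		"metadata": "read", "contents": "write", "actions": "read",
		"secrets": "read", "administration": "write",
	}
	findings := PermissionDrift(baseline, current)
	for _, f := range findings {
		fmt.Printf("%-16s %-6q -> %-6q score=%d\n", f.Permission, f.Before, f.After, f.Score)
	}
	fmt.Println("risk score:", RiskScore(findings))
}
```

The same diff works for the `events` list of an installation and for fine-grained PAT permissions, since both are reported as name-to-level maps; the point of the unknown-level branch is that a new level name GitHub introduces is treated as an escalation until a human classifies it.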
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. Minimize app permissions, enforce required reviews, and require JIT approval before privileged Actions or secret access.
Audit-grade narratives
Each decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after permissions, affected repos/environments and owner context.
Connect GitHub
Use a **GitHub App** (recommended) or a **fine-grained PAT** with read-only permissions for discovery. An organization-level installation is preferred, since org settings, members and org-level runners, secrets and webhooks are only visible to an app installed on the organization; a repository-level installation is supported but covers only the selected repositories.
- 1) Create a GitHub App (org level)
GitHub → Organization settings → Developer settings → GitHub Apps → New GitHub App. The Homepage URL is required; a callback URL is only needed if users will sign in through the app. If the connector will not receive events, untick the webhook "Active" box so that no webhook URL is required.
- 2) Grant minimum read permissions
Repository permissions: Metadata (read, always granted), Contents (read), Administration (read, needed to read branch protection), Actions (read), Environments (read), Secrets and Variables (read: names and metadata only, values are never returned), Webhooks (read), Dependabot alerts (read), Secret scanning alerts (read). Organization permissions: Members (read), Administration (read), Webhooks (read), Secrets and Variables (read), Self-hosted runners (read). Audit log access requires GitHub Enterprise.
- 3) Install the App
Install on your organization (all or selected repositories). Record the App ID (shown on the app's settings page) and the Installation ID (the number at the end of the installation's URL under Installed GitHub Apps → Configure). Generate a private key on the app page; GitHub lets you download the PEM only once, so store it in a secrets manager and remove any copy left in a working directory.
- 4) Add in ClarioSec
Open the GitHub connector and paste Organization, App ID, Installation ID and PEM private key (stored per tenant).
- Alternative — Fine-grained PAT
Create a fine-grained PAT with the least read permissions covering org/repo metadata and Actions; paste the token in the connector (per-tenant storage). A fine-grained PAT acts as the user who created it and carries the expiry set at creation, so issue it from a dedicated service account rather than a personal login, and track the expiry date.
High-value signals via GitHub REST/GraphQL (metadata only):
- Organizations, SSO/SAML state, Members, Teams & outside collaborators
- Repositories (visibility), branch protection rules, CODEOWNERS, required reviews/checks
- GitHub Apps & OAuth apps (permissions/events), app grants and installations
- Actions runners (self-hosted/ephemeral), Actions permissions, environments & required reviewers
- Secrets/variables visibility (org/repo/env) — metadata only; Dependabot & secret scanning signals
- Webhooks (endpoints/active), audit log (Enterprise), security findings links
Endpoint family: REST v3 & GraphQL v4 (Orgs, Teams, Repos, Apps, Actions, Webhooks, Audit, Security advisories).
- Over-privileged GitHub Apps & tokens
Apps with broad repository/org permissions; fine-grained PATs scoped too widely or never rotated.
- Branch protection gaps
Missing required reviews/checks on default branches, bypass lists too large, CODEOWNERS not enforced.
- Actions runner exposure
Self-hosted runners shared across many repos/orgs (a job from one repository can leave files, caches or credentials behind for the next), persistent rather than ephemeral runners, actions and runner images pinned to mutable tags rather than commit SHAs or digests, org secrets visible to all repositories and workflows.
- Webhook exfiltration
Org/repo webhooks to external endpoints with broad event delivery; no owner review.
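A posture check over the branch-protection and webhook payloads GitHub returns, covering the branch-protection and webhook gaps in the list above, as an added example that is not the product's detection logic. It also flags `enforce_admins` being off and force pushes being allowed, which the list does not mention. The JSON in `main` is constructed; the bypass-list limit and the approved webhook hosts are policy assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Protection carries the parts of GET /repos/{owner}/{repo}/branches/{branch}/protection these
// checks read. Objects GitHub omits or returns as null decode as nil: the "not configured" state.
type Protection struct {
	RequiredPullRequestReviews *struct {
		RequiredApprovingReviewCount int  `json:"required_approving_review_count"`
		RequireCodeOwnerReviews      bool `json:"require_code_owner_reviews"`
		BypassPullRequestAllowances  *struct {
			Users []json.RawMessage `json:"users"`
			Teams []json.RawMessage `json:"teams"`
			Apps  []json.RawMessage `json:"apps"`
		} `json:"bypass_pull_request_allowances"`
	} `json:"required_pull_request_reviews"`
	RequiredStatusChecks *struct {
		Contexts []string `json:"contexts"`
	} `json:"required_status_checks"`
	EnforceAdmins    *struct{ Enabled bool `json:"enabled"` } `json:"enforce_admins"`
	AllowForcePushes *struct{ Enabled bool `json:"enabled"` } `json:"allow_force_pushes"`
}

// Hook carries the parts of a GET /repos/{owner}/{repo}/hooks entry used here.
type Hook struct {
	ID     int64    `json:"id"`
	Active bool     `json:"active"`
	Events []string `json:"events"`
	Config struct {
		URL string `json:"url"`
	} `json:"config"`
}

// ProtectionGaps lists the gaps in one branch's protection. maxBypass is the
// largest review-bypass list the policy tolerates (an assumption for this example).
func ProtectionGaps(p Protection, maxBypass int) []string {
	var gaps []string
	if r := p.RequiredPullRequestReviews; r == nil {
		gaps = append(gaps, "no required pull request reviews")
	} else {
		if r.RequiredApprovingReviewCount < 1 {
			gaps = append(gaps, "required approving review count is 0")
		}
		if !r.RequireCodeOwnerReviews {
			gaps = append(gaps, "CODEOWNERS review not enforced")
		}
		if b := r.BypassPullRequestAllowances; b != nil {
			if n := len(b.Users) + len(b.Teams) + len(b.Apps); n > maxBypass {
				gaps = append(gaps, fmt.Sprintf("review bypass list has %d entries (max %d)", n, maxBypass))
			}
		}
	}
	if p.RequiredStatusChecks == nil || len(p.RequiredStatusChecks.Contexts) == 0 {
		gaps = append(gaps, "no required status checks")
	}
	if p.EnforceAdmins == nil || !p.EnforceAdmins.Enabled {
		gaps = append(gaps, "administrators can bypass protection")
	}
	if p.AllowForcePushes != nil && p.AllowForcePushes.Enabled {
		gaps = append(gaps, "force pushes allowed")
	}
	return gaps
}

// HookFindings flags active webhooks that deliver to a host outside the approved
// set, over plain HTTP, or for every event ("*"). Inactive hooks are skipped.
func HookFindings(hooks []Hook, allowedHosts map[string]bool) []string {
	var out []string
	for _, h := range hooks {
		if !h.Active {
			continue
		}
		u, err := url.Parse(h.Config.URL)
		if err != nil || u.Scheme != "https" || !allowedHosts[u.Hostname()] {
			out = append(out, fmt.Sprintf("hook %d delivers to unapproved or non-HTTPS endpoint %q", h.ID, h.Config.URL))
		}
		for _, e := range h.Events {
			if e == "*" {
				out = append(out, fmt.Sprintf("hook %d subscribes to all events", h.ID))
			}
		}
	}
	return out
}

func main() {
	// Constructed payload: a default branch with no reviews and no status checks configured.
	var p Protection
	_ = json.Unmarshal([]byte(`{"required_status_checks":null,"enforce_admins":{"enabled":false}}`), &p)
	fmt.Println(ProtectionGaps(p, 2))
}
```

A repository whose default branch has no protection at all returns 404 from the protection endpoint rather than an empty object, so the caller must treat that status as "every gap present" instead of an error; the checks above assume a 200 response has already been decoded.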
- Just-in-time approvals for app installs, permission upgrades & runner registration
- Automatic permission minimization & PAT/secret rotation
- Enforce branch protections and CODEOWNERS for sensitive repos
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
Ready to govern GitHub apps, runners and secrets at runtime?
Move from repo posture to provable behavior — identity → permission → action → narrative.