dpndncY

GitHub & GitHub Enterprise

Connect GitHub (cloud or self-hosted Enterprise) to import repositories, monitor them for changes, scan in CI, and open remediation PRs — with results surfaced as native code-scanning alerts and PR checks.

Connect

  • GitHub App (recommended) — fine-grained, per-repo permissions, no personal token to rotate.
  • OAuth — for user-scoped imports.
  • Enterprise Server — point the integration at your GHES API base URL.

What you get

Capability          Detail
Repository import   Bulk-import repos/orgs; pick which to monitor.
CI scanning         SARIF uploads land as GitHub code-scanning alerts on the PR.
PR checks           Policy gate posts a PASS/FAIL status check.
Auto-fix PRs        Remediation PRs target the default branch with reviewers assigned.
GHSA enrichment     Uses your token to enrich advisories from the GitHub Advisory Database.

Token-based CI auth

For scanning in CI (the composite action or the CLI), authenticate with a token from Settings → API tokens set as the DPNDNCY_TOKEN secret, and point DPNDNCY_SERVER at a host the runner can reach — for GitHub-hosted runners that’s your public API host, e.g. https://api.dpndncy.com.
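The workflow below is an added example of the CI setup this section describes; it is not taken from the dpndncY docs or the product's own action. It wires DPNDNCY_TOKEN in from a repository secret, sets DPNDNCY_SERVER to the public API host named above, refuses to run if the secret is absent (so a misconfigured fork or org does not silently scan unauthenticated), and uploads the resulting SARIF so it appears as code-scanning alerts on the PR. The scanner invocation itself (`dpndncy scan ...`) is a placeholder, since the page does not give the action or CLI name and flags; the `github/codeql-action/upload-sarif` step and the `security-events: write` permission it needs are standard GitHub features.

```yaml
# Added example workflow, not from the dpndncY documentation.
# PLACEHOLDER: the "dpndncy scan" command stands in for the product's
# composite action or CLI; substitute the real invocation from your docs.
name: dpndncy-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # needed so the SARIF upload can create code-scanning alerts

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # Token created under Settings → API tokens and stored as a repository secret.
      DPNDNCY_TOKEN: ${{ secrets.DPNDNCY_TOKEN }}
      # GitHub-hosted runners reach the public API host; on self-hosted runners
      # behind a firewall, set this to whatever host the runner can actually reach.
      DPNDNCY_SERVER: https://api.dpndncy.com
    steps:
      - uses: actions/checkout@v4

      - name: Fail fast if the token secret is missing
        run: |
          if [ -z "$DPNDNCY_TOKEN" ]; then
            echo "::error::DPNDNCY_TOKEN secret is not set (Settings -> API tokens)"
            exit 1
          fi

      - name: Scan and write SARIF
        # PLACEHOLDER invocation; flags are assumed, not documented on this page.
        run: dpndncy scan --format sarif --output results.sarif .

      - name: Upload SARIF as GitHub code-scanning alerts
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Keeping the token in `secrets` rather than in the workflow file means it is masked in logs and is not exposed to pull requests from forks, which by default do not receive repository secrets; the explicit emptiness check turns that into a visible failure instead of a scan that quietly runs without credentials.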

Runtime evidence too

Pair this with the GitHub Action for signed runtime traces of every CI job, on top of code + dependency scanning.

See also