GitHub & GitHub Enterprise
Connect GitHub (cloud or self-hosted Enterprise) to import repositories, monitor them for changes, scan in CI, and open remediation PRs — with results surfaced as native code-scanning alerts and PR checks.
Connect
- GitHub App (recommended) — fine-grained, per-repo permissions, no personal token to rotate.
- OAuth — for user-scoped imports.
- Enterprise Server — point the integration at your GHES API base URL.
What you get
| Capability | Detail |
|---|---|
| Repository import | Bulk-import repos/orgs; pick which to monitor. |
| CI scanning | SARIF uploads land as GitHub code-scanning alerts on the PR. |
| PR checks | Policy gate posts a PASS/FAIL status check. |
| Auto-fix PRs | Remediation PRs target the default branch with reviewers assigned. |
| GHSA enrichment | Uses your token to enrich advisories from the GitHub Advisory Database. |
Token-based CI auth
For scanning in CI (the composite action or the CLI), authenticate with a token from Settings → API tokens, stored as the DPNDNCY_TOKEN secret, and point DPNDNCY_SERVER at a host the runner can reach — for GitHub-hosted runners that’s your public API host, e.g. https://api.dpndncy.com.
Runtime evidence too
Pair this with the GitHub Action for signed runtime traces of every CI job, on top of code + dependency scanning.
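The token-based CI auth setup above, wired into a GitHub Actions workflow as an added example (not the project's own published workflow). The `DPNDNCY_TOKEN` secret and `DPNDNCY_SERVER` variable come from the page; the scan command `dpndncy-cli scan --output results.sarif` is a placeholder for whatever the composite action or CLI actually accepts, and the SARIF is handed to GitHub's own `github/codeql-action/upload-sarif` action so it surfaces as code-scanning alerts on the PR:

```yaml
name: dpndncy-scan
on:
  pull_request:

# Least-privilege GITHUB_TOKEN: read the checkout, write only what the SARIF upload needs.
permissions:
  contents: read
  security-events: write   # required for upload-sarif to create code-scanning alerts

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # Token from Settings -> API tokens, stored as a repository or organization secret.
      # Referencing it via env keeps it out of the shell command line and lets GitHub mask it in logs.
      DPNDNCY_TOKEN: ${{ secrets.DPNDNCY_TOKEN }}
      # Host the runner can reach; for GitHub-hosted runners this is the public API host.
      DPNDNCY_SERVER: https://api.dpndncy.com
    steps:
      - uses: actions/checkout@v4

      - name: Run dependency scan
        # PLACEHOLDER: the CLI name and flags are assumptions; use the invocation from the product docs.
        run: dpndncy-cli scan --output results.sarif

      - name: Upload SARIF as code-scanning alerts
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two things to check when adopting this: the `security-events: write` grant is what turns a SARIF file into native code-scanning alerts, so a workflow with the default read-only token will upload nothing; and `pull_request` runs triggered from forks do not receive repository secrets, so `DPNDNCY_TOKEN` will be empty there and the scan step needs to either skip or fail clearly rather than run unauthenticated.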