GitHub / Version Control

Scan your GitHub organization for branch protection rules, code review policies, secret scanning, and Dependabot configuration.

Updated March 2026 · 5 min read

Prerequisites

You need Organization Owner access on your GitHub organization and admin access in ComplyWise. The integration uses a GitHub App installed on your organization, which provides fine-grained, revocable access without personal access tokens.

  • GitHub Organization Owner access
  • ComplyWise admin role for configuration
  • GitHub App installation (guided from ComplyWise)

Installing the GitHub App

Navigate to Settings → Integrations → GitHub in ComplyWise and click 'Connect GitHub'. This redirects to GitHub to install the ComplyWise GitHub App on your organization. Select which repositories to grant access to — you can choose all repositories or specific ones. The App requests read-only permissions for repository metadata, code, and organization settings.

  • OAuth-based installation flow — no manual token creation
  • Read-only permissions: repo metadata, branch protection rules, org members
  • Select all repositories or choose specific ones
  • Access can be modified later in GitHub → Settings → GitHub Apps

What Gets Scanned

The GitHub scanner evaluates your organization and repository security settings against change management and code security compliance controls. It checks branch protection rules on default branches, required code review policies, secret scanning enablement, Dependabot alerts, and organization membership settings.

  • Branch protection: required reviews, status checks, force push restrictions, signed commits
  • Code review: required approvals, dismiss stale reviews, CODEOWNERS enforcement
  • Secret scanning: enabled/disabled, push protection, alert status
  • Dependabot: enabled/disabled, open vulnerability alerts, security updates
  • Organization: 2FA requirement, member privileges, outside collaborators
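As an added example (not ComplyWise's own scanner code), the branch-protection checks listed above applied to the JSON that GitHub's branch protection endpoint returns for a default branch; the check IDs and the MIN_APPROVALS threshold are assumptions, and the sample response is constructed.

```python
MIN_APPROVALS = 1  # assumed policy threshold, not a ComplyWise value; match your change-management policy


def evaluate_branch_protection(protection):
    """Return (check_id, message) findings for one branch; an empty list means it passes.

    `protection` is the JSON from GET /repos/{owner}/{repo}/branches/{branch}/protection.
    GitHub answers 404 "Branch not protected" when no rule exists; pass None for that case.
    """
    findings = []
    if protection is None:
        return [("BP-000", "default branch has no protection rule at all")]

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append(("BP-001", "pull request reviews are not required"))
    else:
        if reviews.get("required_approving_review_count", 0) < MIN_APPROVALS:
            findings.append(("BP-002", f"fewer than {MIN_APPROVALS} approving review(s) required"))
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append(("BP-003", "stale reviews are not dismissed on new commits"))
        if not reviews.get("require_code_owner_reviews", False):
            findings.append(("BP-004", "CODEOWNERS review is not enforced"))

    checks = protection.get("required_status_checks")
    if not checks or not (checks.get("contexts") or checks.get("checks")):
        findings.append(("BP-005", "no required status checks before merge"))

    # These three fields are {"enabled": bool} objects in the API response.
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append(("BP-006", "force pushes to the default branch are allowed"))
    if not protection.get("required_signatures", {}).get("enabled", False):
        findings.append(("BP-007", "signed commits are not required"))
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append(("BP-008", "administrators can bypass the protection rule"))
    return findings


# Constructed sample (not captured from a real organization): reviews required with one
# approval and CODEOWNERS, but stale reviews kept, no status checks, force pushes allowed.
SAMPLE_WEAK = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": False,
                                      "require_code_owner_reviews": True},
    "required_status_checks": {"strict": True, "contexts": [], "checks": []},
    "allow_force_pushes": {"enabled": True},
    "required_signatures": {"enabled": False},
    "enforce_admins": {"enabled": False},
}
```

Calling evaluate_branch_protection(SAMPLE_WEAK) yields five findings (BP-003, BP-005, BP-006, BP-007, BP-008); run it over the default branch of every repository the App can see to reproduce the scan's branch-protection section.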

Compliance Mapping

GitHub findings map to change management and software development lifecycle controls across frameworks. Required code reviews satisfy SOC 2 CC8.1, ISO 27001 A.14, and CMMC CM controls. Branch protection maps to change management policies. Secret scanning maps to credential management controls.

  • Code review policies → SOC 2 CC8.1, ISO A.14.2, NIST CSF PR.IP
  • Branch protection → CMMC CM.L2-3.4.3, PCI DSS 6.5
  • Secret scanning → SOC 2 CC6.1, ISO A.9.2, HIPAA §164.312(a)
  • Dependency management → NIST CSF ID.SC, PCI DSS 6.3

Troubleshooting

If the integration shows as disconnected, verify the GitHub App is still installed on your organization. Check that the App has access to the expected repositories. If scan results are incomplete, ensure branch protection rules are configured on default branches (main/master), not just feature branches.

  • Disconnected — reinstall the GitHub App from Settings → Integrations
  • Missing repositories — update App access in GitHub settings
  • No branch protection findings — verify rules exist on default branches
  • Rate limiting — large organizations may require scan scheduling to avoid GitHub API limits