GitHub Integration

Connect QuantAssure to your GitHub organization to monitor repository security.

What It Collects

  • Repository Inventory — All repositories in your organization as assets
  • Dependabot Alerts — Vulnerability alerts from GitHub's Dependabot
  • Security Settings — Branch protection, secret scanning, and other security configurations

Prerequisites

  • A GitHub account with access to your organization
  • A Personal Access Token (PAT) with the following scopes:
    • repo — Full control of private repositories (for Dependabot alerts)
    • read:org — Read organization membership

Setup Steps

1. Generate a Personal Access Token

  1. Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
  2. Click "Generate new token" → "Generate new token (classic)"
  3. Give it a descriptive name (e.g., "QuantAssure")
  4. Select scopes: repo and read:org
  5. Click "Generate token"
  6. Copy the token immediately — you won't see it again

2. Configure in QuantAssure

  1. Create or edit a System in QuantAssure
  2. In the Data Sources section, enable GitHub
  3. Enter your GitHub organization name
  4. Paste your Personal Access Token
  5. (Optional) Enable the Dependabot Alerts extension to collect vulnerability findings
  6. Save your system configuration

3. Run Your First Scan

Click "Run Scan" to collect data from GitHub. The scan will:

  • Fetch all repositories in your organization
  • Collect Dependabot alerts for each repository (if enabled)
  • Check security settings on each repository
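The three collection steps above, as an added example written for this page (it is not QuantAssure's own collector): it walks an organization's repositories through the GitHub REST API, records open Dependabot alerts as findings, and reads branch protection and secret-scanning state as the security settings. Its preflight step also performs the scope check the Troubleshooting section recommends for "Bad credentials" errors. With GITHUB_TOKEN (and optionally GITHUB_ORG) set it calls the live API; without a token it runs against the constructed sample responses embedded in the script. The organization name example-org, the repository names, the alert and the CVE id are placeholders; the endpoints, headers and field names are GitHub's documented ones.

```python
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"
REQUIRED_SCOPES = {"repo", "read:org"}   # scopes listed under Prerequisites


def urllib_fetch(token, path):
    """GET one API path with a PAT -> (status, headers, parsed JSON body)."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), json.load(resp)
    except urllib.error.HTTPError as err:   # 401/403/404 responses carry a JSON message
        return err.code, dict(err.headers), json.loads(err.read() or b"{}")


def check_token(status, headers, body):
    """Preflight on GET /user: 401 means a wrong or expired PAT; otherwise X-OAuth-Scopes
    (classic tokens) shows which required scopes are missing. None means the token is usable."""
    if status == 401:
        return f"rejected: {body.get('message', 'Bad credentials')}"
    lower = {k.lower(): v for k, v in headers.items()}
    granted = {s.strip() for s in lower.get("x-oauth-scopes", "").split(",") if s.strip()}
    missing = REQUIRED_SCOPES - granted   # literal match; a broader admin:org also covers read:org
    return f"missing scopes: {sorted(missing)}" if missing else None


def repo_asset(repo, fetch):
    """One asset per repository, carrying the security settings the page lists."""
    owner, name, branch = repo["owner"]["login"], repo["name"], repo["default_branch"]
    status, _, prot = fetch(f"/repos/{owner}/{name}/branches/{branch}/protection")
    sa = repo.get("security_and_analysis") or {}   # only present when the token may see it
    return {
        "name": repo["full_name"], "private": repo["private"], "default_branch": branch,
        "branch_protected": status == 200,          # 404 means "Branch not protected"
        "requires_pr_reviews": status == 200 and "required_pull_request_reviews" in prot,
        "secret_scanning": (sa.get("secret_scanning") or {}).get("status") == "enabled",
    }


def dependabot_findings(repo, fetch):
    """Open Dependabot alerts as findings: CVE, severity, package, fixed version."""
    owner, name = repo["owner"]["login"], repo["name"]
    status, _, alerts = fetch(f"/repos/{owner}/{name}/dependabot/alerts?state=open&per_page=100")
    if status != 200:   # 403: alerts disabled on the repo, or the PAT lacks the repo scope
        return []
    return [{
        "repo": repo["full_name"], "alert": a["number"],
        "cve": a["security_advisory"].get("cve_id"),
        "severity": a["security_vulnerability"]["severity"],
        "package": f'{a["dependency"]["package"]["ecosystem"]}:{a["dependency"]["package"]["name"]}',
        "fixed_in": (a["security_vulnerability"].get("first_patched_version") or {}).get("identifier"),
    } for a in alerts]


def scan_org(org, fetch):
    """Walk every page of the organization's repositories and build assets and findings."""
    assets, findings, page = [], [], 1
    while True:
        status, _, repos = fetch(f"/orgs/{org}/repos?type=all&per_page=100&page={page}")
        if status != 200:
            raise RuntimeError(f"listing repos failed: {status} {repos.get('message')}")
        if not repos:
            break
        for repo in repos:
            assets.append(repo_asset(repo, fetch))
            findings.extend(dependabot_findings(repo, fetch))
        page += 1
    return {"assets": assets, "findings": findings}


# Constructed sample responses: org, repos, alert and CVE id are all placeholders.
SAMPLE = {
    "/orgs/example-org/repos?type=all&per_page=100&page=1": (200, {}, [
        {"full_name": "example-org/api", "name": "api", "private": True, "default_branch": "main",
         "owner": {"login": "example-org"}, "security_and_analysis": {"secret_scanning": {"status": "enabled"}}},
        {"full_name": "example-org/docs", "name": "docs", "private": False, "default_branch": "main",
         "owner": {"login": "example-org"}}]),
    "/orgs/example-org/repos?type=all&per_page=100&page=2": (200, {}, []),
    "/repos/example-org/api/branches/main/protection": (200, {}, {"required_pull_request_reviews": {}}),
    "/repos/example-org/docs/branches/main/protection": (404, {}, {"message": "Branch not protected"}),
    "/repos/example-org/api/dependabot/alerts?state=open&per_page=100": (200, {}, [
        {"number": 7, "dependency": {"package": {"ecosystem": "pip", "name": "example-lib"}},
         "security_advisory": {"cve_id": "CVE-0000-00000"},   # placeholder id
         "security_vulnerability": {"severity": "high", "first_patched_version": {"identifier": "2.0.1"}}}]),
    "/repos/example-org/docs/dependabot/alerts?state=open&per_page=100": (403, {}, {"message": "Dependabot alerts are disabled for this repository."}),
}


def sample_fetch(path):
    return SAMPLE[path]


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        fetch = lambda path: urllib_fetch(token, path)
        problem = check_token(*fetch("/user"))
        if problem:
            raise SystemExit(f"token check failed: {problem}")
        result = scan_org(os.environ.get("GITHUB_ORG", "example-org"), fetch)
    else:
        result = scan_org("example-org", sample_fetch)
    print(json.dumps(result, indent=2))
```

The fetch callable is injected so the same scan logic runs offline against the sample data and online against the API; in the sample run, the second repository shows both failure modes a real scan has to tolerate (no branch protection, and a 403 from the Dependabot endpoint), which the scan records as a setting and skips respectively rather than aborting.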

What to Expect

After your first scan:

  • Assets: One asset per repository in your organization
  • Findings: Dependabot vulnerability alerts (if enabled)
  • Findings include CVE details, severity, and affected package information

Troubleshooting

"Bad credentials" error

  • Verify your Personal Access Token is correct
  • Check that the token hasn't expired
  • Ensure the token has repo and read:org scopes

No Dependabot alerts appearing

  • Verify Dependabot is enabled on your repositories
  • Check that the Dependabot Alerts extension is enabled in QuantAssure
  • Some repositories may not have any alerts

Missing repositories

  • Verify your organization name is correct
  • Check that your token has access to the organization
  • Private repositories require the repo scope