
Secure GitHub with Mondoo

Continuously scan GitHub organizations and repositories for misconfigurations and vulnerabilities.

Mondoo continuously scans a GitHub organization or individual repositories for misconfigurations and vulnerabilities. Deploy the integration once and Mondoo keeps assessments up to date as repos change.

To scan Kubernetes manifests, Terraform configurations, or Docker containers inside a GitHub Actions workflow, read Scan in GitHub Actions instead.

Prerequisites

  • Editor or Owner access to the Mondoo space
  • Access to a GitHub organization or repository

Create a GitHub personal access token

A personal access token gives Mondoo permission to read GitHub resources on your behalf.

  1. Log into GitHub. Verify your email if you haven't already.

  2. Select your profile photo in the top-right corner, then Settings.

  3. In the left sidebar, select Developer settings, then Personal access tokens > Tokens (classic).

  4. Select Generate new token > Generate new token (classic).

  5. Under Note, describe the token's purpose (for example, Mondoo security scan access).

  6. Set an Expiration.

  7. Under Select scopes, check:

    • public_repo
    • read:org
    • read:repo_hook
    • admin:org_hook
    • read:project

  8. Select Generate token and copy the value. You need it in the next section.
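Before pasting the token into Mondoo, it is worth confirming it carries exactly the scopes listed above and nothing broader. The script below is an added example, not Mondoo's or GitHub's code. It relies on one documented GitHub API behaviour: responses to requests authenticated with a classic personal access token include an X-OAuth-Scopes header listing the token's scopes. The GITHUB_TOKEN environment variable, the scope-check helper names, and the sample header value are assumptions made for this example.

```python
"""Check a classic GitHub personal access token against the scopes the
Mondoo GitHub integration asks for (added example, not Mondoo's own code).
"""
import os
import urllib.request

# Scopes requested in the token setup steps above.
REQUIRED_SCOPES = frozenset({
    "public_repo",
    "read:org",
    "read:repo_hook",
    "admin:org_hook",
    "read:project",
})

# Broader classic scopes that include a narrower one, per GitHub's scope
# hierarchy (for example, "repo" includes "public_repo").
IMPLIED_BY = {
    "public_repo": {"repo"},
    "read:org": {"admin:org", "write:org"},
    "read:repo_hook": {"admin:repo_hook", "write:repo_hook"},
    "read:project": {"project"},
}


def parse_scopes(header_value: str) -> frozenset:
    """Turn an X-OAuth-Scopes value such as 'repo, read:org' into a set."""
    return frozenset(s.strip() for s in header_value.split(",") if s.strip())


def is_granted(scope: str, granted: frozenset) -> bool:
    """True if the scope is present directly or via a broader parent scope."""
    return scope in granted or bool(IMPLIED_BY.get(scope, set()) & granted)


def check_scopes(granted: frozenset) -> dict:
    """Report required scopes the token lacks and granted scopes it does not need.

    A scope in 'extra' may still satisfy a requirement (for example 'repo'
    covers 'public_repo'), but it grants more than the integration needs.
    """
    missing = sorted(s for s in REQUIRED_SCOPES if not is_granted(s, granted))
    extra = sorted(granted - REQUIRED_SCOPES)
    return {"missing": missing, "extra": extra}


def fetch_token_scopes(token: str, api_base: str = "https://api.github.com") -> frozenset:
    """Call the API with the token and read the X-OAuth-Scopes response header.

    For GitHub Enterprise Server pass api_base="https://<host>/api/v3".
    Fine-grained tokens do not return this header, so an empty result means
    the token is either not a classic token or has no scopes at all.
    """
    req = urllib.request.Request(
        f"{api_base}/user",
        headers={"Authorization": f"Bearer {token}", "User-Agent": "scope-check"},
    )
    with urllib.request.urlopen(req) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name
    if token:
        granted = fetch_token_scopes(token)
    else:
        # Constructed sample: a token created with broader scopes than needed.
        granted = parse_scopes("repo, admin:org, read:project")
    result = check_scopes(granted)
    print("granted:", sorted(granted))
    print("missing:", result["missing"])
    print("broader or unneeded:", result["extra"])
```

Run it with GITHUB_TOKEN set to the new token; an empty "missing" list means the integration will work, and anything under "broader or unneeded" is a scope you can drop when regenerating the token.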

Add a GitHub integration

In the Mondoo App, navigate to the space where you want to add the integration. In the side navigation bar, select Integrations. In the top right, select + INSTALL. On the integrations page, find the integration you want by browsing or searching by name:

  1. Under SaaS, select GitHub.

    (Screenshot: Add a GitHub Integration in Mondoo)

  2. In Choose an integration name, enter a name that identifies the GitHub organization or repository.

  3. For a GitHub Enterprise account, enter the home page URL (for example, https://github.mycompany.com) in Provide GitHub Enterprise URL.

  4. Under Select your integration type, choose organization or repository:

    • Organization. Enter the organization name. To limit which repositories Mondoo scans, disable Scan all repositories and list repositories to include or skip (one per line).
    • Repository. Enter the Owner and Repository names from the repo's URL. For example, if the URL is github.com/Lunalectric/frontend, the owner is Lunalectric and the repo is frontend.

    (Screenshot: GitHub organization name)

  5. Paste your personal access token into Provide your personal access token.

  6. Under Discovery options, check what you want Mondoo to scan inside the repos:

    • Terraform files
    • Kubernetes manifests

    (Screenshot: GitHub discovery options)

  7. Select START SCANNING.

On the Recommended Policies page, enable the policies you want Mondoo to score this integration against. To learn how policies work, read Manage Policies.
