Skip to main content

Integrate a new GitHub Enterprise source

GitGuardian integrates natively with GitHub Enterprise via a GitHub App that you can install on your personal GitHub Enterprise repositories and the repositories of your GitHub Enterprise organizations.


By default, the GitGuardian GitHub app has only read access to your code.

Optionally, it is possible to grant GitGuardian write access to benefit from specific business features (more detail in this dedicated section).
You will need Owner or Manager rights in GitGuardian to set up an integration or customize your settings.

The pre-existing GitGuardian GitHub App cannot be leveraged to integrate with self hosted GitHub Enterprise. Instead, you will need to create a separate GitHub App on your own GitHub Enterprise instance. This process is extremely straightforward since GitGuardian will automatically indicate the required configurations to your GitHub Enterprise.
You can refer to the GitHub documentation for more information on GitHub apps.

GitGuardian supports all GitHub Enterprise versions supported by GitHub itself.

Setup your GitHub Enterprise integration

  1. Navigate to Settings > Workspace > Integrations.
  2. Click on Install for GitHub Enterprise.
  3. Enter the URL of your GitHub Enterprise instance, and select the permission level to grant to GitGuardian.
    App permissions

    Read-only is sufficient to scan for incidents, while read and write permissions are necessary if you want to leverage business features such as Honeytoken deployment jobs.
    The permission level can be changed later. See the dedicated section for more information.

    GitGuardian GHE app creation form
  4. Click on Create the GitHub app to be redirected to GitHub Enterprise and create your dedicated app
  5. Validate the GitHub App creation. We recommend that you choose a simple name for your GitHub app such as GitGuardian, which will make it easily recognizable.
    GHE app creation via manifest
  6. The GitHub App is now created and you can install it for users and organizations.
  7. Follow the exact same steps as for the SaaS integration.

The GitHub App belongs to the user who created it. We recommend that you transfer the ownership to an organization in case the user is later deactivated.

Transfer GitHub app

IMPORTANT: GitGuardian cannot monitor repositories whose owner has not installed the GitHub App. If the repo is owned by a GitHub organization, the owner of the organization must install the GitHub App.

Configuration page

When you integrate your GitHub Enterprise instance, you have access to a configuration page.

From this page, you have the possibility to:

  • integrate another GitHub Enterprise instance with GitGuardian.
  • manage your existing instances and their dedicated GitHub app. GitGuardian tells you which ones are considered inactive.

GHE configuration page

Grant GitGuardian code write permissions


Some business features require write permission to your repositories in order to open pull requests.
Currently, this concerns the Honeytoken Deployment jobs feature.

If write permission was not provided at the time of app creation, you can grant this permission later by updating the existing app:

  1. In the configuration page, click "Configure write permission" for your GitHub Enterprise instance.

GHE configuration page

  1. You will be redirected to GitHub Enterprise, in the tab "Permissions & events" of the app. Under the "Repository permissions" section, change permissions on Contents to "Read and write":

Update app permissions

  1. This change then needs to be propagated to the organizations where this app is installed, by accepting the permission update request:

App permission update request

Confirm app permission update

Automatic historical scan

By default, GitGuardian performs a historical scan for each new GitHub Enterprise repository added to your perimeter.

You can deactivate this behavior in your GitHub Enterprise settings if you are a Manager of the workspace.

Autoscan settings

How can I help you ?