Github

Written by Brady Price

GitHub is a web-based platform for version control and collaborative software development, facilitating code sharing, project management, and continuous integration.

If you are using our GitHub integration you will encounter many tests in the platform, so it's essential that your configurations are set properly both in GitHub and Secureframe.

Github Configuration

How do I update my API permission authorization for Secureframe to use the new Github functionality?

  1. Using your Github Organization account, navigate to Settings, then to Installed Github Apps in the left side navbar.

  2. You should see Secureframe listed under Installed Github Apps along with a request to update permissions.

  3. Click Configure and follow the steps provided to update your Secureframe Github application permissions.

Permissions, Fields Pulled, Controls and Automated Tests

  1. Navigate to the “Integrations” page.

  2. Select the “Available” tab.

  3. Search for the integration.

  4. Click “View Details”.

Rulesets

Secureframe pulls PR required approval counts from rulesets. If a repository has both rulesets and regular branch protection rules set, Secureframe follows GitHub’s policy of using the stricter of the two rules.

Important Note: Ruleset data is accessible by Secureframe if the repository is public or if the organization that the repository belongs to is on a non-free GitHub tier.

GitHub also implements an inheritance policy for permissions. For example, if a repository is forked from a private user’s account, it will inherit those permissions and the repository rulesets will be inaccessible. If a ruleset access error occurs during a Secureframe sync, a warning message is generated, but all other data will still be synced. The remediation options for this are to either transfer ownership of the repository or change the parent repository’s visibility to public.
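The two paragraphs above describe a stricter-rule-wins merge of classic branch protection and rulesets, plus a warn-but-continue path when rulesets cannot be read. The following is an added example, not Secureframe's or GitHub's code, that models that logic. The input shapes mirror the GitHub REST API responses for branch protection (`required_pull_request_reviews.required_approving_review_count`) and for the rules that apply to a branch (rule objects of type `pull_request` with a `parameters.required_approving_review_count` field); the payloads themselves are constructed, and the function names are this example's own.

```python
"""Added example (not Secureframe's or GitHub's code): derive the effective
required-approval count for a branch from the two places GitHub stores it,
and treat unreadable rulesets as a warning rather than a sync failure.
Sample payloads below are constructed, not captured from a real repository.
"""
from typing import Optional

# Constructed: classic branch protection requiring one approving review.
BRANCH_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
}

# Constructed: rules applying to the branch; the pull_request rule comes
# from a repository ruleset requiring two approving reviews.
BRANCH_RULES = [
    {"type": "deletion"},
    {"type": "pull_request",
     "parameters": {"required_approving_review_count": 2,
                    "dismiss_stale_reviews_on_push": True}},
]

# Constructed: what a sync sees when rulesets are inaccessible (free tier,
# or a repository forked from a private account).
RULESETS_FORBIDDEN = None


def approvals_from_protection(protection: Optional[dict]) -> int:
    """Required approvals from classic branch protection (0 if none)."""
    if not protection:
        return 0
    reviews = protection.get("required_pull_request_reviews") or {}
    return int(reviews.get("required_approving_review_count", 0))


def approvals_from_rules(rules: Optional[list]) -> Optional[int]:
    """Required approvals from ruleset-derived rules. Returns None when the
    rules could not be read, so callers can tell 'unreadable' from 'zero'."""
    if rules is None:
        return None
    counts = [
        int(r.get("parameters", {}).get("required_approving_review_count", 0))
        for r in rules if r.get("type") == "pull_request"
    ]
    return max(counts, default=0)


def effective_required_approvals(protection, rules):
    """Return (count, warnings). Stricter rule wins: the larger count applies
    when both sources are readable; otherwise branch protection alone is used
    and a warning is recorded instead of aborting."""
    warnings = []
    from_protection = approvals_from_protection(protection)
    from_rules = approvals_from_rules(rules)
    if from_rules is None:
        warnings.append("rulesets inaccessible; using branch protection only")
        return from_protection, warnings
    return max(from_protection, from_rules), warnings


if __name__ == "__main__":
    print(effective_required_approvals(BRANCH_PROTECTION, BRANCH_RULES))
    print(effective_required_approvals(BRANCH_PROTECTION, RULESETS_FORBIDDEN))
```

Returning `None` from `approvals_from_rules` rather than `0` is the important design choice: a repository whose rulesets are unreadable must not be reported as having no ruleset requirement, which is why the warning is surfaced separately from the count.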

Connecting Integration

To integrate Github with Secureframe, navigate to Integrations and search for “Github” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form.

Instructions on enabling the Github integration.

Enable GitHub Checks via CircleCI

  1. In the CircleCI app sidebar, select Organization Settings.

  2. Select VCS.

  3. Click the Manage GitHub Checks button.

  4. Select the repositories that should use checks and click the Install button.

After installation, the Checks tab on the GitHub PR view will populate with workflow status information. From here you can rerun workflows or navigate to the CircleCI app to view further information.

Verify that Github Checks is successfully enabled

After GitHub Checks is enabled, CircleCI workflow status is reported under the Checks tab on GitHub.

Checks should show a Re-run button in front of the workflow step. That indicates that CircleCI is configured successfully. More details can be found here.

Adjust repository scope after integration

To modify a pre-existing connection, go to the GitHub application:

  1. Navigate to Organization Settings.

  2. Click GitHub Apps.

  3. Select Configure next to Secureframe.

  4. Then select which repositories that should be in scope.

Understanding GitHub Label Configuration

Secureframe uses GitHub labels to evaluate security and compliance-related pull request (PR) workflows—such as requiring an emergency or approved label before merging. These labels help ensure that high-risk or out-of-process changes are reviewed appropriately and tracked during audits. To support this, labels must be correctly configured within Secureframe so the system knows which ones to look for when running tests.

Note: When setting up labels like emergency, it’s important to understand that Secureframe pulls label settings from two distinct locations, each serving a different purpose:

1. GitHub Integration-Level Settings

Located at: Settings → Integrations → GitHub

  • These act as default label templates for any new repositories added to Secureframe after the integration is configured.

  • They do not apply retroactively to repositories that already exist in your Asset Inventory.

  • Use this section to ensure consistency moving forward.

2. Per-Repository Configuration (Required for Existing Repositories)

Located at: Asset Inventory → Repositories → [select a repository] → Configuration tab

  • For existing repositories, you must manually configure labels such as emergency, DevManager, or others that are required by Secureframe’s tests.

  • These per-repo settings are what Secureframe uses when evaluating pull request (PR) tests.

  • If this step is skipped, tests like “PRs must have an emergency label” will continue to fail, even if the label is defined in the integration settings.

💡 Tip: If your GitHub tests are failing due to missing labels, check the Configuration tab of the affected repository to verify the correct label is set.

Using Emergency Labels

Can I apply more than one emergency label to a repo or issue?

  • Currently, Secureframe only supports one emergency label per repository for version control integrations. This means you’ll need to configure a single emergency label at the repository level.

What is the purpose of an emergency label?

  • Emergency labels are used to flag critical or time-sensitive issues that require immediate attention, typically due to a security risk, compliance concern, or urgent engineering need.

How should emergency labels be used?

  • Apply an emergency label when an issue or change needs to bypass normal review or deployment timelines. Be sure to communicate with your Secureframe point of contact to align on next steps.

My emergency label is configured in the GitHub settings, but why are my tests still failing?

This is a common point of confusion. Secureframe has two separate places where GitHub label configurations can be set, and they serve different purposes:

1. GitHub Integration Settings

  • Found under Settings → Integrations → GitHub

  • These define default labels for any new repositories pulled into Secureframe after setup.

  • They do NOT apply retroactively to existing repositories.

2. Per-Repository Settings (Required for Existing Repos)

  • Navigate to Asset Inventory → Repositories → [select a repo] → Configuration tab

  • This is where you must manually define the emergency label (e.g., “DevManager”) for each existing repository.

  • The system uses these settings to evaluate GitHub tests on current PRs.

If your label is only added at the integration level, your existing repos will continue to fail the test until it’s added in each repo’s configuration.

Test Exports

We’ve updated Version Control Branch Approval Configurations (GitHub) test exports to provide a cleaner, audit-ready experience.

  • What changed:
    Exports now automatically exclude out-of-scope repositories, ensuring that only in-scope repositories appear in your report.

  • Why it matters:
    This update removes noise from your export and makes it easier to provide auditors with a streamlined, accurate view of your branch approval configurations.

  • Where it applies:
    This update currently applies to the GitHub Version Control Branch Approval Configurations test.

  • What you’ll see:
    When exporting the test results, your file will include only repositories in scope, saving time and reducing manual cleanup before audits.

Frequently Asked Questions (FAQ)

How do I enable the new functionality in Secureframe?

  1. Be sure you have accepted the updated Github permissions described in the procedure above.

  2. In the Secureframe application, navigate to the Company Monitoring dashboard, then to the Asset Inventory in the left navbar.

  3. Select the Version Control tab.

  4. For EACH in-scope repository, click the repository row and follow the instructions provided to update your repository settings. Note that if any fields are left empty, the associated test will fail with a message about configurations. (Note: users can now opt out of syncing public repositories if they choose.)

  5. You can also set the starting date from which we will run version control testing by navigating to Integrations > GitHub > Settings. This date defaults to the date that you connected GitHub in Secureframe. It can be useful to move this date ahead if you do not have the proper compliance configurations in place at the time you are connecting GitHub. More information can be found here about how to configure the date. This date is tied to the pull request merge date.

What versions of GitHub are supported with the integration?

  • GitHub Pro

  • GitHub Teams

  • GitHub Enterprise Cloud. GitHub Enterprise Server is currently not supported.

What if I am connected to multiple version control tools in addition to GitHub?

  • The functionality described here is only available for GitHub. You may accept the updated GitHub App permissions and configure your repository settings. However, your version control related tests will not be automated. When Secureframe releases the updates for the other version control tools, you will be able to take advantage of automated testing. Stay tuned for those updates!

Why aren’t checks that are in GitHub on commits or pull requests showing up in Secureframe?

  • Secureframe only pulls testing checks from the Checks API. Some applications that integrate with GitHub need to be configured to use the Checks API to report workflow status to GitHub. This requires an additional permission of checks:write for the app running the checks.

Do you pull in all GitHub pull requests?

  • Secureframe only pulls in merged pull requests; it does not pull in pull requests that were closed without being merged.

  • For CircleCI, instructions to enable GitHub Checks are in the “Enable GitHub Checks via CircleCI” section above.

Why am I seeing an "Invalid installation" error while connecting Secureframe to GitHub?

  • This may be because you are logged in to a personal account on GitHub. This integration requires a GitHub Organization account for installation.

Why is Dependabot failing?

Do I need to sync public repositories?

  • No, you can now opt out of syncing public repos because these are often not in scope.

Why is my "Code Dependency Testing (GitHub)" test failing when I have Dependabot enabled?

  • Because pull requests are evaluated at a point in time, Dependabot must be enabled before pull requests are merged; otherwise this test will not pass.

  • Please also note that Secureframe does not support any dependency testing tool in GitHub other than Dependabot.

Why is my "Code integration testing (GitHub)" test failing, when we already have required status checks set up for PRs?

  • The most common issue is that the repository configuration in Secureframe is missing the code integration settings, which is the reason for the test failure.

Why is my "Code static application security testing (GitHub)" test failing?

  • One common issue is that Secureframe does not test historic pull requests (PRs).

  • A proper configuration should be in place before the PR gets merged; otherwise the test will fail.

How do I connect a new GitHub repository?

  • First, confirm that the Secureframe app in GitHub has access to all repositories.

  • Then make sure to re-sync the GitHub integration in Secureframe.

I am getting an "unable to access rulesets for repository glider" error. What does it mean?

  • The most common reason for this error is your GitHub plan tier.

  • Ruleset data is accessible by Secureframe if the repository is public or if the organization that the repository belongs to is on a non-free GitHub tier.

Why is my static code analysis test failing, when I can see all the checks passing in my GitHub account?

  • One possible explanation is that the name of the repository has changed and was not updated on the Secureframe side.

  • Check the configuration and ensure the name matches in Secureframe and GitHub.

Is it possible to search for a specific pull request on the Code pull request approvals (GitHub) test page?

  • Yes, if you click on the Evidence tab of the test in question, you will see a list of all pull requests we are pulling in via the integration.

  • However, if this list is too large to review manually, you can also export the list as a CSV.

Why aren't all repositories being pulled in, even though the Secureframe application is configured to have access to all the repositories?

  • We have recently updated our GitHub syncs to run in batches.

  • This may require several syncs to fetch all the data, depending on how many repositories are in place.

If you still find that some older data is missing, try reconnecting your GitHub connection.

In the GitHub integration, do the labels specified in the integration settings override the labels defined in individual repository configurations?

  • No, the labels in the integration settings do not override the labels specified in the repository configuration. Integration settings apply only when a repository has not been explicitly configured. If a repository has its own configuration, only those repository-specific settings are used when evaluating tests. The purpose of the integration settings is to streamline setup for new repositories by applying default labels without needing to configure each one manually.
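The label-precedence rule stated here (repository configuration wins outright; integration settings only fill in for unconfigured repositories) is the same one described under “Understanding GitHub Label Configuration” above, and the FAQ also states that only merged pull requests are pulled in and that testing starts from a configurable date tied to the merge date. The following is an added example, not Secureframe's code, that models those rules together on constructed data. The pass rule itself (enough approvals, or the repository's configured emergency label when approvals are short) and every field name are this example's assumptions, not something the page specifies.

```python
"""Added example (not Secureframe's code): how label settings resolve across
the integration level and the repository level, and how merged pull requests
could be evaluated against them. The pass rule and field names are assumed;
settings and pull requests below are constructed.
"""
from datetime import date, datetime

# Constructed: integration-level defaults (Settings → Integrations → GitHub).
INTEGRATION_DEFAULTS = {"emergency_label": "emergency", "required_approvals": 1}

# Constructed: per-repository configuration; only "payments" was configured
# explicitly, so "website" will fall back to the integration defaults.
REPO_CONFIGS = {
    "payments": {"emergency_label": "DevManager", "required_approvals": 2},
}

# Constructed: version-control testing start date (compared to merge date).
TEST_START_DATE = date(2024, 1, 1)

# Constructed pull requests with a few API-like fields.
PULL_REQUESTS = [
    {"repo": "payments", "number": 41, "merged_at": "2024-02-03T10:00:00Z",
     "approvals": 2, "labels": []},
    {"repo": "payments", "number": 42, "merged_at": "2024-02-04T10:00:00Z",
     "approvals": 0, "labels": ["emergency"]},   # default label, wrong repo
    {"repo": "payments", "number": 43, "merged_at": "2024-02-05T10:00:00Z",
     "approvals": 0, "labels": ["DevManager"]},  # repo's own emergency label
    {"repo": "payments", "number": 40, "merged_at": "2023-12-20T10:00:00Z",
     "approvals": 0, "labels": []},              # before start date
    {"repo": "payments", "number": 44, "merged_at": None,
     "approvals": 0, "labels": []},              # closed without merging
    {"repo": "website", "number": 7, "merged_at": "2024-03-01T10:00:00Z",
     "approvals": 0, "labels": ["emergency"]},   # unconfigured repo
]


def resolve_config(repo: str) -> dict:
    """Per-repository settings are used as-is when present; integration
    defaults apply only to a repository with no configuration of its own."""
    if repo in REPO_CONFIGS:
        return REPO_CONFIGS[repo]
    return INTEGRATION_DEFAULTS


def in_scope(pr: dict) -> bool:
    """Only merged PRs are pulled in, and only those merged on or after the
    configured start date are tested."""
    if not pr.get("merged_at"):
        return False
    merged = datetime.strptime(pr["merged_at"], "%Y-%m-%dT%H:%M:%SZ").date()
    return merged >= TEST_START_DATE


def evaluate_pr(pr: dict) -> str:
    """Return 'pass', 'fail' or 'skipped' for one PR under the assumed rule:
    enough approvals, or the repo's configured emergency label."""
    if not in_scope(pr):
        return "skipped"
    cfg = resolve_config(pr["repo"])
    if pr["approvals"] >= cfg["required_approvals"]:
        return "pass"
    if cfg["emergency_label"] in pr["labels"]:
        return "pass"
    return "fail"


def evaluate_all(prs):
    """Map (repo, number) to the evaluation result for each PR."""
    return {(p["repo"], p["number"]): evaluate_pr(p) for p in prs}


if __name__ == "__main__":
    for key, result in evaluate_all(PULL_REQUESTS).items():
        print(key, result)
```

PR 42 is the case the FAQ warns about: the label exists at the integration level, but because `payments` has its own configuration with a different emergency label, the default is never consulted and the PR fails.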

What should I do if I'm having trouble connecting GitHub to Secureframe?

  • When redirected to GitHub during setup, you should be able to click “Save” on the configuration page for the Secureframe app. This should redirect you back and complete the connection setup.

  • If you run into issues at this step, try the following:

  1. Go to your GitHub organization’s settings.

  2. Locate and delete the Secureframe app from the list of installed applications.

  3. Restart the connection process from Secureframe.

Why am I seeing duplicate repositories in the Asset Inventory?

  • Duplicate repositories usually appear when more than one integration of the same type is connected (for example, if two GitHub integrations are active). To resolve this, archive one of the integrations. When archiving, you’ll have the option to delete duplicate entries, which will remove the duplicates from your Asset Inventory.

Why doesn't Secureframe show my renamed GitHub organization or repositories?

  • If you've renamed your GitHub organization or repositories and the old names still appear in Secureframe after syncing, you'll need to reconnect your GitHub integration. Simply re-syncing will not update repository paths after a rename.

  • To resolve this, archive your existing GitHub connection in Secureframe's integrations page, then add a fresh connection to GitHub. Once the new connection syncs, your repositories will display with the updated organization and repository names.

Why isn't a GitHub repository appearing in the asset inventory even though the integration is set to "All repositories"?

  • This can happen if the missing repository is public and the "Sync public repositories" setting is disabled in the GitHub integration. Even with "All repositories" selected, public repos are excluded unless that flag is turned on. To fix this, enable "Sync public repositories" in the GitHub integration settings, then click the Sync button on the integration. The repository and its associated vulnerabilities should appear in the asset inventory shortly after.
