
GitHub (Access Token) Integration Setup

This guide walks you through connecting GitHub to RAD Security, enabling repository discovery, dependency graph analysis, code scanning, and organization visibility.

Prerequisites

Before you begin, ensure you have:
Admin or Owner access to your GitHub organization (for organization-wide access)
Access to RAD Security workspace with integration permissions
Understanding of which repositories need to be scanned (public, private, or both)

Token Requirements

GitHub (Access Token) integration requires a Personal Access Token with specific scopes depending on your use case.

Required Scopes

Scope         | Purpose
repo          | Full control of private repositories. Required for private repo access, Dependency Graph API (SBOM), and Code Search API.
read:org      | Read organization membership. Required for listing organizations and members.
read:packages | Read packages from GitHub Package Registry. Required for package registry scanning.

For public repositories only, no token is required. However, using a token enables higher API rate limits and is recommended for production use.

Option 1: Personal Access Token (Classic)

The classic token format provides straightforward scope-based permissions.
Step 1: Navigate to Token Settings

  1. Go to GitHub Settings > Developer settings > Personal access tokens > Tokens (classic)
  2. Click Generate new token > Generate new token (classic)

Step 2: Configure Token

  1. Enter a descriptive Note (e.g., “RAD Security Integration”)
  2. Set an appropriate Expiration (consider your security policies)
  3. Select the following scopes:
    • repo — Full control of private repositories
    • read:org — Read org and team membership
    • read:packages — Read packages

Step 3: Generate and Save Token

  1. Click Generate token
  2. Copy the token immediately — it will not be shown again

Store your token securely. If you lose it, you’ll need to generate a new one.

Option 2: Fine-grained Personal Access Token

Fine-grained tokens provide more granular control over repository and permission access.
Step 1: Navigate to Token Settings

Step 2: Configure Token Basics

  1. Enter a Token name (e.g., “RAD Security Integration”)
  2. Set an appropriate Expiration
  3. Optionally add a Description

Step 3: Select Resource Owner

Choose the organization or personal account the token should access.

For organization access, the organization must allow fine-grained tokens. Check your organization’s settings under Settings > Third-party Access > Personal access tokens.

Step 4: Configure Repository Access

Choose one of:
  • All repositories — Access all current and future repositories
  • Only select repositories — Choose specific repositories to scan

Step 5: Set Repository Permissions

Under Repository permissions, configure:

Permission       | Access Level
Contents         | Read
Metadata         | Read
Dependency graph | Read

Step 6: Set Organization Permissions

Under Organization permissions, configure:

Permission | Access Level
Members    | Read

Step 7: Set Account Permissions (Optional)

Under Account permissions, optionally configure:

Permission      | Access Level
Email addresses | Read

Step 8: Generate and Save Token

  1. Click Generate token
  2. Copy the token immediately — it will not be shown again

Store your token securely. If you lose it, you’ll need to generate a new one.

Configure in RAD Security

Once you have your token, configure the integration in RAD Security:
Step 1: Navigate to Integrations

Go to your RAD Security workspace and navigate to Integrations.

Step 2: Add GitHub Integration

Click Add Integration and select GitHub from the available options.

Step 3: Enter Configuration

Fill in the required fields:

Parameter        | Description                               | Example
Integration Name | A descriptive name for this integration   | GitHub Production
Access Token     | Your GitHub Personal Access Token         | ghp_xxxxxxxxxxxx

Step 4: Save and Test

Click Save to create the integration. RAD Security will validate the connection.

Your token is encrypted and stored securely by RAD Security.

Verify Integration

After completing the setup, verify your integration is working:
  1. Navigate to Integrations in your RAD Security workspace
  2. Locate your GitHub integration
  3. Check the connection status shows as Active
  4. Verify repositories are being discovered
Your GitHub integration is now configured! RAD Security will begin scanning your repositories and collecting dependency data.

What Data is Synced

  • Repository names and metadata
  • Visibility settings (public/private)
  • Default branch information
  • Repository topics and descriptions
  • Software Bill of Materials (SBOM) via Dependency Graph API
  • Direct and transitive dependencies
  • Dependency versions and sources
  • Manifest file contents (package.json, requirements.txt, etc.)
  • Organization membership
  • Team structures (if accessible)
  • Member roles and permissions
  • Published packages
  • Package versions
  • Package metadata

Use Cases

Dependency Vulnerability Detection

Identify vulnerable dependencies across all repositories using SBOM data and known vulnerability databases.

Software Supply Chain Visibility

Map your complete software supply chain by tracking all direct and transitive dependencies.

Code Security Analysis

Search code across repositories for security anti-patterns, secrets, or vulnerable code constructs.

Organization Security Posture

Monitor organization membership and repository access to identify potential security risks.

Troubleshooting

  • Verify your access token is correct and hasn’t expired
  • Ensure the token has the required scopes (repo, read:org, read:packages)
  • Check that the token hasn’t been revoked in GitHub settings
  • Confirm the token has access to the repositories you expect
  • For fine-grained tokens, verify repository access is configured correctly
  • Check if the repositories are in an organization that requires SSO authentication
  • Verify the read:org scope is granted
  • For fine-grained tokens, ensure Members: Read organization permission is set
  • Check if the organization requires SAML SSO authorization for the token
  • Ensure the repo scope is granted (required for Dependency Graph API)
  • Verify the repository has the dependency graph enabled in GitHub settings
  • Check that the repository contains supported manifest files
  • GitHub API has rate limits; ensure you’re using an authenticated token
  • Consider creating a dedicated service account for the integration
  • Check GitHub’s rate limit status in your token settings
If your organization uses SAML SSO:
  1. Go to your token in GitHub Settings
  2. Click Configure SSO next to your organization
  3. Click Authorize to grant the token access
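The scope and rate-limit checks in the Required Scopes table and the troubleshooting list above can be run as a pre-flight before the token is entered in RAD Security. The following is an added example, not RAD Security's own code; it assumes the X-OAuth-Scopes header that GitHub returns for classic tokens, GitHub's documented X-RateLimit-* headers, and the GitHub-Authentication-Token-Expiration header that is present only on tokens with an expiration date. Use it as check_token(fetch_headers(token)).

```python
"""Pre-flight check of a GitHub personal access token before it is saved in
RAD Security: reads the headers GitHub returns on GET /user to confirm the
scopes this guide requires, whether the request counted as authenticated,
and the token's expiry. Added example; not RAD Security's own code."""
import urllib.request

API_USER = "https://api.github.com/user"
REQUIRED_SCOPES = {"repo", "read:org", "read:packages"}
# GitHub's scope hierarchy: a broader scope satisfies the narrower one, but
# X-OAuth-Scopes lists only the scope that was actually selected.
IMPLIES = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "write:packages": {"read:packages"},
}


def fetch_headers(token: str) -> dict:
    """Call GET /user with the token and return the response headers (network)."""
    req = urllib.request.Request(API_USER, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "pat-preflight-example",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


def check_token(headers: dict) -> dict:
    """Evaluate the response headers; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get("x-oauth-scopes")
    if raw is None:
        # Fine-grained tokens (and app tokens) do not advertise scopes in this
        # header; their repository/organization permissions have to be checked
        # by exercising the APIs instead.
        missing = None
    else:
        granted = {s.strip() for s in raw.split(",") if s.strip()}
        for scope in list(granted):
            granted |= IMPLIES.get(scope, set())
        missing = sorted(REQUIRED_SCOPES - granted)
    # Authenticated requests get 5,000 requests/hour; unauthenticated ones 60.
    limit = int(h.get("x-ratelimit-limit", "0"))
    return {
        "scopes_advertised": raw is not None,
        "missing_scopes": missing,
        "authenticated": limit >= 5000,
        "rate_limit_remaining": int(h.get("x-ratelimit-remaining", "0")),
        "expires": h.get("github-authentication-token-expiration"),
        "ok": limit >= 5000 and not missing,
    }
```

When scopes_advertised is False the token is fine-grained, so confirm the Contents, Metadata, Dependency graph and Members permissions from the steps above rather than relying on this check alone.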

Security Best Practices

Use Dedicated Service Account

Create a dedicated GitHub account for the integration rather than using a personal account.

Minimize Token Scope

Use fine-grained tokens to limit access to only the repositories and permissions needed.

Rotate Tokens Regularly

Set token expiration dates and rotate tokens according to your security policies.

Monitor Token Usage

Review token activity in GitHub’s security log to detect unauthorized access.

Token Rotation

To rotate your GitHub access token:
Step 1: Generate New Token

Create a new token following the steps above with the same scopes.

Step 2: Update RAD Security

Edit your GitHub integration in RAD Security and update the Access Token field.

Step 3: Verify Connection

Confirm the integration status remains Active after the update.

Step 4: Revoke Old Token

Delete the old token from GitHub Settings to complete the rotation.

Next Steps