🚀 SecureCheap is live — Start free →
Integrations
GitHub

GitHub

SecureCheap connects to GitHub to:

  • Scan dependencies for known CVEs (npm, pip, Cargo, Composer, Go modules)
  • Detect accidentally committed secrets (API keys, tokens, passwords)
  • Monitor GitHub Actions workflow failures

Required permissions

We request a read-only GitHub OAuth App connection — no write access ever.

Permissions:

  • repo (read) — read repository content and dependency manifests
  • security_events (read) — read Dependabot alerts
  • workflows (read) — read Actions run status

Setup

Connect GitHub

  1. Go to Integrations → + Add → GitHub
  2. Click Connect with GitHub
  3. You'll be redirected to GitHub's OAuth authorization page
  4. Review the permissions and click Authorize SecureCheap
  5. Choose which organizations and repositories to grant access to

Select repositories to monitor

After connecting, select which repositories to scan:

  • All repositories in your org, or
  • Specific repositories only

Configure scan settings

SettingDefaultDescription
Dependency scanning✅ OnCVE matching for package manifests
Secret scanning✅ OnDetect exposed credentials in code
Actions monitoring✅ OnAlert on workflow failures
Scan frequencyDailyHow often to re-scan

Secret scanning

We scan for these credential types:

TypeExample pattern
AWS Access KeysAKIA[0-9A-Z]{16}
GitHub Personal Access Tokensghp_[A-Za-z0-9]{36}
Stripe API Keyssk_live_[A-Za-z0-9]{24}
Twilio Auth Tokens32-char hex string
Generic API keysapi[_-]key\s*[:=]\s*['"][^'"]{16,}['"]
Passwords in codepassword\s*[:=]\s*['"][^'"]{6,}['"]
Private keysPEM-encoded RSA/EC keys
⚠️

If a secret is detected, we alert immediately and recommend rotating the credential. Detection does not mean the secret has been exploited — but treat it as compromised.

Dependency CVE scanning

We read your package manifests (package.json, requirements.txt, composer.json, go.mod, etc.) and cross-reference all pinned versions against the NVD and GitHub Advisory Database.

Findings include:

  • Package name and vulnerable version range
  • CVE ID and CVSS score
  • Whether a fixed version is available
  • Upgrade command for your package manager