Integrate with GitHub Enterprise Cloud

  • Release version: Australia
  • Updated March 12, 2026
  • 9 minutes to read

    • Integrating your Software Asset Management application with the GitHub Enterprise Cloud application help you track your software subscriptions and reclaim unused licenses.

    Important:
    Minimize security risks and protect information by granting access only to the necessary user or API permissions.
    Table 1. Minimal user permissions
    Process Required user role in the GitHub Enterprise Cloud application Authentication scopes
    Download subscriptions Organization owner read:org
    Pull user activity Organization owner
    • read:org
    • repo
    • read:audit_log
    Reclaim subscription Organization owner write:org

    The GitHub Enterprise Cloud integration is currently limited to users with Enterprise plans only.

    Generate an API access token for GitHub Enterprise Cloud

    Generate a token that you can use to access the GitHub Enterprise Cloud API.

    Before you begin

    GitHub Role required: organization owner

    The user account that you use for authentication should be able to read all repositories in the organization they’re a part of.

    About this task

    The GitHub repository hosting service uses personal access tokens to grant users access to the GitHub API. Personal access tokens function similarly to OAuth access tokens by authorizing API requests. By generating a personal access token to authorize your GitHub Enterprise Cloud API requests, you can gain access to the GitHub Enterprise Cloud API.

    Procedure

    1. From a web browser, open GitHub.
    2. Sign in to your GitHub account.
    3. On the GitHub page header, select your profile photo and then select Settings.
      Your profile settings open.
    4. From the side navigation pane, select Developer Settings.
      Your developer settings open.
    5. From the side navigation pane, select Personal access tokens.
    6. Select Tokens (classic).
    7. On the Personal access tokens page, select Generate new token.
    8. Select Generate new token (classic).
    9. If you’re prompted to confirm your password before proceeding, enter your GitHub password and then select Confirm password.
    10. On the New personal access token form, describe the purpose of the token in the Note field.
    11. To give your token an expiration, select the Expiration drop-down menu and select a default value or use the calendar picker.
    12. In the Select scopes form section, enable the repo, write:org, read:org, and read:audit_log OAuth scopes.
      OAuth scopes limit the level of access that the application has to your protected resources. The repo OAuth scope gives you full control of your private repositories. The write:org and read:org OAuth scopes enable you to manage your entire organization, including all teams, projects, and memberships. The read:audit_log OAuth scope gives you access to the audit log data to track accurate user activity. See Scopes for OAuth Apps for more information about GitHub OAuth scopes.
      1. Enable the repo OAuth scope by selecting the repo check box.
        By enabling this OAuth scope, you automatically enable the repo:status, repo_deployment, public_repo, repo:invite, and security_events OAuth scopes.
      2. Enable the write:org and read:org OAuth scope.
      3. Enable the read:audit_log OAuth scope.
    13. Select Generate token.
      Your personal access token generates.
    14. Copy the access token and save it in a secure location for later use.
    15. To use your token to access resources owned by an organization that uses SAML single sign-on, authorize the token.
      For more information, see Authorizing a personal access token for use with SAML single sign-on.

    Create a GitHub Enterprise Cloud integration profile

    Create a GitHub Enterprise Enterprise Cloud integration profile to track software subscriptions and optimize licensing for your GitHub Enterprise Cloud applications.

    Before you begin

    To create a GitHub Enterprise Cloud integration profile, request the Software Asset Management - SaaS License Management plugin (sn_sam_saas_int) from the ServiceNow Store.

    ServiceNow Role required: sam_integrator

    Important:
    You must select the GitHub Spoke check box for this integration while installing optional features on the Application Manager page. For more information about choosing the required SaaS applications, see Request SaaS License Management.

    If you're upgrading from Yokohama or Zurich release, then you must reconfigure your GitHub Enterprise Cloud integration profile.

    About this task

    If you’re using Software Asset Workspace, the option to create the GitHub Cloud integration profile in Core UI is inactive.

    Procedure

    1. Navigate to the integration profile.
      InterfaceAction
      Core UI
      1. Navigate to All > Software Asset > SaaS License > Direct Integration Profiles.
      2. Select New.
      3. Select GitHub Cloud Integration Profile.
      Software Asset Workspace
      1. Navigate to License operations > User Subscriptions > Direct integration profiles.
      2. Select New.
      3. Select GitHub Cloud from the drop-down list.
      4. Select Continue.
    2. On the form, fill in the fields.
      Table 2. Integration Profile form
      Field Description
      Display Name Name of the integration profile. For example, GitHub Cloud Integration.
      Status Status of the integration profile.
      • If you have not published the integration profile, this field is automatically set to Draft.
      • If you have already published the integration profile, this field is automatically set to Published.
      Profile type Type of integration profile.

      This field is automatically set to github_cloud_subscription.
    3. Review the required user roles or API permissions specified in the Vendor configuration field for each process to minimize security risks and optimize SaaS licenses.
      Note:
      For more information, see Minimal user permissions table.
      1. In the Download Subscription Subflow section, verify that the Subflow field is set to GitHub Cloud Download Subscriptions.
        Note:
        The Download subscriptions check box is selected by default and you can't clear it.
        Software Asset Management pulls the members, outside collaborators, pending invitations, and pending outside collaborators to provide a complete view of your GitHub Enterprise Cloud Subscriptions.
        Important:
        To pull pending outside collaborators, enable the sn_sam_saas_int.pull_pending_collaborator_github system property. A higher number of repositories would lead to an increased number of API transactions.
      2. In the Calculate Activity Subflow section, verify that the Subflow field is set to GitHub Cloud Update User Activity.
        Note:
        The Download Activity check box is selected by default. If you clear it, the activity scheduled job SAM - Refresh <displayname> Activity isn't created.
        In the Analyze user activity field, you can also select the date and time starting from when you want to analyze the user activity. By default, you can analyze user activity up to 60 days prior to the current date and view events performed by individual users from the time you create this profile.
        Note:
        Software Asset Management pulls the events from the time that you start analyzing user activity irrespective of the profile creation date.
        You can modify this value in the Last activity threshold field of your software reclamation rules. For more information, see Review a software reclamation rule.
        Tip:
        To avoid performance issues with this subflow, the best approach is to set the Analyze user activity from field to a maximum of seven days before the current date.
      3. In the Reclaim Subscription Subflow section, verify that the Subflow field is set to GitHub Cloud Reclaim Subscription.
        Note:
        The Reclaim subscriptions check box is selected by default. If you don't want to reclaim subscriptions, you can clear this check box. If you clear it, the removal candidates are created but the reclaim subscription subflow isn't triggered or the reclamation process isn't initiated.
    4. Select Save.
      Your ServiceNow instance creates a draft integration profile.

      The Connection & Credential field appears and is automatically set to sn_github_spoke.GitHub.

    5. Open the connection & credential aliases record by selecting the preview icon next to the Connection & Credential field and then selecting Open Record in the record preview.
    6. On the Connection & Credential Aliases form, select the Create New Connection & Credential related link.
    7. In the Create Connection and Credential dialog box, fill in the fields.
      Table 3. Create Connection and Credential dialog box
      Field Description
      Connection Name Name of the GitHub connection.
      Connection URL URL of the GitHub API endpoint.

      Enter https://api.github.com.
      Use MID Server Option that enables your ServiceNow instance to use a MID Server for communication with your GitHub Enterprise Cloud applications.
      • If your instance requires a MID Server, set this field to true.
      • If your instance doesn’t require a MID Server, leave this field empty.
      Important:
      To enable this option, you must already have a MID Server set up on your instance. See MID Server for detailed instructions.
      API Key Personal access token that enables you to access the GitHub Enterprise Cloud API.
      • If the GitHub spoke version installed is 2.2.5 or higher, enter <api-key>.
      • If the GitHub spoke version installed is lower than 2.2.5, enter Bearer <api-key>.
      The <api-key> is the personal access token that you generated in Generate an API access token for GitHub Enterprise Cloud
    8. Select Create.
    9. On the integration profile form, select Validate Connection to verify the connection and credential details of this integration.

      Validating the connection verifies the Download Subscriptions and Calculate Activity APIs, but not the Reclaim Subscriptions APIs.

    10. After the connection is verified, select Publish.
    11. In the Publish Confirmation dialog box, select OK.
      Note:
      If you clear the Download Activity check box after the integration profile is published, you must revalidate the connections and then republish the integration profile because the following events occur:
      • The Status field on the integration profile form changes to Draft.
      • The Validate connection button shows up on the form.
      • The current SAM - Refresh <displayname> Activity job gets deleted.

    What to do next

    After the integration connects, your ServiceNow instance automatically creates software models, reclamation rules, and software subscriptions that are refreshed daily.

    After creating an integration profile, view information about the profile in the Software Asset Workspace by navigating to License operations > User subscription > Direct integration profiles. You can select an integration profile to view the following related lists. If all of the following related lists aren't visible for an integration profile in the default view, you can select the custom integration view from the Details tab:
    • Software Models
    • Unrecognized Subscription Identifiers
    • Scheduled Jobs
    • Scheduled Job Results
    • Software Subscriptions
    • Subscription Identifier Exclusion Rule
    • Subscription User Exclusion Rule

    After creating an integration profile, you can define subscription exclusion rules to keep certain subscriptions from license cost calculations. For more information, see Subscription exclusions for SaaS and SSO applications.

    If you want to set up multiple integration profiles with unique connections, create child aliases to manage different configurations and settings for each integration profile. For more information, see Create a child alias to set up multiple integration profiles.

    Review all automatically generated reclamation rules to reclaim user subscriptions. For more information, see Review a software reclamation rule.

    Create software entitlements for the automatically generated software models to track used software against owned software.
    Reconciliation also runs on your subscriptions as a scheduled job or on-demand. You can view your reconciliation results in the License Workbench (Software Asset Management classic application) or the License usage view (Software Asset Workspace). Use these results to determine your license compliance position and to remediate any non-compliance.