Configure the GitHub Application Vulnerability Integration

  • Release version: Yokohama
  • Updated April 30, 2026
  • 5 minutes to read

Before you run the integration on your instance, the installation and configuration steps must be completed so the GitHub product properly integrates with Application Vulnerability Response. This application is available as a separate subscription.

    Before you begin

    Roles required:
    • App-Sec Manager user group
    • sn_vul.app_sec_manager required for OAuth set up

    Procedure

    1. Navigate to All > GitHub Vulnerability Integration > Configuration.
    2. Choose either Basic Authentication or OAuth for Authentication type.
    3. Fill in the fields based on the type you choose.
      If you select Basic Authentication:

      API URL: The appropriate GitHub API URL for Enterprise or on-premise. The default URL is https://api.github.com. For on-premise, enter your GitHub endpoint URL.
      API Token: Token you generated from your GitHub console.
      API Type: Choose one:
        • Organization: Choose this option if you want to import data for a specific organization by name. The GitHub environment supports multiple organizations, and each organization can contain multiple repositories. If you enter an organization, only data from that organization is imported.
        • Enterprise: The Enterprise environment supports multiple organizations. Choose this option if you want to import vulnerability data from all the organizations in your Enterprise (Cloud) environment.
      Enterprise Name (if you select Enterprise for the API type): Name of your enterprise environment. Your environment might support more than one organization.

      In Enterprise mode (api_type = 2), the Organizations Integration must run first: it lists organizations through /enterprises/{enterprise_name}/orgs, and the Repos Integration then fans out across every organization that is returned. The Application Vulnerability Response (AVR) scheduler handles this ordering automatically by default.

      Note:
      A rollover hint is displayed for the Enterprise Name field to clarify this value: the name of the enterprise as found in the GitHub console. This field is not used in credential validation.
      Organisation Name (if you select Organization for the API type): Name of your GitHub repository. Only data from the organization you enter is imported.

      In Organization mode (api_type = 1), the Repos Integration imports directly through /orgs/{organisation_name}/repos, and the Organizations Integration runs only as a metadata refresh, so run order does not matter.

      MID Server: For on-premise instances using Basic Authentication, a MID Server is required.
      Manage generic secrets in ServiceNow: Activate this option to import generic secrets along with normal secrets for application vulnerable items (AVIs).
      Select options to manage Exception management and False positives: Select these options to manage exceptions and false positives for application vulnerable items (AVIs) with ServiceNow workflows automatically upon import.
        • Manage exceptions in ServiceNow: Leave this option activated if you want to triage imported AVIs marked for the Deferred state. AVIs with Source states that normally are mapped to a Deferred state in your instance are instead mapped to Open. You request an exception from the AVI record.
        • Manage false positives in ServiceNow: Leave this option activated if you want to triage imported AVIs with Source states marked as False Positive or Potential False Positive. AVIs with these Source states that normally are mapped to a Closed state in your instance are instead mapped to Open. You request a False positive from the AVI record.
        • Deactivate one or both check boxes if you want to preserve the Source states imported from your scanner.
        • If deactivated, the Request exception and False Positive actions are not visible on AVIs.
      Integration Instance: Instance into which you are importing data.

      If you select OAuth:

      API URL: The appropriate GitHub API URL for Enterprise or on-premise. The default URL is https://api.github.com. For on-premise, enter your GitHub endpoint URL.
      Connection: The connection you created as described in Creating OAuth 2.0 credentials for GitHub Apps - JWT for the GitHub Application Vulnerability Integration.
      API Type: Read-only.
      Note:
      The Enterprise API type is not supported as a GitHub Apps authentication method when OAuth is selected.
      Organisation Name: Organization name for your GitHub repositories. Only data from the repositories in the organization you enter is imported.
      Manage generic secrets in ServiceNow: Activate this option to import generic secrets along with normal secrets for application vulnerable items (AVIs).
      Select options to manage Exception management and False positives: Select these options to manage exceptions and false positives for application vulnerable items (AVIs) with ServiceNow workflows automatically upon import.
        • Manage exceptions in ServiceNow: Leave this option activated if you want to triage imported AVIs marked for the Deferred state. AVIs with Source states that normally are mapped to a Deferred state in your instance are instead mapped to Open. You request an exception from the AVI record.
        • Manage false positives in ServiceNow: Leave this option activated if you want to triage imported AVIs with Source states marked as False Positive or Potential False Positive. AVIs with these Source states that normally are mapped to a Closed state in your instance are instead mapped to Open. You request a False positive from the AVI record.
        • Deactivate one or both check boxes if you want to preserve the Source states imported from your scanner.
        • If deactivated, the Request exception and False Positive actions are not visible on AVIs.
    4. Select Save and Test credentials.
      Note:
      Before you run any integration, verify that the scheduled script "Mark scantype to generic secret" has completed successfully. This script is configured to run every 5 minutes until it completes. After it completes, confirm that its run setting is set to On Demand. If it is not, check the system logs for errors.
    5. Depending on what you selected for API type, choose one:
      • If you chose the Enterprise API type, run the GitHub Organizations Integration first, to import all organizations under the enterprise (if applicable), and then run the Repos Integration before running the other integrations. The other GitHub integrations depend on current application data imported from the Repos Integration.
      • If you chose the Organisation API type, run the GitHub Repos Integration before running the other integrations. The other GitHub integrations depend on current application data imported from the Repos Integration.
      The integrations are activated by default. You can deactivate integrations and schedule the integration runs from the integration records.
    6. To schedule integrations and set start times or deactivate them, navigate to All > GitHub Vulnerability Integration > Integrations.
    7. Select a link in the Name column to open a record and set start times.
      You can select the next integration you want to run after the successful completion of the integration you're editing. To launch the integration on demand, select Execute Now.
    8. Optional: See View the GitHub Application Vulnerability Integration import run status and imported repository data for more information.
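The run-order rule in step 3 and step 5 (Enterprise mode lists organizations through /enterprises/{enterprise_name}/orgs and then fans out per organization; Organization mode reads /orgs/{organisation_name}/repos directly) is easier to reason about as code. The following is an added example, not ServiceNow's or GitHub's own code: it uses the endpoint paths named on this page against an offline stub whose organization and repository names are constructed, and it includes a stand-alone paginated GET helper (not exercised here) that shows how the same listing would be fetched with a GitHub API token.

```python
"""Added example, not ServiceNow or GitHub code: what the Repos Integration
consumes under each API type, and why Enterprise mode depends on the
Organizations Integration having completed first. Endpoint paths are those
named in the configuration table; all sample data below is constructed."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

API_TYPE_ORGANIZATION = 1  # api_type = 1 on the configuration page
API_TYPE_ENTERPRISE = 2    # api_type = 2 on the configuration page

# Constructed sample payloads keyed by endpoint path. The enterprise,
# organization and repository names are made up for this example.
STUB_RESPONSES: Dict[str, List[dict]] = {
    "/enterprises/acme-ent/orgs": [{"login": "acme-web"}, {"login": "acme-infra"}],
    "/orgs/acme-web/repos": [{"full_name": "acme-web/storefront"},
                             {"full_name": "acme-web/checkout"}],
    "/orgs/acme-infra/repos": [{"full_name": "acme-infra/terraform"}],
}


def stub_get(path: str) -> List[dict]:
    """Offline stand-in for an authenticated GET against the GitHub API."""
    if path not in STUB_RESPONSES:
        raise LookupError(f"HTTP 404 for {path}")
    return STUB_RESPONSES[path]


def github_get(api_url: str, token: str, path: str) -> List[dict]:
    """Real paginated GET against the configured API URL (not run here).
    GitHub list endpoints accept per_page/page query parameters; the loop
    stops when a page comes back empty."""
    results: List[dict] = []
    page = 1
    while True:
        req = urllib.request.Request(
            f"{api_url.rstrip('/')}{path}?per_page=100&page={page}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:
            return results
        results.extend(batch)
        page += 1


def list_organizations(get: Callable[[str], List[dict]], enterprise_name: str) -> List[str]:
    """What the Organizations Integration produces in Enterprise mode."""
    return [org["login"] for org in get(f"/enterprises/{enterprise_name}/orgs")]


def list_repositories(get: Callable[[str], List[dict]], api_type: int,
                      organisation_name: Optional[str] = None,
                      organizations: Optional[List[str]] = None) -> List[str]:
    """What the Repos Integration imports. Organization mode reads one org
    directly; Enterprise mode fans out over the org list produced by the
    Organizations Integration, so an empty list means it has not run yet."""
    if api_type == API_TYPE_ORGANIZATION:
        if not organisation_name:
            raise ValueError("Organization mode requires Organisation Name")
        return [r["full_name"] for r in get(f"/orgs/{organisation_name}/repos")]
    if api_type == API_TYPE_ENTERPRISE:
        if not organizations:
            raise RuntimeError("Enterprise mode: no organizations available; "
                               "run the Organizations Integration first")
        repos: List[str] = []
        for org in organizations:
            repos.extend(r["full_name"] for r in get(f"/orgs/{org}/repos"))
        return repos
    raise ValueError(f"unknown api_type {api_type}")


if __name__ == "__main__":
    orgs = list_organizations(stub_get, "acme-ent")
    print("enterprise fan-out:",
          list_repositories(stub_get, API_TYPE_ENTERPRISE, organizations=orgs))
    print("single organization:",
          list_repositories(stub_get, API_TYPE_ORGANIZATION, organisation_name="acme-web"))
```

Running the Repos step in Enterprise mode before any organization list exists fails fast rather than importing nothing, which is the condition the scheduler's default ordering avoids; in Organization mode the same function needs only the Organisation Name field.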
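The Manage exceptions in ServiceNow and Manage false positives in ServiceNow options in step 3 change which state an imported AVI lands in. The following is an added example, not ServiceNow's code, that works through that effect on a constructed batch of AVIs: the False Positive and Potential False Positive source states come from this page, while the other source-state names, the default mapping table and the AVI records are assumptions made for the example, and each option is read as controlling the visibility of its own AVI action.

```python
"""Added example, not ServiceNow code: the effect of the two 'Manage ... in
ServiceNow' options on the state an imported AVI receives. Only the
False Positive / Potential False Positive source states and the Open, Closed
and Deferred target states come from the page; everything else is assumed."""
from typing import Dict, List, Set

FALSE_POSITIVE_STATES = {"False Positive", "Potential False Positive"}

# Assumed scanner-state to ServiceNow-state mapping in effect on an instance.
# "Dismissed" stands in for whatever source state maps to Deferred.
DEFAULT_STATE_MAP: Dict[str, str] = {
    "Open": "Open",
    "Dismissed": "Deferred",
    "False Positive": "Closed",
    "Potential False Positive": "Closed",
    "Fixed": "Closed",
}


def map_avi_state(source_state: str, manage_exceptions: bool = True,
                  manage_false_positives: bool = True) -> str:
    """Return the ServiceNow state assigned to one imported AVI."""
    target = DEFAULT_STATE_MAP.get(source_state, "Open")
    if manage_exceptions and target == "Deferred":
        return "Open"   # triaged in ServiceNow through Request exception
    if manage_false_positives and source_state in FALSE_POSITIVE_STATES:
        return "Open"   # triaged in ServiceNow through the False Positive action
    return target       # option off: the scanner's source state is preserved


def import_avis(avis: List[dict], manage_exceptions: bool = True,
                manage_false_positives: bool = True) -> List[dict]:
    """Apply the mapping to a batch; the source state is kept for audit."""
    return [{**avi, "state": map_avi_state(avi["source_state"],
                                           manage_exceptions, manage_false_positives)}
            for avi in avis]


def visible_avi_actions(manage_exceptions: bool, manage_false_positives: bool) -> Set[str]:
    """Assumed reading of the page: each option controls its own AVI action."""
    actions: Set[str] = set()
    if manage_exceptions:
        actions.add("Request exception")
    if manage_false_positives:
        actions.add("False Positive")
    return actions


# Constructed sample import batch.
SAMPLE_AVIS: List[dict] = [
    {"id": "AVI0001", "source_state": "Open"},
    {"id": "AVI0002", "source_state": "Dismissed"},
    {"id": "AVI0003", "source_state": "Potential False Positive"},
    {"id": "AVI0004", "source_state": "Fixed"},
]

if __name__ == "__main__":
    for on in (True, False):
        states = [(a["id"], a["state"]) for a in import_avis(SAMPLE_AVIS, on, on)]
        print(f"both options {'on' if on else 'off'}:", states,
              "actions:", sorted(visible_avi_actions(on, on)))
```

With both options on, everything the scanner had deferred or flagged as a (potential) false positive arrives as Open and is worked from the AVI record; with both off, those items keep their scanner-derived Deferred or Closed state and the two actions disappear from the form. A genuinely fixed finding maps to Closed either way.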