GitHub Application Vulnerability Integration

  • Release version: Zurich
  • Updated April 30, 2026

The GitHub Application Vulnerability Integration imports static application security testing (SAST) and software composition analysis (SCA) data so that you can view the vulnerability alerts raised against the repositories in your GitHub environment.

    GitHub Application Vulnerability Integration

    The GitHub Application Vulnerability Integration collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities and GitHub alerts in your instance.

The GitHub environment supports multiple organizations. These organizations, whether on-premises or Enterprise, might correspond to departments such as Engineering, Quality, Documentation, and so on. Each organization, in turn, can contain multiple repositories.

    Generally, you should import organizational data first with the GitHub Organizations Integration and then import data for your repositories with the GitHub Repos Integration so that it imports the repository data for each organization. Running these integrations in this order of execution is not mandatory, however, because your environment might be set up differently.

    After you import your application data with the GitHub Repos Integration, you can import vulnerability and alert data from these repositories. Imported data is processed like an application in the Application Vulnerability Response application. When scanners detect vulnerabilities and generate alerts for the repositories, vulnerabilities are created in Application Vulnerability Response.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Available versions

    Release version Release notes

    GitHub Application Vulnerability Integration

    Note:

If you want to use a version of this application that is compatible with Unified Security Exposure Management (USEM), see Migrating from Vulnerability Response to Unified Security Exposure Management (USEM) for more information about USEM and the migration.

If you do not intend to upgrade to Unified Security Exposure Management, install a version lower than v30.x of this application, and do the same when upgrading its supported third-party integration applications.

For compatibility information, see KB0856498, Vulnerability Response Compatibility Matrix and Release Schema Changes.

GitHub integrations

Each integration below is listed with the ServiceNow AI Platform® tables it writes to, followed by notes where they apply.

• GitHub Organizations Integration: Imports GitHub organization records into the Discovered Organizations [sn_vul_discovered_org] table.
  Notes: If you run this integration in Enterprise mode to import data for all the organizations and repos in an enterprise environment, run it before the other GitHub integrations, because they depend on the current organizational data it imports. If you use Organization mode only to import refreshed metadata for your organizations and repos, you do not have to run this integration first. For more information about configuring the integrations, see Configure the GitHub Application Vulnerability Integration.
• GitHub Repos Integration: Imports all the application data for your GitHub on-premises and Cloud (Enterprise) accounts into the Discovered Applications [sn_vul_app_release] table. The integration imports applications from the repositories you have configured for an Organization (on-premises) or from your Enterprise (Cloud) environment.
• GitHub CodeScan Integration: Imports code scanning alerts for security vulnerabilities and coding errors from GitHub repositories into the Discovered Applications [sn_vul_app_release], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. Imported data is mapped to SAST results in your instance.
• GitHub Dependabot Integration: Imports Dependabot alerts for dependencies with known vulnerabilities from repositories into the Discovered Applications [sn_vul_app_release], Package [sn_vul_app_package], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. Imported data is mapped to SCA results in your instance.
• GitHub Secret Scanning: Imports secrets detected in your organization's code, along with the application security testing results, into the Discovered Applications [sn_vul_app_release], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. The system maps secrets to application vulnerable items (AVITs) with scan type secret and maps generic secrets to AVITs with scan type generic_secret. Because these records describe credentials that were exposed in source code, restrict access to them in your instance as carefully as you would the secrets themselves.
• GitHub Secret Scanning Location: Imports the location and line numbers of the scanned secrets in your organizations' code into the Application Vulnerable Item [sn_vul_app_vulnerable_item] table, so that your developers can find and remediate them quickly.

For more details about source fields and their mapping in your instance, see Field mapping for the GitHub Application Vulnerability Integration.
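The following is an added example, not the integration's own code and not GitHub's: it takes alert objects in the shape of the GitHub REST API responses for code scanning, Dependabot and secret scanning (plus the secret-scanning locations endpoint) and normalizes them into the three record kinds the table above describes (SAST, SCA, and secret/generic_secret items with file and line locations). It also models the ordering dependency described earlier: an alert is only attached when its organization and repository were discovered first, and anything else is reported as skipped. All sample alerts, the acme organization and repository names, the scan_type strings, the record field names, the rule that decides which secret_type values are "generic", and the fingerprint key are this example's own constructed assumptions; the page defines none of them.

```python
"""Normalize GitHub alerts into SAST / SCA / secret records (added example, not
ServiceNow's or GitHub's code).  Alert dicts are constructed samples shaped like
GitHub REST API responses; record layout and scan_type values are simplified."""
import hashlib
import hmac

# Constructed sample data.  Identifiers are placeholders, not real advisories or secrets.
ORG_REPO = "acme/payments-api"
UNDISCOVERED_REPO = "acme-labs/prototype"   # its organization was never imported

CODE_SCANNING_ALERTS = [
    (ORG_REPO, {"number": 7, "state": "open",
                "rule": {"id": "py/sql-injection", "security_severity_level": "high"},
                "tool": {"name": "CodeQL"},
                "most_recent_instance": {"location": {"path": "app/db.py",
                                                      "start_line": 42, "end_line": 44}}}),
    (UNDISCOVERED_REPO, {"number": 1, "state": "open",
                         "rule": {"id": "py/clear-text-logging",
                                  "security_severity_level": "medium"},
                         "tool": {"name": "CodeQL"},
                         "most_recent_instance": {"location": {"path": "main.py",
                                                               "start_line": 9, "end_line": 9}}}),
]
DEPENDABOT_ALERTS = [
    (ORG_REPO, {"number": 3, "state": "open",
                "dependency": {"package": {"ecosystem": "pip", "name": "django"},
                               "manifest_path": "requirements.txt"},
                "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxxx", "cve_id": None,
                                      "severity": "high"},
                "security_vulnerability": {"vulnerable_version_range": "< 4.2.0",
                                           "first_patched_version": {"identifier": "4.2.0"}}}),
]
SECRET_ALERTS = [
    (ORG_REPO, {"number": 2, "state": "open", "secret_type": "github_personal_access_token",
                "secret": "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE"}),
    (ORG_REPO, {"number": 5, "state": "open", "secret_type": "password", "secret": "hunter2"}),
]
SECRET_LOCATIONS = {  # alert number -> entries shaped like the alert-locations endpoint
    2: [{"type": "commit", "details": {"path": "config/settings.py", "start_line": 12}}],
    5: [{"type": "commit", "details": {"path": "scripts/deploy.sh", "start_line": 3}}],
}

# What the Organizations and Repos integrations would have imported before the scanners run.
DISCOVERED_ORGS = {"acme"}
DISCOVERED_REPOS = {"acme/payments-api"}

# Assumption: the page does not define which secret_type values are "generic";
# this example treats provider patterns as "secret" and the types listed here as generic.
GENERIC_SECRET_TYPES = {"password"}

# Assumption: a per-instance key so a stored fingerprint cannot be brute-forced offline
# (an unkeyed hash of a low-entropy password such as "hunter2" could be).
FINGERPRINT_KEY = b"constructed-example-key-rotate-in-production"


def is_discovered(repo):
    """Mirror the dependency in the text: an alert needs its org and repo records first."""
    org = repo.split("/", 1)[0]
    return org in DISCOVERED_ORGS and repo in DISCOVERED_REPOS


def fingerprint(secret):
    """Keyed, truncated fingerprint used to correlate alerts; the raw secret is never stored."""
    return hmac.new(FINGERPRINT_KEY, secret.encode(), hashlib.sha256).hexdigest()[:16]


def map_code_scanning(repo, alert):
    """Code scanning alert -> SAST vulnerable item carrying the file and line to fix."""
    loc = alert["most_recent_instance"]["location"]
    return {"scan_type": "sast", "repo": repo, "alert": alert["number"],
            "source": alert["tool"]["name"], "rule": alert["rule"]["id"],
            "severity": alert["rule"].get("security_severity_level"),
            "path": loc["path"], "start_line": loc["start_line"]}


def map_dependabot(repo, alert):
    """Dependabot alert -> SCA vulnerable item plus the package record it belongs to."""
    pkg = alert["dependency"]["package"]
    adv = alert["security_advisory"]
    fixed = alert["security_vulnerability"].get("first_patched_version") or {}
    return {"scan_type": "sca", "repo": repo, "alert": alert["number"],
            "package": "%s:%s" % (pkg["ecosystem"], pkg["name"]),
            "manifest": alert["dependency"]["manifest_path"],
            "advisory": adv.get("cve_id") or adv["ghsa_id"], "severity": adv["severity"],
            "fixed_in": fixed.get("identifier")}


def map_secret(repo, alert, locations):
    """Secret scanning alert + its locations -> 'secret' or 'generic_secret' item."""
    scan_type = "generic_secret" if alert["secret_type"] in GENERIC_SECRET_TYPES else "secret"
    return {"scan_type": scan_type, "repo": repo, "alert": alert["number"],
            "secret_type": alert["secret_type"], "fingerprint": fingerprint(alert["secret"]),
            "locations": [(l["details"]["path"], l["details"]["start_line"]) for l in locations]}


def normalize(code_alerts, dep_alerts, secret_alerts, secret_locations):
    """Return (items, skipped); skipped lists alerts whose repo or org was never discovered."""
    items, skipped = [], []
    sources = [(code_alerts, map_code_scanning), (dep_alerts, map_dependabot),
               (secret_alerts, lambda r, a: map_secret(r, a, secret_locations.get(a["number"], [])))]
    for alerts, mapper in sources:
        for repo, alert in alerts:
            if not is_discovered(repo):
                skipped.append((repo, alert["number"]))
                continue
            items.append(mapper(repo, alert))
    return items, skipped


if __name__ == "__main__":
    found, missing = normalize(CODE_SCANNING_ALERTS, DEPENDABOT_ALERTS, SECRET_ALERTS, SECRET_LOCATIONS)
    for item in found:
        print(item)
    print("skipped (run the Organizations/Repos integrations first):", missing)
```

The skipped list is the practical check to watch after a scanner run: an alert for a repository whose organization was never imported is not silently dropped but reported, which is the symptom you would see when the CodeScan, Dependabot or Secret Scanning integrations run in Enterprise mode before the Organizations Integration. Storing only a keyed fingerprint of a detected secret is this example's choice, made so the instance never holds a second copy of the exposed credential.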

    Uploading SBOM files to the ServiceNow AI Platform® from your GitHub repositories

You can check whether SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform® instance.

• Protect your environments from potentially harmful components during the software development cycle with GitHub Actions that you initiate from your GitHub environment.
• Obtain any GitHub Actions required for SBOM upload from the GitHub Marketplace.

    The SBOM applications are required to upload SBOM files. See Exploring Software Bill of Materials for more information.

    Viewing imported data

The Repos Integration imports the tags and topics that you have configured for a repository from the repository's Settings menu in your GitHub account. Custom properties are located under your repository's menu, and the values you set for those properties are imported as key-value pairs. For more information about where to view this information in your instance, see View the GitHub Application Vulnerability Integration import run status and imported repository data.