
Adding Public Repositories

You can add any public GitHub repository to Mayo ASPM as an asset without installing the GitHub App. This is useful for monitoring open-source dependencies, performing quick security assessments, or evaluating third-party code your team relies on.


Step-by-Step: Adding a Public Repository

Step 1: Navigate to the Assets Page

From the left navigation sidebar, click Assets to open the assets table.

Step 2: Click "Add Asset"

In the top-right corner of the Assets page, click the Add Asset button. This opens the Add Public Repository modal.

Step 3: Paste the GitHub URL

Enter the full GitHub URL of the public repository you want to add. The URL should follow this format:

https://github.com/owner/repository-name

Valid URL Examples

https://github.com/expressjs/express
https://github.com/lodash/lodash
https://github.com/facebook/react

Invalid URLs

The following URL formats are not accepted:

  • URLs with paths beyond the repository root: https://github.com/org/repo/tree/main/src
  • URLs to specific files: https://github.com/org/repo/blob/main/package.json
  • Non-GitHub URLs: https://gitlab.com/org/repo
  • SSH-style URLs: git@github.com:org/repo.git

Step 4: Validation

After you submit the URL, Mayo ASPM performs two validation checks:

| Check | What It Verifies | Error If Failed |
|---|---|---|
| Existence check | The repository exists on GitHub | "Repository not found. Please verify the URL and try again." |
| Visibility check | The repository is publicly accessible | "This repository is private. Only public repositories can be added manually. Use the GitHub App integration for private repos." |

Validation typically completes in 1-2 seconds.

Step 5: Asset Creation

Once validation passes, Mayo ASPM automatically:

  1. Creates the asset with the repository's metadata (name, owner, default branch, description)
  2. Creates an auto-project — A project is automatically generated with the same name as the repository, and the new asset is assigned to it
  3. Sets the asset to active — The asset is immediately available for scanning

You will see a success notification and the new asset will appear in your assets table.


What Gets Created

When you add a public repository, Mayo ASPM creates two entities:

The Asset

The asset record captures:

  • Repository name — The full owner/repo identifier
  • Type — Set to Public
  • Default branch — Automatically detected from the repository (e.g., main)
  • Active status — Enabled by default
  • Organization — Assigned to your Mayo ASPM organization

The Auto-Project

An auto-project is automatically created so your new asset has an organizational home:

  • Project name — Matches the repository name
  • Project type — Tagged as auto-created
  • Assets — Contains the newly added asset

Organizing Public Assets

After adding a public repository, you can assign the asset to an existing project. For example, you might create a project called "Third-Party Dependencies" and move all your public assets there for easier management.


Limitations vs. Integration Repositories

Public assets provide core scanning functionality but lack some features that require the GitHub App webhook connection:

What Works

  • Ad-hoc scans — Trigger scans manually from the Assets page with any supported scanner
  • Scheduled scans — Public assets are included in nightly scheduled scan runs
  • All scanner types — OpenGrep, Semgrep, Trivy, Grype, and Gitleaks all work on public repos
  • Findings and triage — Full findings management, filtering, and triage workflows
  • OPA policy evaluation — Policies apply to public asset findings the same as integration assets

What Does Not Work

| Feature | Why It Is Unavailable |
|---|---|
| PR scanning | Requires GitHub App webhooks to detect pull request events. Mayo ASPM cannot receive webhook notifications for repositories where the app is not installed. |
| Automatic repository sync | Integration repos are synced nightly for metadata changes. Public repos retain the metadata captured at the time they were added. |
| Private repository access | Public asset addition only works with publicly accessible repositories. For private repos, install the GitHub App. |

Upgrading to Full Integration

If you later install the GitHub App on an organization that contains a public asset you previously added, Mayo ASPM will detect the overlap and upgrade the asset to an integration asset. You will not lose any existing scan data or findings.


Duplicate Detection

Mayo ASPM prevents duplicate assets. If you attempt to add a public repository that already exists in your organization — whether as a public or integration asset — you will see:

This repository already exists in your organization.

The duplicate check uses the full repository identifier (owner/repo-name) regardless of URL casing.
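
The URL format rules from Step 3 and the case-insensitive duplicate rule above can be applied locally before a list of repositories is submitted. The following is an added example, not Mayo ASPM's own code; the function names, the owner/repo name patterns, and the strict rejection of trailing slashes, ports, userinfo, query strings and fragments are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Conservative name patterns (assumption of this example, not Mayo ASPM's rules).
_OWNER = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}")
_REPO = re.compile(r"[A-Za-z0-9._-]{1,100}")


def parse_public_repo_url(url):
    """Return (owner, repo) for https://github.com/owner/repo, else raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("only https:// URLs are accepted")
    # Compare the whole netloc so userinfo or a port cannot smuggle in another
    # host, e.g. https://github.com@example.test/org/repo
    if parts.netloc.lower() != "github.com":
        raise ValueError("host must be github.com")
    if parts.query or parts.fragment:
        raise ValueError("query strings and fragments are not accepted")
    segments = parts.path.split("/")  # "/owner/repo" -> ["", owner, repo]
    if len(segments) != 3:
        raise ValueError("URL must point at the repository root")
    owner, repo = segments[1], segments[2]
    if not _OWNER.fullmatch(owner) or not _REPO.fullmatch(repo) or repo in (".", ".."):
        raise ValueError("invalid owner or repository name")
    return owner, repo


def dedup_key(owner, repo):
    """Case-insensitive owner/repo identifier, as the duplicate check describes."""
    return f"{owner}/{repo}".lower()


def triage(urls, existing_keys=()):
    """Split candidate URLs into accepted keys and (url, reason) rejections."""
    seen = {k.lower() for k in existing_keys}
    accepted, rejected = [], []
    for url in urls:
        try:
            key = dedup_key(*parse_public_repo_url(url))
        except ValueError as exc:
            rejected.append((url, str(exc)))
            continue
        if key in seen:
            rejected.append((url, "already exists"))
        else:
            seen.add(key)
            accepted.append(key)
    return accepted, rejected
```

Pass the owner/repo identifiers already present in your organization as existing_keys so that duplicates are caught before submission.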


Removing a Public Asset

To remove a public asset:

  1. Navigate to the Assets page
  2. Click the repository name to open the asset detail page
  3. Click the Delete button
  4. Confirm the deletion in the modal

Deletion Is Permanent

Deleting an asset removes all associated scan history and findings. This action cannot be undone. If the asset had findings in an active triage workflow, those findings will also be deleted.


Common Questions

Can I add repositories from GitHub Enterprise?
Not at this time. Public asset addition only supports repositories hosted on github.com.

Is there a limit to how many public assets I can add?
Yes, the number of total assets (integration + public) is governed by your plan tier. See Pricing & Limits for details.

Do public assets count toward my scan quota?
Yes. Scans against public assets consume the same scan quota as integration asset scans.

Can I bulk-add multiple public repositories?
Not through the UI currently. To add multiple public repos programmatically, use the Assets API endpoint.