GitHub Integration
Mayo ASPM integrates with GitHub through a GitHub App. The app provides repository discovery, code access for scanning, webhook events for real-time PR scanning, and check run reporting.
Installing the GitHub App
- Navigate to Settings > Integrations > GitHub.
- Click Install GitHub App.
- You are redirected to GitHub to authorize the app.
- Select the organization where you want to install the app.
- Choose repository access:
  - All repositories — Mayo ASPM can see and scan every repo in the org
  - Select repositories — choose specific repos
- Click Install.
- You are redirected back to Mayo ASPM with a success message.
Start with select repositories
You can always add more repositories later. Starting with a subset lets you validate the integration before scaling up.
Permissions
The Mayo ASPM GitHub App requests the following permissions:
| Permission | Level | Purpose |
|---|---|---|
| Repository contents | Read | Clone code for scanning |
| Repository metadata | Read | Discover repos, languages, topics |
| Pull requests | Read | Receive PR events for PR scanning |
| Checks | Write | Post check run results (pass/fail) |
| Commit statuses | Write | Post commit status indicators |
| Issues | Write | Post PR comments with scan results |
| Webhooks | Read/Write | Receive push, PR, and installation events |
No write access to code
Mayo ASPM never writes to your repository contents. Code access is read-only for scanning purposes.
Webhook events
The GitHub App subscribes to the following webhook events:
| Event | Trigger | Mayo ASPM action |
|---|---|---|
| `installation` | App installed or uninstalled | Update connected repos |
| `installation_repositories` | Repos added/removed from app | Sync repository list |
| `push` | Code pushed to a branch | Trigger scan (if configured) |
| `pull_request` | PR opened, updated, or closed | Trigger PR scan |
| `pull_request_review` | PR review submitted | (informational) |
Repository sync
After installation, Mayo ASPM automatically syncs your repository list:
- Repository name and metadata (language, topics, visibility)
- Default branch name
- Last commit date
Sync runs automatically when webhooks arrive and can be manually triggered from Settings > Integrations > GitHub > Sync Now.
What shows up in Mayo ASPM
Each synced repository appears as an asset in Mayo ASPM. Assets are organized into projects based on your project policies or auto-project rules.
Scanning repositories
Once connected, you can scan any synced repository:
- Navigate to Assets and select a repository.
- Click Scan Now.
- Choose the scanners to run:
  - SCA (Grype, Trivy) — dependency vulnerabilities
  - SAST (Semgrep) — code-level vulnerabilities
  - Secrets (Gitleaks) — exposed secrets and credentials
  - Container (Trivy) — container image vulnerabilities
- Click Start Scan.
How scanning works
Mayo ASPM clones the repository's default branch into a secure, ephemeral environment, runs the selected scanners, ingests the results, and then deletes the clone. Your code is never stored persistently.
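The clone, scan, ingest, delete lifecycle in the callout above, as an added Go example; it is not Mayo ASPM's implementation. `ephemeralScan`, `Finding` and the report format are hypothetical. The point it adds is the failure mode: deletion is deferred, so the clone is removed on every exit path, including a failed clone or a crashing scanner, and findings are parsed into memory before the directory goes. The sample report in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// Finding is the normalized record ingested into Mayo ASPM (hypothetical shape);
// the scanner's raw report stays in the clone and is deleted with it.
type Finding struct {
	Scanner  string `json:"scanner"`
	RuleID   string `json:"rule_id"`
	File     string `json:"file"`
	Line     int    `json:"line"`
	Severity string `json:"severity"`
}

// CloneFunc fetches the default branch into dir. ScanFunc runs one scanner in
// dir and returns the report it wrote, as a path relative to dir.
type CloneFunc func(dir string) error
type ScanFunc func(dir string) (report string, err error)

// gitClone is the real cloner: a shallow clone of a single branch.
func gitClone(url, branch string) CloneFunc {
	return func(dir string) error {
		cmd := exec.Command("git", "clone", "--depth=1", "--branch", branch, "--", url, dir)
		cmd.Stderr = os.Stderr
		return cmd.Run()
	}
}

// ephemeralScan is the lifecycle: temp dir, clone, scan, ingest, delete.
// RemoveAll is deferred, so it runs on every return path; a failed clone or a
// crashing scanner cannot leave source on disk. Findings are parsed into memory
// before the directory goes. workDir is returned only so callers can confirm cleanup.
func ephemeralScan(clone CloneFunc, scanners []ScanFunc) (findings []Finding, workDir string, err error) {
	workDir, err = os.MkdirTemp("", "mayo-scan-*")
	if err != nil {
		return nil, "", err
	}
	defer os.RemoveAll(workDir)
	if err = clone(workDir); err != nil {
		return nil, workDir, fmt.Errorf("clone: %w", err)
	}
	for _, scan := range scanners {
		report, err := scan(workDir)
		if err != nil {
			return nil, workDir, fmt.Errorf("scan: %w", err)
		}
		raw, err := os.ReadFile(filepath.Join(workDir, report))
		if err != nil {
			return nil, workDir, err
		}
		var batch []Finding
		if err := json.Unmarshal(raw, &batch); err != nil {
			return nil, workDir, fmt.Errorf("ingest %s: %w", report, err)
		}
		findings = append(findings, batch...)
	}
	return findings, workDir, nil
}

func main() {
	// Constructed stand-ins: "clone" seeds one file, the "scanner" writes one finding.
	seed := func(dir string) error {
		return os.WriteFile(filepath.Join(dir, "config.py"), []byte("API_KEY='x'\n"), 0o600)
	}
	writeFinding := func(dir string) (string, error) {
		rep := `[{"scanner":"gitleaks","rule_id":"generic-api-key","file":"config.py","line":3,"severity":"high"}]`
		return "report.json", os.WriteFile(filepath.Join(dir, "report.json"), []byte(rep), 0o600)
	}
	findings, dir, err := ephemeralScan(seed, []ScanFunc{writeFinding})
	_, statErr := os.Stat(dir)
	fmt.Println(findings, err, "clone removed:", os.IsNotExist(statErr))
}
```

Swap `seed` for `gitClone(url, defaultBranch)` and `writeFinding` for a function that runs the real tool with a JSON report flag to get the production shape; the cleanup guarantee does not change.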
PR scanning
When a pull request is opened or updated:
- Mayo ASPM receives the `pull_request` webhook event.
- A differential scan runs on the PR branch vs. the base branch.
- Results are evaluated against your PR scan policies.
- A GitHub check run is created (pass or fail).
- Optionally, a PR comment is posted with finding details.
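The receive, verify, dispatch path behind the webhook table and the PR scanning steps above, as an added Go example; it is not Mayo ASPM's code. It assumes the app is configured with a webhook secret so each delivery can be checked against `X-Hub-Signature-256` (the page does not mention one; GitHub Apps support it), and it starts a differential scan only on the `opened`, `synchronize` and `reopened` actions, treating `closed` as bookkeeping. The event, header and action names are GitHub's; the `Action` constants, `route` and `handler` are illustrative, and the delivery in `main` is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Action is what the receiver does with a delivery; hypothetical names that mirror the webhook table.
type Action string

const (
	ActionSyncRepos  Action = "sync-repos"    // installation, installation_repositories
	ActionPushScan   Action = "push-scan"     // push (if configured)
	ActionPRDiffScan Action = "pr-diff-scan"  // pull_request opened/synchronize/reopened
	ActionPRClosed   Action = "pr-closed"     // pull_request closed: bookkeeping, no scan (assumption)
	ActionInfo       Action = "informational" // pull_request_review
	ActionIgnore     Action = "ignore"
)

// signBody is the value GitHub sends in X-Hub-Signature-256: "sha256=" + hex(HMAC-SHA256(secret, body)).
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature recomputes the MAC over the raw bytes and compares in constant time.
// It runs before the body is parsed, so a forged delivery never reaches route().
func verifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// ScanRequest is the input to a differential PR scan: head commit vs. base branch.
type ScanRequest struct{ HeadRef, HeadSHA, BaseRef string }

// prEvent is the subset of the pull_request payload the router needs.
type prEvent struct {
	Action      string `json:"action"`
	PullRequest struct {
		Head struct{ Ref, SHA string } `json:"head"`
		Base struct{ Ref string }      `json:"base"`
	} `json:"pull_request"`
}

// route maps X-GitHub-Event plus body to an Action; only pull_request needs the payload.
func route(event string, body []byte) (Action, *ScanRequest, error) {
	switch event {
	case "installation", "installation_repositories":
		return ActionSyncRepos, nil, nil
	case "push":
		return ActionPushScan, nil, nil
	case "pull_request_review":
		return ActionInfo, nil, nil
	case "pull_request":
		var ev prEvent
		if err := json.Unmarshal(body, &ev); err != nil {
			return ActionIgnore, nil, fmt.Errorf("pull_request payload: %w", err)
		}
		switch ev.Action {
		case "opened", "synchronize", "reopened":
			pr := ev.PullRequest
			return ActionPRDiffScan, &ScanRequest{pr.Head.Ref, pr.Head.SHA, pr.Base.Ref}, nil
		case "closed":
			return ActionPRClosed, nil, nil
		}
	}
	return ActionIgnore, nil, nil
}

// handler fixes the order: cap the body, verify the signature, then route.
// A missing or forged signature gets 401 and the payload is never parsed.
func handler(secret []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "read error", http.StatusBadRequest)
			return
		}
		if !verifySignature(secret, body, r.Header.Get("X-Hub-Signature-256")) {
			http.Error(w, "bad signature", http.StatusUnauthorized)
			return
		}
		action, req, err := route(r.Header.Get("X-GitHub-Event"), body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "%s %+v\n", action, req)
	}
}

func main() { // constructed delivery: a PR updated with a new commit
	secret := []byte("constructed-webhook-secret")
	body := []byte(`{"action":"synchronize","pull_request":{"head":{"ref":"feature/x","sha":"abc123"},"base":{"ref":"main"}}}`)
	action, req, err := route("pull_request", body)
	fmt.Println(verifySignature(secret, body, signBody(secret, body)), action, req, err)
}
```

The check that matters for the "Webhooks not arriving" troubleshooting row is the 401 branch: a delivery that fails verification is rejected, and GitHub records that response in the app's delivery log, so a secret mismatch shows up there rather than as a silent drop.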
Enabling PR scanning
- Go to Settings > Integrations > GitHub > PR Scanning.
- Toggle Enable PR scanning.
- Select which scanners to run on PRs (recommendation: SAST + Secrets for speed).
- Choose the comment style:
  - Summary comment — one comment with a finding count
  - Inline annotations — comments on specific lines
  - Both — summary plus inline
Managing repository access
Adding repositories
- Go to Settings > Integrations > GitHub.
- Click Manage repositories on GitHub.
- Add repositories to the GitHub App installation.
- Return to Mayo ASPM and click Sync Now.
Removing repositories
Remove a repository from the GitHub App installation to stop scanning:
- Click Manage repositories on GitHub.
- Deselect the repository.
- The asset remains in Mayo ASPM with its history, but no new scans will run.
Troubleshooting
| Issue | Solution |
|---|---|
| Repos not appearing | Click Sync Now; check app installation includes the repos |
| Webhooks not arriving | Verify webhook URL in GitHub App settings; check for delivery failures |
| Clone fails | Ensure the app has read access to repository contents |
| Check run not posting | Verify the app has Checks: Write permission |
| PR comment not posting | Verify the app has Issues: Write permission |
For more, see Integration troubleshooting.
Security
- Private key custody — the GitHub App private key is stored encrypted in Mayo ASPM's backend. It is used to sign the short-lived app JWT that is exchanged with GitHub for installation access tokens; the key itself is never sent to GitHub and is not used directly on API calls.
- Token expiry — installation access tokens expire after 1 hour and are not stored.
- Code access — repositories are cloned into ephemeral containers and deleted after scanning.
- Audit log — all GitHub API calls are logged in your organization's audit trail.
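The token flow in the first two bullets, as an added Go example; it is not Mayo ASPM's code. The app private key signs an RS256 JWT with at most a 10-minute lifetime, and that JWT is exchanged at `POST /app/installations/{id}/access_tokens` for an installation token that GitHub issues with a one-hour `expires_at` and a 201 response; those details, the `Authorization: Bearer` and `Accept` headers are GitHub's API. `appJWT`, `verifyAppJWT`, `InstallationToken` and `installationToken` are hypothetical names, the key is generated in-process here rather than loaded from encrypted storage, and the token is held only in memory, as the page states.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// appJWT builds the RS256 JWT a GitHub App presents to mint installation tokens.
// GitHub allows at most 10 minutes of lifetime; iat is backdated 60 s for clock skew.
func appJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	claims, err := json.Marshal(map[string]any{
		"iss": appID,
		"iat": now.Add(-60 * time.Second).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyAppJWT is the check GitHub performs on its side (signature, then expiry);
// included so the token can be validated offline with the matching public key.
func verifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	if exp, _ := claims["exp"].(float64); float64(now.Unix()) >= exp {
		return nil, fmt.Errorf("token expired")
	}
	return claims, nil
}

// InstallationToken is the ~1 h credential used for API calls; held in memory only.
type InstallationToken struct {
	Token     string    `json:"token"`
	ExpiresAt time.Time `json:"expires_at"`
}

// installationToken exchanges the app JWT for an installation token via
// POST {apiBase}/app/installations/{id}/access_tokens (GitHub answers 201).
func installationToken(client *http.Client, apiBase, jwt string, installationID int64) (*InstallationToken, error) {
	url := fmt.Sprintf("%s/app/installations/%d/access_tokens", apiBase, installationID)
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return nil, fmt.Errorf("token exchange failed: %s", resp.Status)
	}
	var tok InstallationToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	return &tok, nil
}

func main() {
	// Key generated in-process for the demo; a real deployment loads the app's
	// encrypted private key instead. Only the JWT, never the key, goes to GitHub.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt, err := appJWT("12345", key, time.Now())
	fmt.Println(len(jwt) > 0, err)
}
```

Two properties worth checking in any implementation of this flow: the JWT's `exp` is never more than ten minutes past `iat` (GitHub rejects longer lifetimes), and the installation token is discarded at or before `expires_at` rather than cached past it.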
Next steps
- PR scanning strategy — best practices for PR gates
- PR scan policies — configure pass/fail rules
- Scanner comparison — choose the right scanners