Add a Project to CodeScan from GitHub Enterprise

CodeScan supports the GitHub App authentication flow across all supported GitHub editions. This article covers the supported editions, the end-to-end authentication flow, and known limitations.

Supported GitHub Editions

| GitHub Edition | Should GitHub App be created manually? | Authentication Flow | Guide |
| --- | --- | --- | --- |
| GitHub.com (Free / Pro / Team) | No | GitHub App authorization and installation are managed by CodeScan. | See "GitHub Enterprise Cloud Flow" below |
| GitHub.com (GitHub Enterprise Cloud) (GHEC) | No | GitHub App authorization and installation are managed by CodeScan. | See "GitHub Enterprise Cloud Flow" below |
| GitHub Enterprise Server (GHES), Self-Hosted | Yes | The user creates and configures the GitHub App; a CodeScan Admin adds the GitHub App details in ALM Connections. | See "GitHub Enterprise Server (Self-Hosted) Flow (GHES)" below |

"GitHub Enterprise Cloud" is the SaaS offering hosted by GitHub.

"GitHub Enterprise Server" is the on-premises / self-hosted appliance.

GitHub Enterprise Cloud Flow

Step-by-Step guide

When attaching a GitHub repository to an analysis project for the first time:

  1. Select GitHub as the source in CodeScan (Add Analysis Project → GitHub).

     • CodeScan redirects the user to GitHub.

  2. On the "Authorize & Install CodeScan GitHub App" screen, pick the account or organization that owns the repository.

     • This authorizes and installs the CodeScan GitHub App on the chosen account or organization.

     • GitHub redirects the user back to CodeScan.

     • Repositories from the selected account/organization are now available for analysis.

Please make sure to choose the correct account or organization on the first install.

Organization Permission Behavior

Based on the user's permissions, there are two possible scenarios.

Scenario 1: You're an Organization Owner/Admin

If the user attaching the analysis is both a CodeScan Admin and a GitHub Organization Owner (or has been granted app-install rights by an owner):

  • The GitHub App installation is approved instantly.

  • Authentication completes successfully.

  • Organization repositories become available in CodeScan immediately after authorization.

Scenario 2: You're an Organization Member (Non-Owner)

If the user attaching the analysis is an organization member and does not have permission to install GitHub Apps:

  1. On the install screen, GitHub offers a Request option instead of Install.

  2. The user submits the installation request.

  3. GitHub sends an email notification to the Organization Owner(s).

  4. The Organization Owner must approve the request, either from the email notification or in GitHub → Organization Settings → GitHub Apps → Pending requests.

  5. After approval, the user attaches the project again. Authentication then completes automatically and the organization's repositories become available in CodeScan.

Approval is required only once per organization. Once the CodeScan GitHub App is installed on an organization, subsequent users from that organization will not need any further approval; authentication is seamless for them.

Pending Approval / Rejected Scenarios

If a user retries the GitHub authentication flow while their installation request is still awaiting approval (or has been rejected), the following message will be displayed:

This means that your installation request has already been submitted and is waiting for your organization's owner approval. Because you are a member of the organization (not an owner), the request was sent.

To follow up, you can connect with the owner of your organization and ask them to approve it under GitHub → Organization Settings → GitHub Apps → Pending requests. Once approved, return to CodeScan and click Add Analysis Project again. You should be able to connect the project successfully now.

This message appears when:

  • The Organization Owner has not yet approved the pending request.

  • The user retries authentication before approval is granted.

  • The Organization Owner has rejected the installation request.

GitHub Enterprise Server (Self-Hosted) Flow (GHES)

For GitHub Enterprise Server (GHES), a GitHub App must be created on the GHES instance and connected to CodeScan through an ALM Connection.

Step-by-Step guide

Before attaching a project in CodeScan, you must:

  • Create a dedicated GitHub App on your GHES instance.

  • Configure the GitHub App with the required permissions, events, and callback URL.

  1. Create the GitHub App on GHES.

On your GHES instance, navigate to Settings → Developer settings → GitHub Apps → New GitHub App, and create the App with the permissions listed in the AutoRABIT Knowledge Base article "GitHub Authentication using GitHub Apps (CodeScan)".

  2. Add the ALM Connection in CodeScan.

Navigate to CodeScan → Administration → ALM Integrations → GitHub Enterprise Server → Add Connection, and paste in the App ID, Client ID and Client Secret from the GitHub App you created in Step 1, along with your GHES base URL.

  3. Authenticate and analyze repositories.

Users in your GHES organizations can now navigate to Add Analysis Project → GitHub and follow the same authentication flow described for GitHub Enterprise Cloud above.

Known limitations

Repository Visibility limitation

This section can be skipped unless your organization has enabled the 'Allow repository admins to install GitHub Apps' setting.

For an organization member to attach a GitHub analysis project, they must have repository admin access on GitHub. This is a GitHub permission requirement.

If your GitHub organization has enabled Allow repository admins to install GitHub Apps for their repositories, repository admins can directly install the CodeScan GitHub App on the specific repositories they manage.

However, due to a GitHub limitation, repositories outside their administration are not visible during install and remain inaccessible until the Organization Owner explicitly grants access.
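When a member reports that a repository is not visible in CodeScan, the quickest check is on the GitHub side: is the CodeScan GitHub App installed on the organization at all, is the installation limited to selected repositories, and does the user's installation view include the repository in question. The following Python is an added example, not CodeScan's or AutoRABIT's code. It interprets the parsed JSON of two GitHub REST endpoints, GET /orgs/{org}/installations and GET /user/installations/{installation_id}/repositories, and maps the result to the situations this article describes. The app slug and all sample data are constructed placeholders; in a real run the two JSON documents come from those endpoints.

```python
"""Diagnose why a repository is not visible to a GitHub App installation.

Added example (not CodeScan/AutoRABIT code). Inputs are the parsed JSON of
  GET /orgs/{org}/installations                          -> lists installed apps
  GET /user/installations/{installation_id}/repositories -> repos the current
      user can reach through one installation
Everything below runs offline against constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Placeholder: the real CodeScan app slug is not given on the page.
APP_SLUG = "codescan-app-placeholder"

# Constructed sample response of GET /orgs/acme/installations: one installation,
# restricted to selected repositories.
SAMPLE_INSTALLATIONS = {
    "total_count": 1,
    "installations": [
        {
            "id": 12345,
            "app_slug": APP_SLUG,
            "account": {"login": "acme", "type": "Organization"},
            "repository_selection": "selected",
            "suspended_at": None,
        }
    ],
}

# Constructed sample response of GET /user/installations/12345/repositories:
# the member only sees one of the two repositories they expected.
SAMPLE_REPOS = {
    "total_count": 1,
    "repositories": [{"full_name": "acme/payments", "private": True}],
}


@dataclass
class InstallReport:
    installed: bool
    installation_id: Optional[int] = None
    repository_selection: Optional[str] = None  # "all" or "selected"
    suspended: bool = False
    visible_repos: List[str] = field(default_factory=list)
    missing_repos: List[str] = field(default_factory=list)


def find_installation(installations: Dict, app_slug: str) -> Optional[Dict]:
    """Return the installation entry for app_slug, or None if not installed."""
    for inst in installations.get("installations", []):
        if inst.get("app_slug") == app_slug:
            return inst
    return None


def report(installations: Dict, repos: Dict, expected: List[str],
           app_slug: str = APP_SLUG) -> InstallReport:
    """Compare the repositories a user expects against what the installation exposes."""
    inst = find_installation(installations, app_slug)
    if inst is None:
        return InstallReport(installed=False, missing_repos=sorted(expected))
    visible = sorted(r["full_name"] for r in repos.get("repositories", []))
    return InstallReport(
        installed=True,
        installation_id=inst["id"],
        repository_selection=inst.get("repository_selection"),
        suspended=inst.get("suspended_at") is not None,
        visible_repos=visible,
        missing_repos=sorted(set(expected) - set(visible)),
    )


def explain(r: InstallReport) -> str:
    """Map the report to the remediation an Organization Owner would apply."""
    if not r.installed:
        return ("App is not installed on this organization: an owner must install "
                "it or approve the pending installation request.")
    if r.suspended:
        return "Installation is suspended; an owner must unsuspend it under Organization Settings -> GitHub Apps."
    if r.missing_repos and r.repository_selection == "selected":
        return ("Installation is limited to selected repositories; an owner must "
                "grant the app access to: " + ", ".join(r.missing_repos))
    if r.missing_repos:
        return ("Installation covers all repositories but some are still not "
                "visible; check the user's own repository permissions on GitHub.")
    return "Installation already covers every expected repository."


if __name__ == "__main__":
    result = report(SAMPLE_INSTALLATIONS, SAMPLE_REPOS, ["acme/payments", "acme/billing"])
    print(result)
    print(explain(result))
```

The sample data reproduces the case from the limitation above: the app is installed, but only on repositories the installing admin controls, so acme/billing stays invisible until an owner extends the installation. A user who has not yet been approved shows up as "not installed", which is the cue to check Pending requests.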
