
GitHub Integration User Guide

Last updated on Dec 19, 2025

Humadroid Compliance Platform


Overview

Humadroid's GitHub integration automatically collects compliance evidence from your GitHub organization. Once connected, it continuously monitors your organization's security settings, access controls, and code security features, gathering evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks.

Key Benefits

  • Automated evidence collection - No more manual screenshots or exports

  • Compliance-focused collection - Evidence collected on schedule (weekly or monthly)

  • Auto-verification - Most evidence sources are automatically checked against compliance rules

  • Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

Security Model

  • Read-only access - Humadroid cannot modify your GitHub organization or repositories

  • GitHub App authentication - Secure, fine-grained permissions per repository

  • Installation tokens - Short-lived tokens (1 hour) instead of persistent OAuth tokens

  • External ID protection - Unique installation ID prevents unauthorized access

  • Full audit trail - All API calls can be tracked in GitHub's audit log (Enterprise)


Evidence Sources

The GitHub integration collects 12 distinct evidence types across four categories:

Organization & Access Management

Organization 2FA Status

  • Description: Verifies 2FA is required and enabled for all organization members

  • Frequency: Monthly

  • Auto-Verify: Yes

Organization Members

  • Description: Lists all organization members with roles and activity

  • Frequency: Monthly

  • Auto-Verify: No

Team Permissions

  • Description: Documents team membership and repository access

  • Frequency: Monthly

  • Auto-Verify: No

Outside Collaborators

  • Description: Lists external users with repository access

  • Frequency: Monthly

  • Auto-Verify: Yes

Repository Security

Branch Protection Rules

  • Description: Collects branch protection settings for all repositories

  • Frequency: Monthly

  • Auto-Verify: Yes

Repository Visibility

  • Description: Inventories repository visibility (public/private/internal)

  • Frequency: Monthly

  • Auto-Verify: Yes

Required Reviews

  • Description: Collects pull request review requirements by repository

  • Frequency: Monthly

  • Auto-Verify: Yes

Deploy Keys

  • Description: Audits SSH deploy keys across repositories

  • Frequency: Monthly

  • Auto-Verify: Yes

Security Scanning

Secret Scanning

  • Description: Verifies secret scanning is enabled and checks for alerts

  • Frequency: Monthly

  • Auto-Verify: Yes

Dependabot Alerts

  • Description: Collects Dependabot configuration and vulnerability alerts

  • Frequency: Monthly

  • Auto-Verify: Yes

Code Scanning

  • Description: Verifies CodeQL/code scanning is enabled and checks findings

  • Frequency: Monthly

  • Auto-Verify: Yes

Audit & Logging

Audit Log

  • Description: Collects organization audit log events (Enterprise only)

  • Frequency: Monthly

  • Auto-Verify: No


SOC 2 Control Coverage

The GitHub integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security

The entity implements logical access security software, infrastructure, and architectures to protect information assets

  • Organization 2FA Status - Multi-factor authentication is required for all members

  • Organization Members - Complete inventory of users with access

  • Team Permissions - Access is organized through teams with defined permissions

CC6.2 - User Registration and Authorization

Prior to issuing system credentials and granting access, the entity registers and authorizes new users

  • Organization Members - Complete inventory of all registered users

  • Outside Collaborators - External users are tracked and authorized

CC6.3 - Removal of Access Rights

The entity removes credentials and disables system access when no longer required

  • Audit Log - Access changes are logged (Enterprise)

  • Organization Members - Current membership can be compared over time

CC6.6 - Logical Access Security Measures

The entity implements controls to prevent or detect and act upon unauthorized logical access

  • Branch Protection Rules - Code access is controlled through branch protection

  • Repository Visibility - Repositories are properly classified (public/private)

  • Deploy Keys - SSH keys for automated access are tracked

CC7 - System Operations

CC7.1 - Security Monitoring

The entity monitors system components for anomalies and security events

  • Secret Scanning - Leaked secrets are detected automatically

  • Dependabot Alerts - Vulnerable dependencies are identified

  • Code Scanning - Security vulnerabilities in code are detected

CC7.2 - Security Event Logging

The entity identifies and logs security events

  • Audit Log - Security-relevant events are logged (Enterprise)

CC7.3 - Security Incident Response

The entity evaluates security events and responds to identified incidents

  • Secret Scanning - Leaked secrets are identified for remediation

  • Dependabot Alerts - Vulnerabilities are tracked for response

  • Code Scanning - Code security issues are tracked for resolution

CC8 - Change Management

CC8.1 - Change Management

The entity authorizes, documents, and controls infrastructure changes

  • Branch Protection Rules - Code changes require specific workflows

  • Required Reviews - Changes require peer review before merge

  • Code Scanning - Automated security validation of changes


ISO 27001:2022 Control Coverage

The GitHub integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control

Rules to control physical and logical access to information and other associated assets shall be established and implemented

  • Organization 2FA Status - Strong authentication is enforced

  • Organization Members - Access is granted to authorized users

  • Team Permissions - Access is organized through teams

A.5.16 - Identity Management

The full life cycle of identities shall be managed

  • Organization Members - Complete inventory of identities

A.5.17 - Authentication Information

Allocation and management of authentication information shall be controlled

  • Organization 2FA Status - 2FA is properly configured

A.5.18 - Access Rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed

  • Audit Log - Access changes are logged (Enterprise)

  • Outside Collaborators - External access is tracked

  • Team Permissions - Team-based access is documented

A.8 - Technological Controls

A.8.3 - Information Access Restriction

Access to information and other associated assets shall be restricted

  • Branch Protection Rules - Code access is restricted

  • Repository Visibility - Data exposure is controlled

A.8.9 - Configuration Management

Configurations shall be established, documented, implemented, monitored and reviewed

  • Branch Protection Rules - Security configurations are documented

A.8.12 - Data Leakage Prevention

Data leakage prevention measures shall be applied

  • Secret Scanning - Secrets in code are detected

  • Repository Visibility - Public exposure is monitored

  • Dependabot Alerts - Vulnerable code is identified

A.8.15 - Logging

Logs that record activities shall be produced, stored, protected and analysed

  • Audit Log - Organization activity is logged (Enterprise)

A.8.16 - Monitoring Activities

Networks, systems and applications shall be monitored for anomalous behaviour

  • Secret Scanning - Secret leakage is monitored

  • Dependabot Alerts - Vulnerability alerts are monitored

  • Code Scanning - Code security is continuously monitored

A.8.25 - Secure Development Life Cycle

Rules for the secure development of software and systems shall be established and applied

  • Branch Protection Rules - Development workflows are enforced

  • Required Reviews - Code review is required

  • Code Scanning - Security testing is automated

A.8.28 - Secure Coding

Secure coding principles shall be applied to software development

  • Code Scanning - Security vulnerabilities are detected

  • Dependabot Alerts - Insecure dependencies are identified

  • Secret Scanning - Hardcoded secrets are detected

A.8.31 - Separation of Development, Test and Production Environments

Development, testing and production environments shall be separated and secured

  • Branch Protection Rules - Branch policies enforce environment separation

  • Repository Visibility - Repository access is properly segmented


Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

Organization 2FA Status

  • 2FA required for organization: Required

  • Member 2FA coverage: 100%

  • Maximum organization owners: 5 (configurable)

Branch Protection

  • Default branch protected: 100% (for applicable repos)

  • Require pull requests: Required

  • Required approving reviews: 1+

  • Dismiss stale reviews: Recommended

  • Enforce on administrators: Recommended

  • Require status checks: Recommended

Repository Visibility

  • Allow public repositories: No (configurable)

  • Maximum public repositories: 0 (configurable)

Required Reviews

  • Reviews required coverage: 100%

  • Minimum reviewers: 1

Secret Scanning

  • Secret scanning enabled: 100%

  • Push protection enabled: Recommended

  • Maximum open alerts: 0

Dependabot

  • Dependabot enabled: 100%

  • Maximum critical alerts: 0

  • Maximum high alerts: 0 (configurable)

  • Auto security updates: Recommended

Code Scanning

  • Code scanning enabled: 80% (configurable)

  • Maximum critical alerts: 0

  • Maximum high alerts: 0 (configurable)

Deploy Keys

  • Maximum key age: 90 days (configurable)

  • Read-only keys preferred: Recommended

Outside Collaborators

  • Maximum collaborators with admin: 0

  • All collaborators documented: Required
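As an added example (not Humadroid's own code), the Branch Protection thresholds above applied to collected evidence: hard thresholds (default branch protected, pull requests required, 1+ approving reviews) become failures, and the items marked "Recommended" become advisories. The records are constructed samples shaped like the fields GitHub's branch-protection REST API returns; the shape of Humadroid's stored evidence is an assumption here.

```python
"""Apply the page's Branch Protection verification rules to sample evidence.

Added example; the record layout mirrors GitHub's branch-protection API
fields (an assumption about how the evidence is stored, not Humadroid's schema).
"""

# Constructed sample: one compliant repo, one with gaps, one unprotected.
SAMPLE_REPOS = [
    {"repo": "acme/api", "default_branch": "main", "protection": {
        "required_pull_request_reviews": {
            "required_approving_review_count": 2, "dismiss_stale_reviews": True},
        "enforce_admins": {"enabled": True},
        "required_status_checks": {"contexts": ["ci/test"]}}},
    {"repo": "acme/web", "default_branch": "main", "protection": {
        "required_pull_request_reviews": {
            "required_approving_review_count": 0, "dismiss_stale_reviews": False},
        "enforce_admins": {"enabled": False},
        "required_status_checks": None}},
    {"repo": "acme/infra", "default_branch": "main", "protection": None},
]


def check_repo(record):
    """Return (failures, recommendations) for one repository's default branch."""
    failures, recommendations = [], []
    prot = record.get("protection")
    if not prot:
        # No protection at all: every hard rule fails, nothing else to inspect.
        return ["default branch not protected"], recommendations
    reviews = prot.get("required_pull_request_reviews")
    if reviews is None:
        failures.append("pull requests not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            failures.append("fewer than 1 approving review required")
        if not reviews.get("dismiss_stale_reviews"):
            recommendations.append("dismiss stale reviews")
    if not (prot.get("enforce_admins") or {}).get("enabled"):
        recommendations.append("enforce on administrators")
    if not prot.get("required_status_checks"):
        recommendations.append("require status checks")
    return failures, recommendations


def verify_branch_protection(records):
    """Aggregate per-repo results; coverage must be 100% of repos to pass."""
    results = {r["repo"]: check_repo(r) for r in records}
    compliant = sum(1 for fails, _ in results.values() if not fails)
    coverage = compliant / len(records) if records else 0.0
    return {"pass": coverage == 1.0, "coverage": coverage, "results": results}
```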


Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source

Organization 2FA Status

  • CC6.1: Yes

Organization Members

  • CC6.1: Yes

  • CC6.2: Yes

  • CC6.3: Yes

Team Permissions

  • CC6.1: Yes

Outside Collaborators

  • CC6.2: Yes

Branch Protection

  • CC6.6: Yes

  • CC8.1: Yes

Repository Visibility

  • CC6.6: Yes

Required Reviews

  • CC8.1: Yes

Deploy Keys

  • CC6.6: Yes

Secret Scanning

  • CC7.1: Yes

  • CC7.3: Yes

Dependabot Alerts

  • CC7.1: Yes

  • CC7.3: Yes

Code Scanning

  • CC7.1: Yes

  • CC7.3: Yes

  • CC8.1: Yes

Audit Log

  • CC6.3: Yes

  • CC7.2: Yes

ISO 27001 Controls by Evidence Source

Organization 2FA Status

  • A.5.15: Yes

  • A.5.17: Yes

Organization Members

  • A.5.15: Yes

  • A.5.16: Yes

Team Permissions

  • A.5.15: Yes

  • A.5.18: Yes

Outside Collaborators

  • A.5.18: Yes

Branch Protection

  • A.8.3: Yes

  • A.8.9: Yes

  • A.8.25: Yes

  • A.8.31: Yes

Repository Visibility

  • A.8.3: Yes

  • A.8.12: Yes

  • A.8.31: Yes

Required Reviews

  • A.8.25: Yes

Deploy Keys

  • (No specific ISO 27001 controls mapped)

Secret Scanning

  • A.8.12: Yes

  • A.8.16: Yes

  • A.8.28: Yes

Dependabot Alerts

  • A.8.12: Yes

  • A.8.16: Yes

  • A.8.28: Yes

Code Scanning

  • A.8.16: Yes

  • A.8.25: Yes

  • A.8.28: Yes

Audit Log

  • A.5.18: Yes

  • A.8.15: Yes


Getting Started

To set up the GitHub integration:

  1. Navigate to Settings > Integrations > GitHub

  2. Click Install GitHub App

  3. Select your GitHub organization

  4. Choose repository access (all repositories recommended)

  5. Approve the permissions

  6. Enable evidence sources for your compliance controls

For detailed setup instructions, see the GitHub App Setup Guide.


GitHub Permissions Required

The integration uses a GitHub App with the following permissions:

Repository Permissions (Read-only)

Administration

  • Description: Branch protection, settings

  • Used For: Branch protection rules, repo configuration

Metadata

  • Description: Basic repository information

  • Used For: Repository listing (auto-granted)

Secret scanning alerts

  • Description: View secret scanning alerts

  • Used For: Secret scanning status and alerts

Dependabot alerts

  • Description: View Dependabot alerts

  • Used For: Vulnerability monitoring

Code scanning alerts

  • Description: View code scanning alerts

  • Used For: CodeQL and security findings

Organization Permissions (Read-only)

Members

  • Description: Organization membership

  • Used For: Member listing, 2FA status

Administration

  • Description: Organization settings

  • Used For: 2FA requirement, org configuration


GitHub Plan Feature Matrix

Free Plan

  • Organization 2FA enforcement: Yes

  • Branch protection: Yes

  • Required reviews: Yes

  • Secret scanning (public repos): Yes

  • Secret scanning (private repos): No

  • Push protection: No

  • Dependabot alerts: Yes

  • Code scanning: Yes

  • Audit log (web UI): No

  • Audit log (API): No

  • IP allow lists: No

  • SAML SSO: No

Team Plan

  • Organization 2FA enforcement: Yes

  • Branch protection: Yes

  • Required reviews: Yes

  • Secret scanning (public repos): Yes

  • Secret scanning (private repos): Yes*

  • Push protection: Yes*

  • Dependabot alerts: Yes

  • Code scanning: Yes

  • Audit log (web UI): Yes

  • Audit log (API): No

  • IP allow lists: No

  • SAML SSO: No

*Requires GitHub Advanced Security add-on

Enterprise Plan

  • Organization 2FA enforcement: Yes

  • Branch protection: Yes

  • Required reviews: Yes

  • Secret scanning (public repos): Yes

  • Secret scanning (private repos): Yes

  • Push protection: Yes

  • Dependabot alerts: Yes

  • Code scanning: Yes

  • Audit log (web UI): Yes

  • Audit log (API): Yes

  • IP allow lists: Yes

  • SAML SSO: Yes


Support

If you need help with your GitHub integration: