>
    Strata Copilot
    Onboard a GitHub Enterprise App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboard a GitHub Enterprise App to SSPM
    Download PDF
    SaaS Security

    Onboard a GitHub Enterprise App to SSPM

    Table of Contents

    Onboard a GitHub Enterprise App to SSPM

    Connect a GitHub Enterprise instance to SSPM to detect posture risks.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Security Posture Management license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    To detect posture risks in your GitHub Enterprise instance, SSPM connects to the instance by using information that you provide. Once SSPM connects, it scans the GitHub Enterprise instance for misconfigured settings and will continue to run configuration scans at regular intervals.
    For visibility into GitHub Enterprise account risks, you must also onboard GitHub Enterprise for identity scans. This onboarding process is separate from the onboarding process for GitHub Enterprise configuration scans.
    For configuration scans, you can onboard a GitHub Enterprise app by using OAuth 2.0 authorization or by providing SSPM with login credentials.
    If you onboard GitHub Enterprise by using OAuth 2.0, SSPM connects to a GitHub Enterprise API and uses the API to scan your GitHub Enterprise instance. During onboarding, SSPM redirects you to log in to GitHub Enterprise to grant SSPM access to the API scopes that it requires.
    Alternatively, you can onboard GitHub Enterprise by providing administrator login credentials to SSPM. In this case, SSPM completes its scans by using data extraction techniques (also known as web scraping). If you onboard by provided SPSM with login credentials, the administrator account must be configured for multi-factor authentication (MFA) using one-time passcodes.

    Onboard a GitHub Enterprise App to SSPM Using OAuth 2.0

    Connect a GitHub Enterprise instance to SSPM to detect posture risks.
    For SSPM to detect posture risks in your GitHub Enterprise instance, you must onboard your GitHub Enterprise instance to SSPM. Through the onboarding process, SSPM connects to a GitHub API and, through the API, scans your GitHub Enterprise instance for misconfigured settings. If there are misconfigured settings, SSPM suggests a remediation action based on best practices.
    SSPM gets access to your GitHub Enterprise instance through OAuth 2.0 authorization. During the onboarding process, you are prompted to log in to GitHub Enterprise and to grant SSPM the access it requires.
    To onboard your GitHub Enterprise instance, you complete the following actions:
    1. Identify the Administrator Account for Granting SSPM Access
      During the onboarding process, SSPM will redirect you to log in to GitHub Enterprise. After you log in, GitHub Enterprise will prompt you to grant SSPM the access it needs to your GitHub Enterprise instance.
      1. Verify that your account has the permissions that SSPM will require.
        Required Permissions: To grant SSPM the access that it requires, you must log in as an Enterprise Owner or Organization Owner. If you want SSPM to scan multiple organizations, the account must have Owner permissions for all the organizations.
        After SSPM establishes the connection, it will perform an initial scan of your GitHub Enterprise instance, and will then run scans at regular intervals. For SSPM to run these scans, the administrator account that you use to establish the initial connection must remain available. For this reason, we recommend that you use a dedicated service account to grant SSPM access. If you delete the service account, the scans will fail and you will need to onboard GitHub Enterprise again.
      2. Sign out of all GitHub Enterprise accounts.
        Signing out of all GitHub Enterprise accounts helps ensure that you sign in under the correct account during the onboarding process. Some browsers can automatically sign you in by using saved credentials. To ensure that the browser does not automatically sign you in to the wrong account, you can turn off any automatic sign-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
    2. Connect SSPM to Your GitHub Enterprise Instance
      By adding a GitHub Enterprise app in SSPM, you enable SSPM to connect to your GitHub Enterprise instance.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the GitHub Enterprise Beta tile.
      3. On the Posture Security tab, Add New instance.
      4. Log in with Credentials.
      5. Connect.
        SSPM redirects you to the GitHub Enterprise login page.
      6. Enter the credentials for the administrator account that you identified earlier, and log in to GitHub Enterprise.
        GitHub Enterprise displays a consent form that details the access permissions that SSPM requires.
      7. Review the consent form and allow access.

    Onboard a GitHub Enterprise App to SSPM Using Login Credentials

    Connect a GitHub Enterprise instance to SSPM to detect posture risks.
    For SSPM to detect posture risks in your GitHub Enterprise instance, you must onboard your GitHub Enterprise instance to SSPM. Through the onboarding process, SSPM logs in to GitHub Enterprise using administrator account credentials. SSPM uses this account to scan your GitHub Enterprise instance for misconfigured settings. If there are misconfigured settings, SSPM suggests a remediation action based on best practices.
    The GitHub Enterprise administrator account must be configured for multi-factor authentication (MFA), which adds an extra layer of security by requiring a one-time passcode to access the account.
    To onboard your GitHub Enterprise instance, you complete the following actions:
    1. Collect Information for Connecting to Your GitHub Enterprise Instance.
      To access your GitHub Enterprise instance, SSPM requires the following information, which you will specify during the onboarding process.
      ItemDescription
      UsernameThe username of a GitHub administrator.
      (Required Permissions) The administrator must be assigned to the Enterprise Owner role.
      PasswordThe password for the GitHub administrator.
      MFA Secret KeyA key that is used to generate one-time passcodes for multi-factor authentication.
      Organization nameThe name of the GitHub Enterprises organization that SSPM will scan for misconfigured settings.
      As you complete the following steps, make note of the values of the items described in the preceding table. You will need to enter these values during onboarding to access your GitHub Enterprise instance from SSPM.
      1. Identify the GitHub administrator account that SSPM will use to access your GitHub Enterprise instance.
        (Required Permissions) The account must be assigned to the Enterprise Owner role. SSPM needs this level of access to monitor your GitHub Enterprise organization.
      2. Generate and copy an MFA secret key.
        The GitHub Enterprise account must be configured for MFA that requires a time-based one-time passcode (TOTP). TOTPs are generated from authenticator apps such as Microsoft Authenticator by using an MFA secret key. The key is a shared secret between GitHub Enterprise and the authenticator app for generating matching passcodes for verification. Like an authenticator app, SSPM will use the MFA secret key for passcode generation.
        1. Decide which authenticator app you will use and download it to your cellphone. You can use any authenticator app that supports TOTP generation.
        2. Log in to the GitHub administrator account.
        3. Navigate to your profile settings. To navigate to your profile settings, locate your profile icon in the upper-right corner of the page and select <profile-icon> Settings.
        4. From the left navigation pane, select Password and authentication.
        5. Enable two-factor authentication.
        6. On the Two-factor authentication setup page, select the option to Set up using an app.
        7. Follow the onscreen instructions for setting up the authenticator app, but, when the onscreen instructions display a QR code that contains the MFA secret key, don't scan the QR code with your authenticator app. Instead, display the setup key for manual configuration. The setup key is your MFA secret key.
        8. Copy the MFA secret key and paste it into a text file.
          Do not continue to the next step unless you have copied the MFA secret key. You will provide this key to SSPM during the onboarding process.
        9. Continue configuring your authenticator app by scanning the QR code or by manually entering the MFA key. Complete any remaining configuration steps by following the onscreen instructions.
      3. Identify the GitHub Enterprise organization to scan.
        Using GitHub Enterprise, you can manage a single organization or multiple organizations. During onboarding, SSPM prompts you for the name of the organization to scan. If you want to scan multiple organizations, you can onboard each one separately. To view the organizations in your GitHub Enterprise, navigate to your organizations page. To navigate to your organizations page in GitHub Enterprise, locate your profile icon in the upper-right corner of the page and select <profile-icon> Your organizations.
    2. Connect SSPM to Your GitHub Enterprise Instance.
      By adding a GitHub Enterprise app in SSPM, you enable SSPM to connect to your GitHub Enterprise instance.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the GitHub Enterprise tile.
      3. On the Posture Security tab, Add New instance.
      4. Log in with Credentials.
      5. Enter the user credentials, MFA secret key, and the name of the organization that you want SSPM to scan.
      6. Connect.

    Onboard GitHub Enterprise for Identity Scans

    Learn how to connect a GitHub Enterprise instance to SSPM for identity account scans.
    For visibility into GitHub Enterprise account risks, you must onboard GitHub Enterprise for identity scans. This onboarding process is separate from the onboarding process for GitHub Enterprise configuration scans. Unlike other apps that SSPM supports for identity account scans, the onboarding steps for configuration scans will not enable SSPM to detect account risks. The normal onboarding steps can enable scans that detect MFA issues, but cannot enable the scans that detect issues with GitHub Enterprise accounts.
    SSPM gets access to identity information for your GitHub Enterprise instance through a GitHub App (PANW-SSPM-IDENTITY). During onboarding for identity scans, SSPM prompts you to log into your GitLab Enterprise instance as an administrator. After you log in, GitHub Enterprise prompts you to select an organization that you manage. GitHub Enterprise then prompts you to install and grant permissions to the PANW-SSPM-IDENTITY GitHub App. The permissions will enable SSPM to scan member and audit log information to identify account risks.
    By following these steps, you can onboard only one organization. If you want SSPM to perform identity scans for multiple organizations, you can onboard each organization separately. When you later view account risks for your GitHub Enterprise instance, the Identity Security dashboard will show information for all of the organizations that you onboarded.
    1. Identify the GitHub Enterprise administrator account for granting SSPM access.
      Required Permissions: To grant SSPM the access that it requires, you must log in with an administrator account that has permission to the GitHub organization that SSPM will scan.
      After SSPM establishes the connection, it will run scans (Non-Human Identity Scans and Risky Account Scans) to detect issues with accounts for your GitHub Enterprise instance. SSPM will then run these scans at regular intervals. For SSPM to run these scans, the GitHub Enterprise account that you use to establish the initial connection must remain available. For this reason, we recommend that you use a dedicated service account to grant SSPM access. If you delete the service account, or uninstall the the PANW-SSPM-IDENTITY GitHub App, the scans will fail and you will need to onboard GitHub Enterprise for identity scans again.
    2. Sign out of all GitHub Enterprise accounts.
      Signing out of all GitHub Enterprise accounts helps ensure that you sign in under the correct account during the onboarding process. Some browsers can automatically sign you in by using saved credentials. To ensure that the browser does not automatically sign you in to the wrong account, you can turn off any automatic sign-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
    3. Connect to your Github Enterprise instance and enable identity scans.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityIdentity and Add Provider.
      3. Click the Github Enterprise Identity tile, and Add New instance.
      4. Log in with Credentials.
      5. Connect.
        SSPM redirects you to the Github Enterprise login page.
      6. Enter the credentials for the administrator account that you identified earlier, and log in to GitHub Enterprise.
      7. Github Enterprise prompts you to select an organization. Select the organization that you want SSPM to scan for account risks.
      8. GitHub Enterprise prompts you to install and authorize the PANW-SSPM-IDENTITY GitHub App. Select All Repositories and Install & Authorize.

    © 2026 Palo Alto Networks, Inc. All rights reserved.