Big Cranium Logo White.png
TrainingHelp Center
Find the insights and best practices about our product.
General
FAQs
System & Network Requirements
Getting Started
My AI Dashboard Overview
Release Notes
2026.4.2 Release Notes
2026.4.1 Release Notes
2026.3.1 Release Notes
2026.2.2 Release Notes
2026.2.1 Release Notes
2026.1.1 Release Notes
2025.12.1 Release Notes
2025.11.1 Release Notes
2025.10.3 Release Notes
2025.10.1 Release Notes
2025.9.1 Release Notes
2025.8.1 Release Notes
2025.7.1 Release Notes
2025.4.1 Release Notes
2025.3.1 Release Notes
2025.1.1 Release Notes
2024.12.1 Release Notes
AI Manager
My AI Systems
My AI Systems Overview
AI System Details Overview
Adding a New AI System
Self-Attesting to a Compliance Framework
Compliance Scoring
Compliance Agent [Beta]
My AI Supply Chain
Supply Chain Overview
Managing Outgoing AI Card Requests
Responding to an AI Card Request
Publishing an AI Card Without a Request
My Vendors Overview
Artifacts
Bill of Materials
Bill of Materials Overview
Creating a Bill of Materials with CodeSensor
Self-Attest to a Bill of Materials
AgentSensor Overview
Technology Search Overview
Document Library
Document Library Overview
Vulnerability Management
Arena Shield
Arena Shield Overview
Shield YAML Implementation Guide
Arena
AI Arena Overview
Vulnerability Assessment
Vulnerability Management
Vulnerability Assessment Overview
Accessing a Vulnerability Assessment
Adversarial Inputs Detector
Vulnerabilities Overview
Settings
User Manager Overview
Detect AI
Integrations
Accessing a Private VCS
Registering SSH for CodeSensor
Integrating Bitbucket with Cranium
Integrating GitHub with Cranium
Integrating GitLab with Cranium
Integrating Azure DevOps with Cranium
Continuous Monitoring Overview
VCS Service Rate Limits
CloudSensor
CloudSensor Overview
Public API
Public API Overview
Authentication & Generating Credentials
Pagination & Incremental Sync
Rate Limits & Error Handling
Endpoint Reference
Bills of Materials
Technology Vulnerabilities
Arena Models
Arena Model Vulnerabilities
Home
Settings
Integrations
Integrating GitHub w...
Integrating GitHub with Cranium

This guide explains how to connect your GitHub repositories to Cranium for Detect AI and CodeSensor scans. For general information about VCS integrations, see Accessing a Private VCS.

GitHub Service Types

Cranium supports three types of GitHub deployments:

  • GitHub is the standard cloud-hosted service available at github.com. This is GitHub's public platform where most open source and commercial projects are hosted. GitHub automatically provides access to all repositories the authenticating user or app can access across any organization they belong to.
  • GitHub Enterprise Cloud is GitHub's enhanced cloud offering that provides advanced security, compliance, and administrative features while still being hosted by GitHub. Like standard GitHub, it uses GitHub's centralized infrastructure and does not require custom URLs. Authentication automatically discovers all accessible organizations and repositories.
  • GitHub Enterprise Server is a self-hosted solution that organizations run on their own infrastructure. Because each organization hosts GitHub on their own domain, Cranium requires the full URL to locate and connect to your specific instance. This allows Cranium to direct API requests to your self-hosted GitHub server rather than to GitHub's cloud infrastructure.

Authentication Methods

GitHub integrations support three authentication methods:

  • OAuth provides a streamlined authentication flow where you authorize Cranium to access your GitHub account through GitHub's standard OAuth protocol. This method automatically handles token refresh and works well for individual users or smaller teams that need quick setup without app installation overhead.
  • App (GitHub App) provides the most secure and granular permission model with higher rate limits for API requests. When you authenticate with App, Cranium presents a GitHub App that you install in your organization. This method automatically handles token refresh, provides detailed audit logs in GitHub, and allows organization admins to review and approve the integration. App authentication is recommended for organizations that require strict access controls, comprehensive audit trails, and need to make frequent API requests without hitting rate limits.
  • Personal Access Token (PAT) uses a manually generated token tied to a specific user account. This method is straightforward to set up and works well for individual developers or smaller teams. However, tokens expire based on your configuration and don't automatically refresh, requiring manual rotation. PATs are tied to the creating user's permissions, so if that user loses access to repositories, Cranium also loses access.

Note:

  • GitHub: OAuth, App, and Personal Access Token authentication are available
  • GitHub Enterprise Cloud: OAuth and Personal Access Token authentication are available
  • GitHub Enterprise Server: Only Personal Access Token authentication is supported

Integrating GitHub (github.com)

Requirements

Depending on your authentication method, you need:

For OAuth

  • Organization Owner permissions or approval from an Organization Owner
  • Access to install GitHub Apps in your organization

For Personal Access Token

  • A Personal Access Token with the following permission:
    • Repository Read

Integration Steps with OAuth

  1. Navigate to Settings > Integrations in the Cranium navigation drawer
  2. Click the blue Add New VCS Integration button
  3. In the integration dialog, provide:
    1. Name: A descriptive name for this integration (e.g., "Production GitHub")
    2. Description: Optional notes about this integration's purpose
    3. Service: Select "GitHub" from the dropdown
    4. Organization Name (optional): Enter your GitHub organization name to limit scanning to only that organization
    5. Authentication Type: Select "OAuth"
  5. Click the blue Connect to GitHub button
  6. A GitHub authorization window will open
  7. Authorize Cranium to access your GitHub account
  8. After authorization completes, the dialog displays "Connected to GitHub"
  9. Click Save

Integration Steps with App (GitHub App)

  1. Navigate to Settings > Integrations in the Cranium navigation drawer
  2. Click the blue Add New VCS Integration button
  3. In the integration dialog, provide:
    1. Name: A descriptive name for this integration (e.g., "Production GitHub")
    2. Description: Optional notes about this integration's purpose
    3. Service: Select "GitHub" from the dropdown
    4. Organization Name (optional): Enter your GitHub organization name to limit scanning to only that organization
    5. Authentication Type: Select "App"
  5. Click the blue Connect to GitHub button
  6. A GitHub authorization window will open
  7. Select the organization where the Cranium AI app should be installed
  8. Keep the default repository selection as All Repositories
  9. Click Authorize & Request
    1. If you have Organization Owner permissions, the app installs immediately
    2. If approval is required, proceed to the approval steps below
  11. After authorization completes, the dialog displays "Connected to GitHub"
  12. Click Save

GitHub App Approval Steps (If Required)

If you don't have permissions to install GitHub Apps, you'll need an Organization Owner to approve:

  1. Contact your Organization Owner or an admin with GitHub App installation permissions
  2. Request approval for the Cranium AI GitHub App
  3. The approver should:
    1. Log in to GitHub
    2. Navigate to the organization page
    3. Click Settings → Third-party Access → GitHub Apps
    4. Find the pending request for Cranium AI
    5. Click Approve to complete the installation
  5. Once approved, your integration in Cranium will become active

Integration Steps with Personal Access Token

  1. Navigate to Settings > Integrations in the Cranium navigation drawer
  2. Click the blue Add New VCS Integration button
  3. In the integration dialog, provide:
    1. Name: A descriptive name for this integration (e.g., "Production GitHub")
    2. Description: Optional notes about this integration's purpose
    3. Service: Select "GitHub" from the dropdown
    4. Organization Name (optional): Enter your GitHub organization name to limit scanning to only that organization
    5. Authentication Type: Select "Personal Access Token"
  5. Paste your Personal Access Token into the Personal Access Token field
  6. Click Save

Creating a GitHub Personal Access Token

  1. Log in to GitHub at github.com
  2. Click your profile icon in the top right corner
  3. Select Settings
  4. Scroll down in the left sidebar and click Developer settings
  5. Click Personal access tokens → Tokens (classic)
  6. Click Generate new token → Generate new token (classic)
  7. Provide a note (e.g., "Cranium Integration")
  8. Set an appropriate expiration date
  9. Select the repo scope (full control of private repositories)
  10. Click Generate token
  11. Copy the generated token immediately (you won't be able to see it again)

Understanding Organization Name (Optional)

When you provide an Organization Name, it acts as a filter for the integration. Cranium will only scan repositories within that specified organization. This is useful when:

  • Your GitHub account has access to multiple organizations
  • You want to limit Cranium's scope to a specific organization
  • You need to create separate integrations for different teams or business units

If you leave Organization Name empty, Cranium will connect to all repositories your authentication method can access across all organizations. For OAuth and App, this means all organizations where you've authorized Cranium or installed the GitHub App. For PAT, this means all repositories the token owner can access.

Integrating with GitHub Enterprise Cloud

Requirements

For OAuth

  • Organization Owner permissions or approval from an Organization Owner

For Personal Access Token

  • A Personal Access Token with the following permission:
  • Repository Read

Integration Steps

The integration steps for GitHub Enterprise Cloud are identical to standard GitHub (see above), with these key differences:

  • Select "GitHub Enterprise Cloud" from the Service dropdown instead of "GitHub"
  • Only OAuth and Personal Access Token authentication methods are available (App authentication is not supported)
  • Organization Name is not required because GitHub Enterprise Cloud uses the same centralized authentication as standard GitHub

GitHub Enterprise Cloud instances still use GitHub's hosted infrastructure, so Cranium automatically discovers accessible organizations through the authentication process without needing explicit organization identifiers.

Integrating with GitHub Enterprise Server

Requirements

To integrate GitHub Enterprise Server with Cranium, you need:

  • The full URL to your GitHub Enterprise Server instance (e.g., https://github.yourcompany.com)
  • A Personal Access Token with the following permission:
    • Repository Read
  • Optionally, your organization name if filtering to a specific organization

Integration Steps

  1. Navigate to Settings > Integrations in the Cranium navigation drawer
  2. Click the blue Add New VCS Integration button
  3. In the integration dialog, provide:
    1. Name: A descriptive name for this integration (e.g., "Engineering GitHub Server")
    2. Description: Optional notes about this integration's purpose
    3. Service: Select "GitHub Enterprise Server" from the dropdown
    4. Base URL: Enter the full URL to your GitHub Enterprise Server instance (e.g., https://github.yourcompany.com)
    5. Organization Name (optional): Enter your organization name to filter scanning to that organization
  5. Paste your Personal Access Token into the Personal Access Token field
  6. Click Save

Why GitHub Enterprise Server Requires a URL

GitHub Enterprise Server runs on infrastructure you control, meaning each installation has a unique domain. Without the Base URL, Cranium wouldn't know where to send API requests. This differs from GitHub and GitHub Enterprise Cloud, which both use GitHub's centralized cloud infrastructure with standardized API endpoints.

Creating a GitHub Enterprise Server Personal Access Token

  1. Log in to your GitHub Enterprise Server instance
  2. Click your profile icon and select Settings
  3. In the left sidebar, click Developer settings
  4. Click Personal access tokens → Tokens (classic)
  5. Click Generate new token → Generate new token (classic)
  6. Provide a note (e.g., "Cranium Integration")
  7. Set an appropriate expiration date
  8. Select the repo scope (Full control of private repositories)
  9. Click Generate token
  10. Copy the generated token immediately (you won't be able to see it again)

Continuous Monitoring

Webhook-triggered BOM rescanning is available for GitHub and GitHub Enterprise Cloud integrations. GitHub Enterprise Server is not currently supported. For setup guidance, see the Continuous Monitoring Overview.

Troubleshooting

  • OAuth authorization fails
    • Ensure you have Organization Owner permissions or that you've requested approval from an organization owner. Check that your organization allows third-party application access in GitHub's security settings.
  • Integration fails to save
    • Verify your Base URL (for Enterprise Server) follows the correct format and that your Personal Access Token has the required permissions.
  • Detect AI cannot access repositories
    • For PAT authentication, ensure your token has permission to access the specific repositories you want to scan. For OAuth and App authentication, verify you've authorized Cranium or installed the GitHub App for the repositories you need.
  • Token expired
    • Personal Access Tokens expire based on the expiration date you set during creation. Generate a new token and update the integration by editing it through the three-dot menu on the integration record.
  • GitHub App requires Organization Owner approval
    • If you see a pending request message, contact your Organization Owner to approve the Cranium AI app installation in your organization's GitHub settings
Did this answer your question?
Related Articles
Accessing a Private VCS
Registering SSH for CodeSensor
Creating a Bill of Materials with CodeSensor
Continuous Monitoring Overview
VCS Service Rate Limits