Most security platforms treat GitHub as an afterthought. CloudVista runs 13 automated security checks across your GitHub organisation — branch protection, secret scanning, Dependabot, Actions permissions, org 2FA — and surfaces findings alongside your AWS, Azure, OCI, and GCP posture in one place.
GitHub is where your code lives, your CI/CD pipelines run, and your secrets often end up. It's also the vector for some of the highest-profile supply chain attacks in the last five years — from SolarWinds to the GitHub Actions token compromise affecting thousands of repositories.
Yet most cloud security tools stop at the cloud provider boundary. They scan your AWS S3 buckets and Azure VMs, but leave your GitHub repositories completely unaudited. The result: security teams pass SOC 2 audits with open Dependabot alerts, unprotected default branches, and GitHub Actions workflows that can write to any repository.
CloudVista adds GitHub as a first-class provider — the same way it treats AWS, Azure, OCI, and GCP. Security checks run automatically on your sync schedule. Findings appear in your unified posture score. Compliance evidence is collected for your auditors.
Key stat: According to GitHub's own 2024 security report, 40% of enterprise organisations have at least one repository with branch protection disabled on the default branch. CloudVista surfaces this in seconds after connecting.
When you connect a GitHub organisation to CloudVista, the following resource types are inventoried on each sync:
| Resource Type | Attributes Inventoried |
|---|---|
| Organisation | Name, 2FA enforcement status, verified domains, billing plan |
| Repository | Visibility, branch protection, default branch, archived status, last push, topics |
| Workflow (GitHub Actions) | Workflow name, path, state, last run status, permissions scope |
| Deploy Key | Per-repository deploy keys, read/write flag, created date, expiry status |
| Member | Login, organisation role (member/owner), 2FA enabled status |
All resource data is stored in CloudVista's inventory and searchable from the main inventory view. You can filter by repository visibility, branch protection status, or member 2FA state — the same way you filter EC2 instances or Azure VMs.
CloudVista runs the following checks automatically on each sync. Findings include the affected repository or resource, severity, and compliance control mappings.
| Check | Severity | What It Detects |
|---|---|---|
| Branch Protection Missing | High | Default branch has no branch protection rule configured |
| Force Push Allowed | High | Branch protection exists but allows force pushes, enabling history rewrite |
| No Required Reviews | Medium | Branch protection does not require at least one pull request review before merge |
| Secret Scanning Disabled | Critical | GitHub's native secret scanning is not enabled for the repository |
| Public Secret Scanning Alerts Open | Critical | One or more detected secrets remain unresolved in the repository |
| Dependabot Disabled | High | Dependabot security updates are not enabled, leaving vulnerable dependencies untracked |
| Dependabot Alerts Open | High | One or more open Dependabot vulnerability alerts in the repository |
| GitHub Actions Write Permissions | High | Default workflow permissions are set to read/write rather than read-only |
| Actions Allowed from Any Repo | Medium | Organisation allows GitHub Actions from any source, not just verified or in-org actions |
| CODEOWNERS File Missing | Medium | Repository has no CODEOWNERS file defining required reviewers for protected paths |
| Org 2FA Not Enforced | Critical | The GitHub organisation does not require two-factor authentication for all members |
| Default Branch Not Protected | High | The repository's default branch (typically main or master) has no protection rules |
| Deploy Keys Without Expiry | Medium | Repository deploy keys with write access have no expiry date set |
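As an added illustration (not CloudVista's code), the Python below evaluates six of the checks in the table above against the response bodies of the GitHub REST endpoints that expose them: `GET /orgs/{org}`, `GET /orgs/{org}/actions/permissions`, `GET /repos/{owner}/{repo}`, `GET /repos/{owner}/{repo}/branches/{branch}/protection` and `GET /repos/{owner}/{repo}/actions/permissions/workflow`. The field names follow GitHub's documented response shapes as assumed here, and all payloads are constructed samples so the script runs offline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    check: str       # name as in the checks table above
    severity: str
    resource: str    # "org" or "org/repo"

def check_repo(org, repo, protection, workflow_perms):
    """repo: GET /repos/{o}/{r}; protection: GET .../branches/{default}/protection
    (None when GitHub answered 404, i.e. no rule); workflow_perms: GET .../actions/permissions/workflow."""
    name = f"{org}/{repo['name']}"
    findings = []
    if protection is None:
        findings.append(Finding("Branch Protection Missing", "High", name))
    else:
        if (protection.get("allow_force_pushes") or {}).get("enabled", False):
            findings.append(Finding("Force Push Allowed", "High", name))
        reviews = protection.get("required_pull_request_reviews") or {}
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append(Finding("No Required Reviews", "Medium", name))
    scanning = (repo.get("security_and_analysis") or {}).get("secret_scanning") or {}
    if scanning.get("status") != "enabled":
        findings.append(Finding("Secret Scanning Disabled", "Critical", name))
    if workflow_perms.get("default_workflow_permissions") == "write":
        findings.append(Finding("GitHub Actions Write Permissions", "High", name))
    return findings

def check_org(org, actions_perms):
    """org: GET /orgs/{org}; actions_perms: GET /orgs/{org}/actions/permissions."""
    findings = []
    if not org.get("two_factor_requirement_enabled", False):
        findings.append(Finding("Org 2FA Not Enforced", "Critical", org["login"]))
    if actions_perms.get("allowed_actions") == "all":  # "local_only"/"selected" are the safer settings
        findings.append(Finding("Actions Allowed from Any Repo", "Medium", org["login"]))
    return findings

# Constructed sample payloads (not real API responses) for a weakly configured org and repo.
SAMPLE_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_ORG_ACTIONS = {"allowed_actions": "all"}
SAMPLE_REPO = {"name": "payments", "default_branch": "main",
               "security_and_analysis": {"secret_scanning": {"status": "disabled"}}}
SAMPLE_PROTECTION = {"allow_force_pushes": {"enabled": True},
                     "required_pull_request_reviews": {"required_approving_review_count": 0}}
SAMPLE_WORKFLOW_PERMS = {"default_workflow_permissions": "write"}

def sample_report():
    return check_org(SAMPLE_ORG, SAMPLE_ORG_ACTIONS) + check_repo(
        SAMPLE_ORG["login"], SAMPLE_REPO, SAMPLE_PROTECTION, SAMPLE_WORKFLOW_PERMS)
```

A 404 from the branch-protection endpoint is the normal signal that no rule exists, so a real collector must treat that status as "missing" rather than as an error.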
Every GitHub security check in CloudVista is mapped to one or more compliance framework controls. When a check fails, the finding includes the specific control IDs it violates — making evidence collection and audit preparation straightforward.
| Check Category | CIS GitHub | SOC 2 | ISO 27001 | NIST SP 800-53 |
|---|---|---|---|---|
| Branch Protection | 1.1, 1.2, 1.3 | CC8.1 | A.12.1.2 | CM-2, CM-3 |
| Secret Scanning | 2.1, 2.2 | CC6.1 | A.9.4, A.12.6 | AC-3, SC-28 |
| Dependabot / Vulnerabilities | 3.1, 3.2 | CC7.1 | A.12.6.1 | SI-2, SI-3 |
| Actions Permissions | 4.1, 4.2 | CC6.6 | A.9.2, A.9.4 | AC-6, CM-7 |
| Org 2FA Enforcement | 1.5 | CC6.1 | A.9.3, A.9.4 | IA-2, IA-5 |
Compliance findings feed directly into the CloudVista compliance posture dashboard. If you're tracking SOC 2 readiness, your GitHub posture score is included alongside your AWS and Azure scores. Evidence snapshots are captured automatically for audit export.
Connecting a GitHub organisation takes under 5 minutes. You need a GitHub Personal Access Token (PAT) with the following read-only scopes:
`repo`, `read:org`, `read:user`, `security_events`
No write access is required at any level. CloudVista only calls GitHub's REST API — it never reads, stores, or transmits code content.
Security note: CloudVista recommends using fine-grained PATs with organisation resource owner scope rather than classic tokens. Fine-grained tokens allow you to restrict access to specific repositories and set a mandatory expiry date.
CloudVista runs 13 automated GitHub security checks: branch protection missing, force push allowed, no required reviews, secret scanning disabled, public secret scanning alerts open, Dependabot disabled, Dependabot alerts open, GitHub Actions write permissions, GitHub Actions allowed from any repo, CODEOWNERS file missing, org 2FA not enforced, default branch not protected, and deploy keys without expiry.
CloudVista uses a Personal Access Token (PAT) with four read-only scopes: `repo`, `read:org`, `read:user`, and `security_events`. No write access is required. The token is AES-256 encrypted at rest. CloudVista calls GitHub's REST API only — no code content is ever read or stored.
Yes. CloudVista shows findings from all connected providers in a single unified view. You can filter by provider (GitHub, AWS, Azure, OCI, GCP, VMware), severity, status, or compliance framework — across your entire estate in one table.
No. CloudVista does not read code content. For secret scanning, CloudVista reads the count of open secret scanning alerts from GitHub's native scanner via the security_events API scope. The actual secret details remain in GitHub — CloudVista only surfaces whether open alerts exist and how many.
GitHub is supported as a provider on the free tier. The free plan covers up to 100 resources across all connected providers — GitHub repositories, members, and workflows all count toward this limit. Security checks and compliance mapping are included on all plans.
Yes. Each GitHub organisation is added as a separate credential in CloudVista. There is no limit on the number of organisations you can connect. Findings and inventory from all organisations appear in the unified view with an organisation label for easy filtering.
Connect your GitHub organisation and get your first 13-check security report in under 5 minutes — no agents, no code access, no configuration beyond a read-only PAT.