
GitHub

The GitHub integration detects a variety of user security, data loss prevention, and misconfiguration risks in an integrated GitHub Organization that could leave you and your organization vulnerable.

Integration prerequisites

  • A GitHub account with a Free, Pro, or Enterprise plan
  • Membership to a GitHub Organization with Owner or GitHub App manager permissions

Integration permissions

For the GitHub integration to function, Cloudflare CASB requires the following GitHub API permissions:

| Permission | Access | Description |
| --- | --- | --- |
| Administration | Read-only | View basic administrative information from the account. |
| Members | Read-only | View metadata on organization members. |
| Metadata | Read-only | View metadata surrounding an organization's assets, excluding sensitive private repository information. |
| Organization administration | Read-only | View information on organization settings. |

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the GitHub App permissions reference.

Security findings

The GitHub integration currently scans for the following findings, or security risks.

Repository access

| Finding | Severity | Description |
| --- | --- | --- |
| Repository publicly accessible | Critical | A repository has its visibility set to Public. |
| Repository with outside collaborator | Medium | A user outside of the organization has access to a repository. |
| Public repository without security policy | Medium | A publicly accessible repository does not have a security policy enabled. |
| Repository with deploy key older than 180 days | Low | A repository deploy key has not been rotated in 180 days or more. |

Branches and merges

| Finding | Severity | Description |
| --- | --- | --- |
| Repository Default Branch does not have Branch Protection rules | High | A repository's default branch does not have any branch protection rules enabled. |
| Default Branch Protection does not have PR Review required | High | A repository's default branch does not have a Require pull request reviews before merging rule. |
| Default Branch Protection does not have forced pushes disabled | Medium | A repository's default branch has Allow force pushes enabled. |
| Default Branch Protection does not have stale PR approvals disabled | Medium | A repository's default branch does not have a Dismiss stale pull request approvals when new commits are pushed rule. |
| Default Branch Protection does not have admin restrictions | Low | A repository's default branch does not have a Do not allow bypassing the above settings rule for administrators. |
| Default Branch Protection does not have deletions disabled | Low | A repository's default branch has Allow deletions enabled. |
| Default Branch Protection does not have status check failures disabled | Low | A repository's default branch does not have a Require status checks to pass before merging rule. |

Learn more about GitHub branch protection rules.
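The seven findings in the branches-and-merges table each correspond to one setting on the default branch's protection rule. The following added example (not Cloudflare's or GitHub's code) evaluates constructed branch-protection records and emits the matching findings and severities. The record layout is modelled on the JSON GitHub's "Get branch protection" REST endpoint returns (`required_pull_request_reviews`, `required_status_checks`, `enforce_admins`, `allow_force_pushes`, `allow_deletions`); treating `None` as "no protection at all" and the three sample repositories are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BranchFinding:
    repo: str
    title: str      # finding title exactly as the table names it
    severity: str


# Constructed sample (not real data). Each value is shaped like the JSON that
# GitHub's "Get branch protection" REST endpoint returns for a default branch;
# None stands in for the 404 that endpoint gives when no protection exists.
SAMPLE_PROTECTION = {
    "payments-api": {
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": False,
            "required_approving_review_count": 1,
        },
        # "required_status_checks" absent -> no "Require status checks to pass" rule
        "enforce_admins": {"enabled": False},
        "allow_force_pushes": {"enabled": True},
        "allow_deletions": {"enabled": False},
    },
    "hardened-service": {
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "required_approving_review_count": 2,
        },
        "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
        "enforce_admins": {"enabled": True},
        "allow_force_pushes": {"enabled": False},
        "allow_deletions": {"enabled": False},
    },
    "legacy-scripts": None,
}


def _enabled(protection: dict, key: str) -> bool:
    """Read the {"enabled": bool} sub-object GitHub uses for toggle settings."""
    return bool((protection.get(key) or {}).get("enabled", False))


def evaluate_branch_protection(repo: str, protection) -> list:
    """Apply the 'Branches and merges' findings to one repository's default branch."""
    if protection is None:
        # No rules at all: the broader finding subsumes the individual rule checks.
        return [BranchFinding(repo, "Repository Default Branch does not have Branch Protection rules", "High")]

    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append(BranchFinding(repo, "Default Branch Protection does not have PR Review required", "High"))
    elif not reviews.get("dismiss_stale_reviews", False):
        # Stale-approval dismissal only applies once reviews are required at all.
        findings.append(BranchFinding(repo, "Default Branch Protection does not have stale PR approvals disabled", "Medium"))
    if _enabled(protection, "allow_force_pushes"):
        findings.append(BranchFinding(repo, "Default Branch Protection does not have forced pushes disabled", "Medium"))
    if not _enabled(protection, "enforce_admins"):
        findings.append(BranchFinding(repo, "Default Branch Protection does not have admin restrictions", "Low"))
    if _enabled(protection, "allow_deletions"):
        findings.append(BranchFinding(repo, "Default Branch Protection does not have deletions disabled", "Low"))
    if not protection.get("required_status_checks"):
        findings.append(BranchFinding(repo, "Default Branch Protection does not have status check failures disabled", "Low"))
    return findings


def evaluate_org(protections: dict) -> list:
    """Run the default-branch checks over every repository in an inventory."""
    return [f for repo, prot in protections.items() for f in evaluate_branch_protection(repo, prot)]


if __name__ == "__main__":
    for f in evaluate_org(SAMPLE_PROTECTION):
        print(f"[{f.severity}] {f.repo}: {f.title}")
```

On the sample, `hardened-service` produces no findings, `legacy-scripts` produces only the High "no branch protection rules" finding, and `payments-api` produces four (stale approvals, force pushes, admin bypass, status checks). The absence-of-protection case is handled first so an unprotected branch is reported once rather than as seven separate rule failures.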

Dependencies

| Finding | Severity | Description |
| --- | --- | --- |
| Repository Dependency with Critical vulnerability | Critical | A dependency used in a repository has a critical severity vulnerability. |
| Repository Dependency with High vulnerability | High | A dependency used in a repository has a high severity vulnerability. |
| Repository Dependency with Medium vulnerability | Medium | A dependency used in a repository has a medium severity vulnerability. |
| Repository Dependency with Low vulnerability | Low | A dependency used in a repository has a low severity vulnerability. |

Learn more about GitHub Dependabot alerts.

User accounts

| Finding | Severity | Description |
| --- | --- | --- |
| Organization 2FA disabled | Critical | An organization does not have its organization-wide two-factor authentication (2FA) requirement enabled. |
| Organization Member without 2FA | Medium | A member of the organization does not have two-factor authentication (2FA) enabled. |