GitHub Integration

Integrate GovernanceAI with GitHub to automatically scan repositories for AI model usage, dependencies, and compliance violations.

Setup Process

Step 1: Install GitHub App

Go to Integrations → GitHub
Click Install GitHub App
You’ll be redirected to GitHub
Select repositories to authorize (all or specific)
Click Install & Authorize
You’ll be redirected back to GovernanceAI

Step 2: Configure Scanning

Repository Selection:

✅ Automatic - Scan all existing and new repositories
✅ Manual - Select specific repositories
✅ Pattern-based - Scan repos matching patterns

Scan Settings:

Trigger: Push, Pull Request, Scheduled
Frequency: Hourly, Daily, Weekly
Depth: Full repo scan or recent changes only

Step 3: Webhook Configuration

Webhooks enable real-time scanning:

Automatically installed by GitHub App
Triggers on: push, pull_request
Sends scan results to GovernanceAI
Creates GitHub checks on PRs

Automated Scanning

Push Scanning

On every push to main branch:

Commit → GitHub Webhook → GovernanceAI Scan
  ├─ Detect LLM usage
  ├─ Check dependencies
  ├─ Assess compliance
  └─ Generate report

Pull Request Scanning

Automatic checks on every PR:

PR Created → GitHub Webhook → GovernanceAI Scan
  ├─ Scan diff only (faster)
  ├─ Report findings
  ├─ Create check status
  └─ Comment with results

Example PR Comment:

GovernanceAI Scan Results
✅ No new AI models detected
⚠️ Updated dependency: openai@1.3.6 (CVE-2024-1234 fixed)
🔍 Compliance: 95% → 96% (improved)
📊 Details:
- Models: 2 (GPT-4, text-embedding-3)
- Dependencies: 45 (3 with vulnerabilities)
- PII detected: 0
[View Full Report](https://app.governanceai.com/scan/123)

Permissions

Required GitHub App Permissions:

Permission	Purpose
`contents:read`	Read repository files
`pull_requests:read`	Read PR information
`checks:write`	Create check runs
`statuses:write`	Update commit status
`actions:read`	Read workflow info

Not Requested:

❌ Write access to code
❌ Access to secrets or keys
❌ Deployment permissions

GitHub Actions Integration

Workflow Example

1 name: GovernanceAI Scan
2 
3 on: [push, pull_request]
4 
5 jobs:
6   governanceai-scan:
7     runs-on: ubuntu-latest
8     steps:
9       - uses: actions/checkout@v3
10 
11       - name: GovernanceAI Scan
12         env:
13           GOVERNANCEAI_API_KEY: ${{ secrets.GOVERNANCEAI_API_KEY }}
14         run: |
15           curl -X POST https://api.governanceai.com/v1/scans \
16             -H "Authorization: Bearer $GOVERNANCEAI_API_KEY" \
17             -d '{
18               "repository": "${{ github.repository }}",
19               "ref": "${{ github.ref }}",
20               "scan_type": "ai_governance"
21             }'

Auto-Discovery

GovernanceAI automatically detects:

✅ LLM calls (OpenAI, Claude, Hugging Face, etc.)
✅ Model training code
✅ AI dependencies (langchain, llamaindex, etc.)
✅ Prompt engineering patterns
✅ Vector database integrations
✅ RAG implementations

Example Detection:

1 # Auto-detects these patterns
2 from openai import OpenAI  # ← AI Framework
3 client = OpenAI()
4 
5 response = client.chat.completions.create(  # ← LLM Call
6     model="gpt-4",
7     messages=[...]
8 )

Troubleshooting

App not appearing in PR checks:

Ensure webhook is active
Check repository permissions
Verify app installation

Scans not triggering:

Verify webhook payload (Settings → Developer settings → Webhooks)
Check API key is valid
Review rate limits

Missing repositories:

Reinstall app with more permissions
Check organization restrictions
Verify branch protection rules

Next Steps

GitLab Integration - Connect GitLab
Running Scans - Learn about scanning
API Reference - Integration APIs