GitHub Integration

Integrate GovernanceAI with GitHub to automatically scan repositories for AI model usage, dependencies, and compliance violations.

Setup Process

Step 1: Install GitHub App

  • Go to Integrations → GitHub
  • Click Install GitHub App
  • You’ll be redirected to GitHub
  • Select repositories to authorize (all or specific)
  • Click Install & Authorize
  • You’ll be redirected back to GovernanceAI

Step 2: Configure Scanning

Repository Selection:

  • ✅ Automatic - Scan all existing and new repositories
  • ✅ Manual - Select specific repositories
  • ✅ Pattern-based - Scan repos matching patterns

Scan Settings:

  • Trigger: Push, Pull Request, Scheduled
  • Frequency: Hourly, Daily, Weekly
  • Depth: Full repo scan or recent changes only

Step 3: Webhook Configuration

Webhooks enable real-time scanning:

  • Automatically installed by GitHub App
  • Triggers on: push, pull_request
  • Sends scan results to GovernanceAI
  • Creates GitHub checks on PRs

Automated Scanning

Push Scanning

On every push to the main branch:

Commit → GitHub Webhook → GovernanceAI Scan
├─ Detect LLM usage
├─ Check dependencies
├─ Assess compliance
└─ Generate report

Pull Request Scanning

Automatic checks on every PR:

PR Created → GitHub Webhook → GovernanceAI Scan
├─ Scan diff only (faster)
├─ Report findings
├─ Create check status
└─ Comment with results

Example PR Comment:

GovernanceAI Scan Results
✅ No new AI models detected
⚠️ Updated dependency: openai@1.3.6 (CVE-2024-1234 fixed)
🔍 Compliance: 95% → 96% (improved)
📊 Details:
- Models: 2 (GPT-4, text-embedding-3)
- Dependencies: 45 (3 with vulnerabilities)
- PII detected: 0
[View Full Report](https://app.governanceai.com/scan/123)

Permissions

Required GitHub App Permissions:

| Permission | Purpose |
| --- | --- |
| contents:read | Read repository files |
| pull_requests:read | Read PR information |
| checks:write | Create check runs |
| statuses:write | Update commit status |
| actions:read | Read workflow info |

Not Requested:

  • ❌ Write access to code
  • ❌ Access to secrets or keys
  • ❌ Deployment permissions

GitHub Actions Integration

Workflow Example

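```yaml
name: GovernanceAI Scan

on: [push, pull_request]

# Least privilege for the job's GITHUB_TOKEN; checkout only needs read access.
permissions:
  contents: read

jobs:
  governanceai-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: GovernanceAI Scan
        env:
          GOVERNANCEAI_API_KEY: ${{ secrets.GOVERNANCEAI_API_KEY }}
          # Pass context values through the environment rather than expanding
          # ${{ }} inside the script, so a crafted ref name cannot alter the command.
          REPOSITORY: ${{ github.repository }}
          REF: ${{ github.ref }}
        run: |
          # jq builds the JSON body and escapes the values; curl reads it from stdin.
          jq -nc --arg repository "$REPOSITORY" --arg ref "$REF" \
            '{repository: $repository, ref: $ref, scan_type: "ai_governance"}' |
            curl -X POST https://api.governanceai.com/v1/scans \
              -H "Authorization: Bearer $GOVERNANCEAI_API_KEY" \
              -H "Content-Type: application/json" \
              -d @-
```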

Auto-Discovery

GovernanceAI automatically detects:

  • ✅ LLM calls (OpenAI, Claude, Hugging Face, etc.)
  • ✅ Model training code
  • ✅ AI dependencies (langchain, llamaindex, etc.)
  • ✅ Prompt engineering patterns
  • ✅ Vector database integrations
  • ✅ RAG implementations

Example Detection:

```python
# Auto-detects these patterns
from openai import OpenAI  # ← AI Framework
client = OpenAI()

response = client.chat.completions.create(  # ← LLM Call
    model="gpt-4",
    messages=[...]
)
```
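An added illustration (not GovernanceAI's detection logic, which this page does not describe) of how the two annotated patterns above can be found statically by walking the Python AST, so that mentions in comments or strings are ignored. The package watchlist, call suffixes and function names are assumptions made for this example.

```python
import ast

# Assumed watchlist for this example; a real scanner would carry a much larger one.
AI_PACKAGES = {"openai", "anthropic", "langchain", "llama_index", "transformers"}
LLM_CALL_SUFFIXES = (".chat.completions.create", ".messages.create")

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_ai_usage(source, filename="<memory>"):
    """Return sorted (line, kind, detail) findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]  # module is None for "from . import x"
        else:
            modules = []
        for module in modules:
            if module.split(".")[0] in AI_PACKAGES:
                findings.append((node.lineno, "ai_framework", module))
        if isinstance(node, ast.Call):
            name = dotted_name(node.func) or ""
            if ("." + name).endswith(LLM_CALL_SUFFIXES):
                # Only a literal model name is reported; a variable yields None.
                model = next((kw.value.value for kw in node.keywords
                              if kw.arg == "model" and isinstance(kw.value, ast.Constant)), None)
                findings.append((node.lineno, "llm_call", f"{name} model={model}"))
    return sorted(findings)

# Constructed sample input, modelled on the snippet above.
SAMPLE = '''\
from openai import OpenAI
client = OpenAI()
response = client.chat.completions.create(model="gpt-4", messages=[])
# client.chat.completions.create() in a comment is not a call
'''

if __name__ == "__main__":
    for finding in find_ai_usage(SAMPLE):
        print(finding)
```

A `model=None` finding marks a model chosen at runtime, which is the case an inventory should send for manual review because the static pass cannot name it.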

Troubleshooting

App not appearing in PR checks:

  • Ensure webhook is active
  • Check repository permissions
  • Verify app installation

Scans not triggering:

  • Verify webhook payload (Settings → Developer settings → Webhooks)
  • Check API key is valid
  • Review rate limits

Missing repositories:

  • Reinstall app with more permissions
  • Check organization restrictions
  • Verify branch protection rules

Next Steps

  • GitLab Integration - Connect GitLab
  • Running Scans - Learn about scanning
  • API Reference - Integration APIs