
GitHub App — install and configuration

The NoDowntimeShield GitHub App scans every PR and (optionally) every push for leaked secrets, vulnerable dependencies, SAST findings, and risky code patterns.

Quick install

  1. Dashboard → Integrations → GitHub → Connect.
  2. On GitHub, pick All repositories or Selected repositories.
  3. Approve the permissions (we explain each one in the install screen).
  4. Done. The first scan runs within 60 seconds.

What gets scanned

  • PRs — on every open, sync (new commits pushed to the PR branch) and reopen.
  • Pushes — including squash-merge and force-push (catches secrets that bypass PR review).
  • Whole repository — weekly baseline scan plus on-demand via dashboard.
  • Org-level — branch protection, 2FA enforcement, Actions permissions, CODEOWNERS, deploy keys, outside collaborators.

Auto-resolve and routing

  • Auto-resolve — if a developer pushes a fix in the same PR, the finding closes automatically.
  • Branch protection — when you grant Administration → Write, we add nodowntimeshield/security-scan as a required check on default branches.
  • Routing — per-severity destinations: Slack, Email, WhatsApp, PagerDuty, Jira, Linear.

Live credential validation (opt-in)

When enabled, we call the issuing service's identity endpoint (AWS STS, Stripe /v1/account, GitHub /user, OpenAI /v1/models, SendGrid /v3/user/profile) with a 2-second timeout. A key the service accepts is bumped to critical; a key that fails the format check stays at medium. Disabled by default.
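The rules above (format check first, then an opt-in live check under a hard timeout, with critical for a confirmed-live key and medium for a malformed one) as an added example, not NoDowntimeShield's own code. The format patterns are illustrative, the severity given to a well-formed key that is not confirmed live ("high") is an assumption the article does not state, and no real service is contacted: the checkers are constructed stand-ins that return a fixed answer or deliberately exceed the timeout.

```python
"""Added example (not NoDowntimeShield's code): severity triage for a
candidate secret, following the help text's rules. A candidate is matched
against a format pattern first; a malformed key stays at "medium". If live
validation is opted in, an injected checker runs under a hard timeout (the
article uses 2 seconds); a key the checker confirms as live is raised to
"critical". Everything else is an assumption made here, not the product's
documented behaviour.
"""
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, Optional
import re
import time

# Illustrative format patterns (assumed for this example only).
FORMATS = {
    "aws_access_key_id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "github_pat": re.compile(r"^ghp_[A-Za-z0-9]{36}$"),
}

# Assumed: severity for a well-formed key that was not confirmed live
# (live check disabled, timed out, errored, or the service rejected it).
DEFAULT_SEVERITY = "high"

@dataclass
class Finding:
    kind: str
    severity: str   # "medium" | "high" | "critical"
    reason: str

# A live checker takes the candidate and returns True if the service accepts it.
LiveChecker = Callable[[str], bool]

def call_with_timeout(fn: LiveChecker, arg: str, timeout_s: float) -> Optional[bool]:
    """Run fn(arg) on a worker thread; return None on timeout or error.

    shutdown(wait=False) matters: a 'with' block would join the worker and
    silently defeat the timeout when the remote service hangs.
    """
    pool = ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(fn, arg)
    try:
        return fut.result(timeout=timeout_s)
    except FutureTimeout:
        return None
    except Exception:
        return None
    finally:
        pool.shutdown(wait=False)

def triage(kind: str, candidate: str,
           live_check: Optional[LiveChecker] = None,
           timeout_s: float = 2.0) -> Finding:
    """Classify one candidate secret; live_check=None means opt-in is off."""
    if not FORMATS[kind].match(candidate):
        return Finding(kind, "medium", "malformed: does not match expected format")
    if live_check is None:
        return Finding(kind, DEFAULT_SEVERITY, "well-formed; live validation disabled")
    result = call_with_timeout(live_check, candidate, timeout_s)
    if result is None:
        return Finding(kind, DEFAULT_SEVERITY, "well-formed; live check timed out or errored")
    if result:
        return Finding(kind, "critical", "live: issuing service accepted the credential")
    return Finding(kind, DEFAULT_SEVERITY, "well-formed; issuing service rejected it")

# Constructed stand-in checkers; a real one would call the identity endpoint.
def stub_live(_c: str) -> bool:
    return True

def stub_revoked(_c: str) -> bool:
    return False

def stub_slow(_c: str) -> bool:
    time.sleep(0.5)   # simulates a hanging service; must not stall triage
    return True

# Constructed sample values; neither is a real credential.
SAMPLE_WELL_FORMED = "AKIAEXAMPLEKEY000000"
SAMPLE_MALFORMED = "AKIA-not-a-real-key"

if __name__ == "__main__":
    for name, chk in [("live", stub_live), ("revoked", stub_revoked), ("slow", stub_slow)]:
        f = triage("aws_access_key_id", SAMPLE_WELL_FORMED, chk, timeout_s=0.1)
        print(f"{name:8s} -> {f.severity:8s} {f.reason}")
    print(triage("aws_access_key_id", SAMPLE_MALFORMED, stub_live))
```

The timeout wrapper is the part worth copying: without `shutdown(wait=False)` a hung identity endpoint would hold the scan open for as long as the request library allows, which is exactly what the 2-second cap is meant to prevent.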

Uninstalling

GitHub Settings → Applications → NoDowntimeShield → Uninstall. Finding history is retained for 30 days.