Skip to main content
With the GitHub integration, you can connect your repositories to Plerion Code Security. This enables automatic scanning for IaC and SCA issues, giving developers early feedback and helping teams resolve issues before they reach production.

Steps to integrate GitHub with Plerion

1

On the Plerion dashboard, go to Settings > Integrations

Plerion dashboard showing Settings expanded with Integrations selected
2

Find GitHub and click the + button

Add a GitHub integration
3

Click on Install GitHub app

Install GitHub app option in Plerion
4

Select the repositories to monitor and click Install

GitHub installation screen showing repository selection
5

After installation, you will be redirected to the Plerion platform

Plerion integration page showing GitHub connected

Configuring your GitHub integration

Once installed, you can configure the GitHub integration to suit your workflows. These options control when and how scans run, how findings are handled, and what rules apply.

Integration status

Controls whether Plerion Code Security is active.
  • Default: Enabled
  • When disabled: Pauses all scanning activities, including scheduled and pull request scans
  • Recommendation: Keep enabled unless there is a specific need to pause
Integration status toggle in Plerion

Scheduled scans

Runs automatic daily scans of your main branches.
  • Default: Enabled
  • Purpose: Ensures continuous monitoring of production-ready code
  • Key points:
    • No manual input required
    • Helps identify risks over time
    • Best for stable branches
Scheduled scans configuration in Plerion

Pull request scanning

Scans code in new and updated pull requests.
  • Default: Enabled
  • What it does:
    • Scans only changes in the pull request
    • Posts findings as comments in GitHub
    • Uses GitHub status checks to block insecure merges
  • Supported file types: YAML, Terraform, JSON, and other IaC files
  • Why it matters: Prevents vulnerabilities from merging, encourages secure practices, and improves developer awareness
Pull request scanning configuration in Plerion

Tolerance for blocking pull requests

Controls when pull requests are blocked based on severity.
  • Default: Do not block pull requests
  • Options:
    • Only block for critical findings
    • Block for high and critical findings
    • Block for medium and above findings
    • Block for any finding
    • Do not block pull requests
  • Best use: Choose based on your team’s risk tolerance, development velocity, and compliance needs
Tolerance configuration options in Plerion

Profile

Defines which detection rules are used during scans.
  • Default: Organization’s default profile
  • Options: Use an existing profile or create a new one
  • Where to manage: Detection Settings
  • Best use: Align with coding standards, risk tolerance, and compliance needs
Profile selection in Plerion GitHub integration

Workflow artifact scanning

Scan GitHub workflow artifacts for security issues.
  • Default: Disabled
  • What it does:
    • Scans GitHub workflow artifacts uploaded within a pull request
    • Posts findings as comments in GitHub
    • Uses GitHub status checks to block insecure merges
  • Supported frameworks: AWS CDK (Cloud Development Kit), AWS Serverless Application Model (SAM), OpenTofu, and other frameworks that generate a CloudFormation template or a Terraform plan before deployment
  • Why it matters: Allows scanning a wider range of IaC framework files for security issues before merging pull requests
Workflow artifact scanning configuration in Plerion

Best practices

  • Keep the integration enabled for continuous coverage
  • Use scheduled scans to secure long-term branches
  • Enable PR scanning to prevent insecure code from merging
  • Set PR blocking tolerance based on your security posture
  • Select a detection profile that matches your organization’s needs