Integrate with GitHub
Follow this step-by-step guide to allow SlashID to monitor and protect your GitHub organization or personal account. This integration enables SlashID to track users, teams, repository access, GitHub App installations, secrets, and security alerts.
Before starting
Before starting, ensure you have:
- Organization owner (admin) access to your GitHub organization, or ownership of your personal account
- Access to your GitHub organization or account settings
SlashID connects via a GitHub App installation — no personal access tokens or long-lived credentials are stored. The SlashID backend mints short-lived installation access tokens using the App's private key.
Step 1: Install the SlashID GitHub App
Go to https://github.com/apps/slashid-sync-adapter and click Install.
Select the target organization (or your personal account) as the account to install the app on.
Select All repositories (or restrict to specific repositories if preferred).
Click Install to complete the installation.
Step 2: Find the Installation ID
After installing the app:
Go to your GitHub organization → Settings → Integrations → GitHub Apps. (For a personal account: Settings → Applications → Installed GitHub Apps.)
Find the SlashID app in the list and click Configure.
The Installation ID is the numeric suffix in the browser URL:
https://github.com/organizations/<org>/settings/installations/<installation_id>
Copy this number — you will need it in the next step.
Step 3: Create the GitHub connection in SlashID
Go to the SlashID Console > Identity Protection > Configuration > Integrations. Click Add integration.
Select GitHub from the list of providers.
Enter your connection details:
| Field | Description | Example |
|---|---|---|
| Name | Arbitrary name for this connection | GitHub Production |
| Authoritative status | Whether GitHub identities are the primary source of truth when reconciling across providers | Primary or Secondary |
| Installation ID | The numeric installation ID from Step 2 | 12345678 |
Configure the sync depth options (see Sync Depth Configuration below).
Click Connect to test the connection and complete the integration.
SlashID will automatically detect the account name and type (organization or personal account) from the installation.
Sync Depth Configuration
SlashID lets you control how deeply it syncs resource types that can generate large volumes of data:
| Field | Description | Values |
|---|---|---|
| issue_sync_depth | Controls which repository issues are synced | none, open_only, all |
| pr_sync_depth | Controls which pull requests are synced | none, open_only, all |
| alert_sync_depth | Controls which security alerts (Dependabot, code scanning, secret scanning) are synced | none, open_only, all |
Value meanings:
- none — do not sync this resource type
- open_only — sync only open/active items (recommended default; reduces API quota usage)
- all — sync all items including closed/resolved ones
Start with open_only for all three fields. Switch to all only if you need historical closed issues, merged PRs, or resolved alerts for compliance or audit purposes.
GitHub Enterprise (Server or Cloud with IP allow lists)
GitHub Enterprise Server (self-hosted): set the Base URL field to your instance's API root (e.g. https://github.example.com). Leave it unset for github.com.
GitHub Enterprise Cloud with IP allow lists: either grant the SlashID GitHub App the "Trust this app to bypass the IP allow list" option during installation, or allowlist SlashID's egress IPs (below).
If your endpoint or tenant restricts traffic by source IP, allow connections from SlashID's egress IPs published at https://cdn.slashid.com/egress.json. The list is global and stable; the syncToken field changes whenever the IPs change, so you can use it to detect drift.
The file follows the JAFAR draft format (A JSON-Based Format for Publishing IP Ranges of Automated HTTP Clients), the same convention major cloud providers use to publish their IP ranges.
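The drift check described above, as an added example (not SlashID's code): it compares a stored copy of egress.json with a fresh one, reports which ranges were added or removed, and flags content that changed without a new syncToken. Only the syncToken field comes from this page; the other field names and all values in the samples are constructed, so the ranges are found by walking the document rather than by name.

```python
import hashlib
import ipaddress
import json

def extract_networks(node):
    """Collect every string value that parses as an IP address or CIDR.

    Schema-agnostic: only the syncToken field is named on the page, so no
    other field name is relied on here.
    """
    found = set()
    if isinstance(node, dict):
        for value in node.values():
            found |= extract_networks(value)
    elif isinstance(node, list):
        for value in node:
            found |= extract_networks(value)
    elif isinstance(node, str):
        try:
            found.add(ipaddress.ip_network(node, strict=False))
        except ValueError:
            pass  # not an address or range
    return found

def fingerprint(doc):
    """Hash everything except syncToken, to catch edits that skip a token bump."""
    body = {k: v for k, v in doc.items() if k != "syncToken"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def check_drift(previous, current):
    """Compare the stored copy of egress.json with a freshly fetched one."""
    old_nets, new_nets = extract_networks(previous), extract_networks(current)
    token_changed = previous.get("syncToken") != current.get("syncToken")
    return {
        "token_changed": token_changed,
        "added": sorted(str(n) for n in new_nets - old_nets),
        "removed": sorted(str(n) for n in old_nets - new_nets),
        "silent_change": not token_changed
        and fingerprint(previous) != fingerprint(current),
    }

# Constructed samples: "prefixes"/"ipv4Prefix"/"ipv6Prefix" and the token values
# are placeholders, and the ranges are RFC 5737 / RFC 3849 documentation ranges.
OLD = {"syncToken": "constructed-1", "prefixes": [
    {"ipv4Prefix": "192.0.2.0/24"}, {"ipv6Prefix": "2001:db8::/32"}]}
NEW = {"syncToken": "constructed-2", "prefixes": [
    {"ipv4Prefix": "192.0.2.0/24"}, {"ipv4Prefix": "198.51.100.0/24"}]}

if __name__ == "__main__":
    print(json.dumps(check_drift(OLD, NEW), indent=2))
```

Run it on a schedule against the previously saved copy and update your allow list from the added and removed entries. A silent_change result means the file changed without a new syncToken and is worth a manual look before any rule is altered.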
Required GitHub App permissions
The SlashID GitHub App requests the following permissions:
| Permission | Required for |
|---|---|
| Members (read) | Org members, teams |
| Administration (read) | Org-level PATs, GitHub App installations |
| Secrets (read) | Org secrets, repo secrets |
| Repository contents (read) | Repository metadata |
| Environments (read) | Environments |
| Pull requests (read) | Pull requests |
| Issues (read) | Issues |
| Vulnerability alerts (read) | Dependabot alerts |
| Code scanning alerts (read) | Code scanning alerts |
| Secret scanning alerts (read) | Secret scanning alerts |
| Metadata (read) | Repository metadata (required by GitHub) |
Verification
After successful integration, SlashID will:
- Sync member data: Import all organization members, their roles, and team memberships
- Monitor teams: Track all teams, their members, and repository access
- Catalog repositories: Index all repositories and their access permissions
- Track installed apps: Monitor OAuth apps and GitHub App installations and their permissions
- Scan secrets: Identify Actions secrets and their repository/environment scope
- Detect security alerts: Surface Dependabot, code scanning, and secret scanning findings
It may take a few minutes for the initial data sync, after which you can start exploring security events in the Identity Protection Dashboard.
Troubleshooting
"installation_id is required" or "401 Unauthorized"
- Verify the Installation ID by going to your org's GitHub Apps settings page and checking the URL.
- Ensure the SlashID GitHub App is still installed on your organization and has not been suspended.
"403 Forbidden" or "Resource not accessible by integration"
- The app may not have been granted access to all repositories. Reconfigure the installation to allow All repositories.
- Some permissions (e.g. code scanning, secret scanning) require GitHub Advanced Security to be enabled on the repository or organization.
Security alerts not appearing
- Ensure Dependabot alerts, code scanning, or secret scanning are enabled on your GitHub organization.
- Set alert_sync_depth to open_only or all (not none).
Rate limit errors
- GitHub App installations get up to 15,000 API requests/hour. SlashID automatically retries with backoff when rate limits are encountered — the sync will complete once limits reset.