Overview
The GitHub integration monitors your organization’s repositories, branch protection rules, member access, and security configurations. LowerPlane uses read-only access and does not access source code contents.

Authentication

GitHub uses OAuth 2.0 for authentication. When you connect, you’ll be redirected to GitHub to authorize LowerPlane.

Required Permissions (OAuth Scopes)
| Scope | What It Grants | Why LowerPlane Needs It |
|---|---|---|
| repo | Read repository metadata and branch protection | GitHub’s classic OAuth requires this scope to read branch protection settings on private repositories. LowerPlane does not read code contents. |
| read:org | Read organization membership and teams | List organization members for access reviews and offboarding checks |
| admin:org | Read organization settings | Required to check if org-level MFA enforcement is enabled and to filter members by 2FA status |
| user:email | Read authenticated user’s email | Identify the connecting user account |
What LowerPlane Collects
Repository Metadata
Name, visibility, language, default branch, open PR count, contributor count
Branch Protection
Required reviews, status checks, admin enforcement, stale review dismissal
Organization Members
Member list with MFA/2FA status for access reviews
Security Alerts
Dependabot vulnerability alert status per repository
Security Tests
LowerPlane runs 9 automated tests against your GitHub organization:

| Test | Severity | Applies To |
|---|---|---|
| Code repo should be classified | Critical | Each repository |
| Github org level MFA should be enforced | Critical | Organization |
| Github user should have MFA enabled | Critical | Each member |
| Dependabot vulnerability scan should be enabled | Medium | Each repository |
| Code changes should be reviewed by peers before merging | High | Each repository |
| Merging of code changes should require passing status-checks | High | Each repository |
| Branch Protection rules should be enforced | High | Each repository |
| Stale pull request reviews should be dismissed on new commits | Medium | Each repository |
| Github access should be removed for offboarded user | Critical | Each member |
Repository Classification
After connecting, all synced repositories appear in Operations > Repositories. Each repository must be classified:

- Production — All security tests are enforced. Branch protection, peer review, and status checks must be configured.
- Non-production — Automatically marked as compliant. No security checks required.
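To make the branch-protection tests and the classification rule above concrete, here is an added example (not LowerPlane's code) that evaluates one repository's settings against the four branch-protection tests from the Security Tests table. It assumes the JSON shape of GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` response, treats "enforced" as the rule binding administrators (`enforce_admins`), and uses a constructed sample rule rather than data from a real organization.

```python
from typing import Optional

# Test name -> severity, copied from the Security Tests table above.
SEVERITY = {
    "Branch Protection rules should be enforced": "High",
    "Code changes should be reviewed by peers before merging": "High",
    "Merging of code changes should require passing status-checks": "High",
    "Stale pull request reviews should be dismissed on new commits": "Medium",
}


def evaluate_branch_protection(classification: str, protection: Optional[dict]) -> list:
    """Return (test, severity) pairs that FAIL for one repository.

    `protection` is the (assumed) JSON body of GitHub's
    GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint, or None
    when the default branch has no protection rule (GitHub answers 404 then).
    Non-production repositories are compliant by definition, so they yield
    no findings regardless of their settings.
    """
    if classification == "Non-production":
        return []
    if protection is None:
        return list(SEVERITY.items())  # no rule: every test fails at once
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    admins = protection.get("enforce_admins") or {}
    failed = []
    # "Enforced" here means the rule also binds repository administrators.
    if not admins.get("enabled", False):
        failed.append("Branch Protection rules should be enforced")
    # At least one approving review from someone other than the author.
    if reviews.get("required_approving_review_count", 0) < 1:
        failed.append("Code changes should be reviewed by peers before merging")
    # A status-check rule with an empty context list blocks nothing.
    if not checks.get("contexts"):
        failed.append("Merging of code changes should require passing status-checks")
    if not reviews.get("dismiss_stale_reviews", False):
        failed.append("Stale pull request reviews should be dismissed on new commits")
    return [(t, SEVERITY[t]) for t in failed]


# Constructed sample (not captured from a real org): one review required,
# but admins exempt, no status-check contexts, stale reviews kept.
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": False},
    "required_status_checks": {"strict": True, "contexts": []},
    "enforce_admins": {"enabled": False},
}
```

Running `evaluate_branch_protection("Production", SAMPLE_PROTECTION)` reports three failures (admin enforcement, status checks, stale-review dismissal); the same rule on a Non-production repository reports none.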
Connecting
Navigate to Integrations
Go to Settings > Integrations and find GitHub in the Developer Tools category.
Authorize
Review the requested permissions and click Authorize. You must be an organization owner or admin.
Data Access
| Data Type | Access |
|---|---|
| Repository metadata | Read |
| Branch protection rules | Read |
| Organization members | Read |
| Member MFA status | Read |
| Source code / file contents | No access |
| Commit history / diffs | No access |
| Issues / discussions | No access |