Overview
The GitHub integration polls the GitHub Organization Audit Log API and ingests events covering:
- Repository creation, deletion, visibility changes, and pushes
- Team and member additions, removals, and role changes
- Secret scanning and code scanning alerts
- OAuth app and personal access token activity
- Branch protection and security policy changes
Prerequisites
- A GitHub organization on a plan that includes the audit log API (GitHub Enterprise Cloud or Enterprise Server).
- Permission to create a Personal Access Token (PAT) on an account that is an organization owner.
Step 1: Create a Personal Access Token in GitHub
- Sign in to GitHub with the organization owner account.
- Go to Settings → Developer settings → Personal access tokens → Tokens (classic).
- Click Generate new token (classic).
- Name it atatus-siem and select the following scopes:
  - read:audit_log
  - read:org
- Click Generate token and copy the value (starts with ghp_). It is shown only once.
- If your organization enforces SSO, click Configure SSO next to the token and authorize it for the org.
Tip: For finer-grained control, use a Fine-grained personal access token scoped to the single organization with Read access to audit log.
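A pre-flight check for the classic token from Step 1, added here as an example (it is not Atatus or GitHub code): `review_scopes` compares the `X-OAuth-Scopes` response header GitHub returns for classic tokens against the two scopes listed above and reports missing and surplus scopes. The function names, the parent-scope mapping and the sample header values are assumptions made for this example.

```python
import urllib.error
import urllib.request

REQUIRED = {"read:audit_log", "read:org"}   # scopes listed in Step 1
# Classic-PAT parent scopes that also grant a required scope (assumed mapping).
IMPLIED_BY = {
    "read:audit_log": {"audit_log"},
    "read:org": {"write:org", "admin:org"},
}


def review_scopes(header_value):
    """Compare an X-OAuth-Scopes header value against the Step 1 scopes."""
    granted = {s.strip() for s in header_value.split(",") if s.strip()}
    missing = sorted(
        need for need in REQUIRED
        if need not in granted and not (IMPLIED_BY[need] & granted)
    )
    excess = sorted(granted - REQUIRED)   # anything beyond least privilege
    return {"missing": missing, "excess": excess}


def fetch_scopes(token, org):
    """Make one audit-log request; return (HTTP status, scopes header)."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/audit-log?per_page=1",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("X-OAuth-Scopes", "")
    except urllib.error.HTTPError as err:   # error responses still carry headers
        return err.code, err.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed header values, not captured from a real token.
    for sample in ("read:audit_log, read:org", "repo, admin:org", ""):
        print(repr(sample), "->", review_scopes(sample))
```

A non-empty `excess` list means the token carries more access than the integration needs; regenerate it with only the two scopes before pasting it into Atatus.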
Step 2: Connect GitHub in Atatus
- In Atatus, go to Security → Cloud SIEM → Integrations.
- Locate the GitHub card and click Connect.
- Fill in the form:
| Field | Description | Example |
|---|---|---|
| Personal Access Token | The PAT created in Step 1. | ghp_xxxxxxxxxxxxxxxxxxxx |
| Organization | GitHub organization login name. | my-org |
| Poll Interval (minutes) | How often to fetch new events. | 5 |
| Enabled | Turn collection on. | true |
- Click Connect.
Verification
- The GitHub card shows Configured.
- Audit events appear in Security → Cloud SIEM → Audit Logs → Events with source github_audit.