Connecting source control is the highest-value step: repositories appear directly in the scan flow, scans become repeatable, and remediation stays tied to real code ownership. GitHub.com is a cloud service reachable from anywhere, so no IP allowlisting is required. (Self-managed GitLab and restricted networks are different; see Network & IP allowlist.)

Connect

Gecko connects to GitHub.com through a GitHub App installation. The App grants Gecko scoped, auto-rotating access, with no personal access token to manage.
1. Start the install from Gecko

Go to Settings > Code Settings and click Connect on GitHub. Gecko redirects you to GitHub to install the Gecko App.

2. Choose repositories on GitHub

Install the App on your organization and select All repositories or a specific subset. You can change this selection in GitHub later.

3. Return to Gecko

GitHub redirects back and Gecko records the installation for your team. Selected repositories sync into the dashboard.

4. Scan

Open a repository and run a baseline scan. For pull request scanning, see PR checks.

At scan time, Gecko mints a short-lived GitHub App installation token and uses it to clone over HTTPS. Tokens are minted fresh per scan and expire automatically, so there is no long-lived credential to rotate. Gecko listens for pull_request, issue_comment, and push webhook events, verified with an X-Hub-Signature-256 HMAC signature.
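
The webhook check described above, sketched as an added example (this is not Gecko's code): the receiver recomputes HMAC-SHA256 over the raw request body with the shared webhook secret, compares it to the X-Hub-Signature-256 header in constant time, and only then looks at the event type. The secret, payload and function names are constructed for illustration; X-GitHub-Event is the header GitHub uses to name the event.

```python
import hashlib
import hmac

# Events the page says Gecko listens for.
ALLOWED_EVENTS = {"pull_request", "issue_comment", "push"}
PREFIX = "sha256="


def sign(secret: bytes, body: bytes) -> str:
    """Build the X-Hub-Signature-256 value expected for this body."""
    return PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, body: bytes) -> tuple:
    """Return (accepted, detail) for one webhook delivery.

    `body` must be the raw request bytes; re-serialised JSON will not match.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    sig = h.get("x-hub-signature-256", "")
    if not sig.startswith(PREFIX):
        return False, "missing or non-sha256 signature"
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(sign(secret, body).encode(), sig.encode()):
        return False, "signature mismatch"
    # Check the event type only after the sender is authenticated.
    event = h.get("x-github-event", "")
    if event not in ALLOWED_EVENTS:
        return False, "unsubscribed event: " + (event or "(none)")
    return True, event


# Constructed sample data (not a real secret or delivery).
SECRET = b"constructed-webhook-secret"
BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/app"}}'
GOOD = {"X-GitHub-Event": "push", "X-Hub-Signature-256": sign(SECRET, BODY)}

if __name__ == "__main__":
    print(verify_delivery(SECRET, GOOD, BODY))            # accepted
    print(verify_delivery(SECRET, GOOD, BODY + b" "))     # body altered in transit
    print(verify_delivery(SECRET, {"X-GitHub-Event": "push"}, BODY))  # unsigned
```

A single changed byte in the body fails the check, which is why the signature must be computed before any JSON parsing or normalisation.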

Troubleshooting

Confirm the GitHub App is installed on the right organization and that the repository is included in the App’s repository selection.
Verify the base URL is reachable, the token is active, and it has the repo, read:org, and admin:repo_hook scopes.