Obsidian
Back to site Book a demo

Connect GitHub repositories

Connect repositories so Obsidian can discover and scan them. Once a repository is connected, the API enqueues a discovery job that your scanner node claims and runs — clone credentials are job-scoped, so a node only ever sees what it needs for that job.

Pick the mode that matches your repositories.

Public repository (no auth)

The quickest path. In the dashboard, add a public repository by URL. The host must be in CRYPTO_DISCOVERY_GITHUB_ALLOWED_HOSTS (defaults to github.com). Obsidian selects the repository for discovery and, when a live scanner node is available, enqueues an immediate discovery job — so a public repo is scanned automatically right after you add it.

GitHub App (private repositories, at scale)

A GitHub App is the recommended way to reach private repositories. Set these on the API:

  • CRYPTO_DISCOVERY_PUBLIC_BASE_URL — your public web origin, for the App setup redirect.
  • CRYPTO_DISCOVERY_GITHUB_APP_ID and CRYPTO_DISCOVERY_GITHUB_APP_SLUG.
  • CRYPTO_DISCOVERY_GITHUB_APP_PRIVATE_KEY_PATH (or …_PEM for an inline key).

Install the App on the organizations or repositories you want to scan. Obsidian validates the setup, then uses short-lived installation tokens to clone — no long-lived secrets are stored.

Fine-grained PAT (a few private repositories)

For a small number of private repositories, connect a fine-grained personal access token. This requires CRYPTO_DISCOVERY_SECRET_KEY so the token can be encrypted at rest. Paste the PAT in the dashboard; Obsidian validates it before storing it.

After connecting

Discovery jobs run on your scanner node — the bundled Docker node, or any node you registered (see Deploy with Docker). Results land in the dashboard; see Read the dashboard. All GitHub settings are in Configuration.