Setting up a GitHub Integration

The GitHub integration supports two authentication methods: Personal Access Token (PAT) and GitHub App. Choose the method that best aligns with your organization’s security requirements.

Prerequisites

A CloudQuery Platform account with admin access
A GitHub account with access to the repositories or organizations you want to sync
For GitHub App authentication: organization admin access to create and install apps

GitHub Apps have higher rate limits than personal access tokens. For organizations with many repositories, GitHub App authentication is recommended.

Personal Access Token authentication

Generate a token

Go to your GitHub account Settings
Navigate to Developer settings → Personal access tokens → Tokens (classic)
Click Generate new token and select Generate new token (classic)
Name your token (e.g. cloudquery-readonly)
Set an expiration period
Select the following scopes based on the data you want to sync:

Scope	Required for
`repo` (read-only)	Repository metadata, issues, pull requests, commits
`read:org`	Organization members, teams, settings
`read:user`	User profile information
`read:project`	GitHub Projects data
`read:packages`	GitHub Packages metadata

Click Generate token and copy the token value.

For detailed instructions, see the GitHub personal access token documentation.

Create the integration with PAT

In CloudQuery Platform, go to Data Pipelines → Integrations. Click Create Integration and type GitHub to find the GitHub integration.

Find GitHub Integration

Choose a name for your integration and set up the YAML configuration with PAT authentication:


kind: source
spec:
  name: github
  path: cloudquery/github
  registry: cloudquery
  version: "v15.1.2"
  tables:
    - github_repositories
    - github_issues
    - github_pull_requests
  spec:
    access_token: "${GITHUB_PERSONAL_ACCESS_TOKEN}"
    repos:
      - "<YOUR_ORG>/<YOUR_REPO>"

Add a new secret with Key GITHUB_PERSONAL_ACCESS_TOKEN and paste your token as the Value.

GitHub integration secrets section with a personal access token key-value pair configured

Click Test Connection to verify the setup.

GitHub App authentication

Create a GitHub App

GitHub App authentication provides higher rate limits and fine-grained permissions. For detailed setup instructions, see the GitHub App registration documentation.

Go to your Organization Settings → Developer settings → GitHub Apps → New GitHub App
Configure the app:
- Set a name (e.g. CloudQuery Integration)
- Set the homepage URL to your organization’s URL
- Deselect Webhook (not needed)
- Under Permissions, grant read-only access to the resources you want to sync (e.g., Repository: Contents, Issues, Pull requests, Metadata; Organization: Members)
Click Create GitHub App
On the app settings page, note the App ID
Scroll down to Private keys and click Generate a private key. This downloads a .pem file.
Go to Install App in the left sidebar and install it on your organization. Note the Installation ID from the URL (e.g., https://github.com/settings/installations/<INSTALLATION_ID>)

For a full list of permissions required per resource type, see the GitHub App permissions reference.

Create the integration with GitHub App

In CloudQuery Platform, go to Data Pipelines → Integrations. Click Create Integration and type GitHub to find the GitHub integration.
Choose a name and set up the YAML configuration with App authentication:


kind: source
spec:
  name: github
  path: cloudquery/github
  registry: cloudquery
  version: "v15.1.2"
  tables:
    - github_repositories
    - github_issues
    - github_pull_requests
  spec:
    app_auth:
      - org: <YOUR_ORGANIZATION>
        app_id: "<YOUR_APP_ID>"
        installation_id: "<YOUR_INSTALLATION_ID>"
        private_key: |
          ${GITHUB_APP_PRIVATE_KEY}

Add a new secret with Key GITHUB_APP_PRIVATE_KEY and paste the entire contents of the .pem file as the Value.

GitHub App integration YAML configuration with credential fields

The tables list above is an example. Customize it to include the tables you need. See the GitHub integration tables for the full list.

Click Test Connection to verify the setup.

What gets synced

The GitHub integration syncs repository, organization, and security data. Some of the most commonly used tables include:

Category	Tables	Description
Repositories	`github_repositories`	Repository metadata, settings, visibility
Issues & PRs	`github_issues`, `github_pull_requests`	Issues, pull requests, and their metadata
CI/CD	`github_workflow_runs`	GitHub Actions workflow run history
Security	`github_code_scanning_alerts`, `github_secret_scanning_alerts`	Code scanning and secret scanning findings
Organization	`github_organization_members_with_role`	Org members and their roles

See the full GitHub table list for all available tables.

Verify the integration

After your first sync completes, open the SQL Console and run these queries to confirm data arrived:


-- Count synced repositories
SELECT count(*) FROM github_repositories


-- List synced organizations
SELECT DISTINCT org FROM github_repositories


-- View recent issues
SELECT repository_full_name, title, state, created_at
FROM github_issues
ORDER BY created_at DESC
LIMIT 10


-- Check pull request activity
SELECT repository_full_name, title, state, created_at
FROM github_pull_requests
ORDER BY created_at DESC
LIMIT 10

You can also browse your GitHub resources in the Asset Inventory.

Troubleshooting

Issue	Cause	Fix
`401 Unauthorized`	Invalid or expired token	Generate a new PAT or rotate the GitHub App private key. Verify the secret value in CloudQuery Platform matches.
`403 Forbidden`	Insufficient token scopes	Check that the PAT has the required scopes (see the scopes table above). For GitHub Apps, verify the app has the necessary permissions.
Rate limit exceeded	Too many API requests	GitHub Apps have higher rate limits than PATs. Consider switching to GitHub App authentication. You can also reduce the number of tables or repositories synced.
`404 Not Found`	Repository or organization not accessible	Verify the `repos` or `orgs` values in the YAML match existing repositories/organizations that the token or app has access to.
No data after sync	Empty `repos` or `orgs` list	Verify the `repos` field includes at least one repository in `owner/repo` format, or use `orgs` to sync all repositories in an organization.

Next steps

Set up a sync to schedule when your GitHub data is fetched
Browse synced resources in the Asset Inventory
Run advanced queries in the SQL Console
See the GitHub integration documentation for full configuration options and table reference