GitHub App
A real Check Run on every pull request, with inline annotations on the lines that triggered findings. Branch-protection-aware, no YAML to maintain, and a privacy posture designed so we never see your code at rest.
Install
- Visit /github/install and click "Install on GitHub".
- Choose which repositories the App can see (all, or a specific list).
- Authorize. You'll be redirected back to your dashboard with the App linked to your account.
That's it. There's no workflow file to commit, no secrets to rotate.
What happens on every PR
When a PR opens or updates against a watched repo, the App receives the webhook, pulls the diff, scans it, and reports back as a Check Run.
- Check Run appears in the PR status list with a pass/neutral/fail conclusion.
- Inline annotations are attached to the exact lines that triggered findings — secrets, dangerous APIs, missing security headers in changed files, etc.
- Re-runs happen automatically on every push to the PR branch.
Conclusion mapping
How findings translate to the Check Run's conclusion field:
| Highest finding severity | Check conclusion | Meaning |
|---|---|---|
| Critical or High | failure | Required-status checks fail. Merge blocked if branch protection is on. |
| Medium | neutral | Visible on the PR but does not block merge. |
| Low / Info / Zero | success | Green check. PR is good to merge. |
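As an added example (not the App's own code), here is how the two steps above fit together: parse the PR diff to learn which lines are new, keep only findings on those lines, and emit a Check Run payload whose `conclusion` follows the table above and whose annotations use the Checks API fields `path`, `start_line`, `end_line`, `annotation_level` and `message`. The findings format and the severity-to-`annotation_level` mapping are assumptions; the diff and findings are constructed.

```python
import re
# Conclusion mapping from the table above: highest finding severity -> Check Run conclusion.
SEVERITY_RANK = {"critical": 3, "high": 3, "medium": 2, "low": 1, "info": 1}
CONCLUSION = {3: "failure", 2: "neutral", 1: "success", 0: "success"}
# Assumed mapping onto the Checks API annotation_level values (notice / warning / failure).
ANNOTATION_LEVEL = {3: "failure", 2: "warning", 1: "notice"}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def added_lines(diff: str) -> dict[str, set[int]]:
    """Map each file in a unified diff to the new-file line numbers the diff adds."""
    result, path, line_no = {}, None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                 # new-file header: "+++ b/app/config.py"
            path = raw[4:].removeprefix("b/"); result.setdefault(path, set())
        elif (m := HUNK.match(raw)):               # "@@ -a,b +c,d @@": new-file numbering starts at c
            line_no = int(m.group(1))
        elif raw.startswith("+") and path is not None:
            result[path].add(line_no); line_no += 1
        elif raw.startswith(("-", "\\")):
            continue                               # removed line or "\ No newline": no new-file line
        elif path is not None:
            line_no += 1                           # unchanged context line
    return result

def build_check_run(diff: str, findings: list[dict]) -> dict:
    """Findings are dicts with path, line, severity, message; only added lines get annotated."""
    changed, annotations, highest = added_lines(diff), [], 0
    for f in findings:
        if f["line"] not in changed.get(f["path"], set()):
            continue                               # finding is on a line this PR did not introduce
        highest = max(highest, (rank := SEVERITY_RANK[f["severity"].lower()]))
        annotations.append({"path": f["path"], "start_line": f["line"], "end_line": f["line"],
                            "annotation_level": ANNOTATION_LEVEL[rank], "message": f["message"]})
    return {"conclusion": CONCLUSION[highest],
            "output": {"title": "Security scan", "annotations": annotations}}

# Constructed sample PR diff and findings; line 4 is pre-existing, so its finding is dropped.
SAMPLE_DIFF = """\
+++ b/app/config.py
@@ -1,3 +1,4 @@
 import os
-DEBUG = False
+DEBUG = True
+API_KEY = "placeholder-not-a-real-key"
 PORT = 8080
"""
SAMPLE_FINDINGS = [
    {"path": "app/config.py", "line": 3, "severity": "high", "message": "possible hardcoded secret"},
    {"path": "app/config.py", "line": 2, "severity": "medium", "message": "DEBUG enabled"},
    {"path": "app/config.py", "line": 4, "severity": "critical", "message": "pre-existing line"},
]
```

Because the pre-existing line 4 is never annotated, a critical finding there cannot fail the check; the highest remaining severity (high) drives the `failure` conclusion.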
Permissions requested
The GitHub App asks for the minimum scopes needed to do its job:
- Contents: read, to fetch the diff and changed files.
- Pull requests: write, to post review summaries.
- Checks: write, to publish the Check Run and its annotations.
No write access to repository contents. No access to issues, secrets, or admin.