GitHub Connector
The GitHub connector syncs organization members, teams, and repository permissions from your GitHub organization.
What Gets Synced
- Organization Members - Users with access to your organization
- Teams - Team structure and memberships
- Repositories - Repository metadata
- Permissions - Team and individual access levels to repositories
Prerequisites
- GitHub organization (personal accounts not supported)
- Personal access token with appropriate scopes
Required Permissions
Create a personal access token with these scopes:
Classic Tokens
- `read:org` - Read org and team membership
- `repo` - Access repository information (or `public_repo` for public repos only)
Fine-Grained Tokens (Recommended)
- Organization permissions:
  - Members: Read-only
  - Administration: Read-only (optional, for SCIM email lookup)
- Repository permissions:
  - Metadata: Read-only
  - Administration: Read-only
Setup Instructions
Step 1: Create a Personal Access Token
Classic Token:
- Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
- Click "Generate new token (classic)"
- Select scopes: `read:org`, `repo` (or `public_repo`)
- Generate and copy the token
Fine-Grained Token:
- Go to GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Click "Generate new token"
- Select your organization as the resource owner
- Grant permissions:
  - Organization: Members (Read-only)
  - Repository: Metadata (Read-only)
- Generate and copy the token
Step 2: Get Your Organization Name
Your organization name is in the URL: https://github.com/ORG-NAME
Step 3: Configure in Open-SSPM
- Open the Open-SSPM web UI
- Go to Settings → Connectors
- Click "Configure" on the GitHub card
- Enter:
  - Organization: your org name (e.g., `acme-corp`)
  - Token: the personal access token
  - Enable SCIM Lookup: toggle on (optional, see below)
- Click "Save"
SCIM Email Lookup
GitHub organization members may not have public email addresses. Enable SCIM lookup to:
- Query your IdP (Okta/Azure AD) for user emails
- Improve identity matching accuracy
- Link more GitHub accounts to identities
Requirements:
- GitHub organization must have SCIM provisioning enabled
- Your IdP must be configured for GitHub provisioning
Connector Settings
| Setting | Required | Description |
|---|---|---|
| Organization | Yes | GitHub organization name |
| Token | Yes | Personal access token |
| Enable SCIM Lookup | No | Look up emails via SCIM API |
Environment Variables
Override the sync interval:
```bash
SYNC_GITHUB_INTERVAL=30m
```
Adjust concurrent workers (GitHub has aggressive rate limits):
```bash
SYNC_GITHUB_WORKERS=6
```
Troubleshooting
"Not Found" error
- Verify the organization name is correct (case-sensitive)
- Ensure the token has access to the organization
"Bad credentials" error
- Token may be expired or revoked
- Generate a new token and update the connector
Rate limiting
GitHub has strict rate limits (5,000 requests/hour for classic tokens). If you hit limits:
- Increase sync interval: `SYNC_GITHUB_INTERVAL=60m`
- Reduce worker count: `SYNC_GITHUB_WORKERS=1`
- Use fine-grained tokens (may have higher limits)
Missing repositories
- Check if repositories are private and token has `repo` scope
- Verify the organization member has access to those repositories
Missing member emails
- GitHub users may not have public emails
- Enable SCIM lookup if your org uses SCIM provisioning
- Manually link unmatched accounts in the UI
Data Retention
- Member and team data updates with each sync
- Repository permissions reflect current state
- Historical permission changes are not tracked
Security Best Practices
- Use fine-grained tokens - More secure than classic tokens
- Minimal permissions - Only request read access
- Token rotation - Regenerate tokens periodically
- Dedicated account - Consider using a service account (not a personal account)
- Monitor token usage - Review GitHub security logs
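To check the "minimal permissions" point for a classic token, the following added example (not part of Open-SSPM) compares the scopes GitHub reports in the `X-OAuth-Scopes` response header with the scopes listed on this page. The function names and sample header values are assumptions made for illustration; fine-grained tokens use permissions rather than scopes, so this check applies to classic tokens only.

```python
"""Audit a classic token's scopes against the scopes this page asks for."""
import urllib.request

# Scopes the page lists for classic tokens.
ORG_READ = {"read:org"}
REPO_READ = {"repo", "public_repo"}
# Broader GitHub scopes that include read:org; more than a read-only sync needs.
ORG_SUPERSETS = {"write:org", "admin:org"}


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value into a set of scope names."""
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_scopes(header_value):
    """Return (missing, excess) for a classic token's X-OAuth-Scopes value."""
    granted = parse_scopes(header_value)
    missing = []
    if not granted & (ORG_READ | ORG_SUPERSETS):
        missing.append("read:org")
    if not granted & REPO_READ:
        missing.append("repo or public_repo")
    # Anything beyond the page's scopes is unnecessary privilege.
    excess = sorted(granted - ORG_READ - REPO_READ)
    return missing, excess


def fetch_scope_header(token, api_base="https://api.github.com"):
    """Live check: read X-OAuth-Scopes from an authenticated API response."""
    req = urllib.request.Request(
        api_base + "/user",
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes")


if __name__ == "__main__":
    # Constructed header values, not captured from a real token.
    for sample in ("read:org, repo", "admin:org, repo, delete_repo", "public_repo"):
        print(sample, "->", audit_scopes(sample))
```

For a live check, pass the result of `fetch_scope_header(token)` to `audit_scopes`; a non-empty `excess` list means the token should be regenerated with fewer scopes.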
GitHub Enterprise Server
For GitHub Enterprise Server (self-hosted), set the API base URL:
API Base URL: https://your-ghe-server.com/api/v3
Leave blank for GitHub.com (default: https://api.github.com).
Next Steps
After configuring GitHub:
- Run initial sync
- Review organization members in Identities
- Check which users have access to which repositories
- Link any unmatched GitHub accounts to identities