Integrating with GitHub
Overview
Jit's GitHub integration enables you to:
- Scan your monitored repositories' default branches for security vulnerabilities and remediate them.
- Perform change-based scans of developers’ PRs (in monitored repositories) for high-severity security vulnerabilities, view explanations of any discovered vulnerabilities, and initiate automated remediations.
- Configure other product/service integrations as code — for cloud, web apps and API security scanning and for 3rd party workflows (e.g. Slack and Jira).
- Run Jit code security scans directly in GitHub using GitHub Actions.
Requirements
When installed, the Jit GitHub app receives the following permissions in GitHub:
- Write access to dedicated Jit files: allows Jit to manage its own files in your repositories.
- Read access to administration, code, issues, and metadata: allows Jit to read the code in monitored repositories.
- Read and write access to actions, checks, pull requests, and workflows: allows Jit to trigger workflows, create and update PR checks, create and update pull requests, and modify workflow files.
- Read and write access to content: allows Jit to detect vulnerabilities in code and open remediation PRs (on a new branch).
- Read access to members: allows Jit to verify that only members of your organization can log in to the Jit platform.
- (Required only for future features) Read and write access to deployments: allows Jit to run security requirements on new deployments and block deployments based on security findings.
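Because the app holds write access to workflows and repository contents, it is worth confirming after installation that the grant matches this list and nothing more, and re-checking it when the app requests new permissions. The script below is an added example, not part of Jit's documentation or tooling. It audits the permissions GitHub reports for an installation (obtained with `gh api /orgs/<ORG>/installations`, which requires an organization-admin token) against the list above. The mapping from the page's wording to GitHub's permission keys, the sample response and the app slug `jit-ci` are assumptions made for the example.

```python
"""Least-privilege audit of an installed GitHub App's permissions.

Added example, not Jit's own tooling. EXPECTED is transcribed from the
permission list on this page; mapping the page's wording onto GitHub's
installation-permission keys is an assumption made here:
  "dedicated Jit files"  -> single_file
  "code" and "content"   -> contents (the write grant is the effective one)
  "deployment"           -> deployments
Real input comes from:  gh api /orgs/<ORG>/installations   (needs admin:org)
"""
import json
import sys

EXPECTED = {
    "single_file": "write",
    "administration": "read",
    "contents": "write",
    "issues": "read",
    "metadata": "read",
    "actions": "write",
    "checks": "write",
    "pull_requests": "write",
    "workflows": "write",
    "members": "read",
    "deployments": "write",  # page: required only for future features
}

# GitHub reports permission levels as strings; order them for comparison.
LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}


def audit_permissions(granted, expected=EXPECTED):
    """Compare a granted permission map against the expected one.

    Returns {"missing": {...}, "excess": {...}} where each entry maps a
    permission key to {"expected": level, "granted": level}. "missing"
    means the app cannot work as documented; "excess" means it holds
    more than the documentation says it needs and should be reviewed.
    """
    missing, excess = {}, {}
    for key, want in expected.items():
        have = granted.get(key, "none")
        if LEVEL.get(have, 0) < LEVEL[want]:
            missing[key] = {"expected": want, "granted": have}
    for key, have in granted.items():
        want = expected.get(key, "none")
        if LEVEL.get(have, 0) > LEVEL.get(want, 0):
            excess[key] = {"expected": want, "granted": have}
    return {"missing": missing, "excess": excess}


def audit_listing(listing, app_slug):
    """Find the installation for app_slug in a /orgs/{org}/installations
    response and audit it. Returns None when the app is not installed."""
    for inst in listing.get("installations", []):
        if inst.get("app_slug") == app_slug:
            report = audit_permissions(inst.get("permissions", {}))
            # "all" means every current and future repo is covered by the grant
            report["repository_selection"] = inst.get("repository_selection")
            return report
    return None


# Constructed sample: one installation that lacks "members" and carries an
# extra "secrets" grant the page never lists. The slug "jit-ci" is a stand-in.
SAMPLE_LISTING = {
    "total_count": 1,
    "installations": [{
        "id": 1,
        "app_slug": "jit-ci",
        "repository_selection": "all",
        "permissions": {
            "single_file": "write", "administration": "read",
            "contents": "write", "issues": "read", "metadata": "read",
            "actions": "write", "checks": "write", "pull_requests": "write",
            "workflows": "write", "deployments": "write",
            "secrets": "read",
        },
    }],
}


def main(argv):
    """Usage: audit.py <app_slug> [listing.json]   (reads stdin if no file)."""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    if len(argv) > 2:
        with open(argv[2]) as fh:
            listing = json.load(fh)
    else:
        listing = json.load(sys.stdin)
    report = audit_listing(listing, argv[1])
    if report is None:
        print(f"{argv[1]}: not installed")
        return 1
    print(json.dumps(report, indent=2))
    # Non-zero exit lets the audit run as a scheduled CI job that fails on drift.
    return 1 if report["missing"] or report["excess"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `gh api /orgs/<ORG>/installations | python audit.py <app-slug>` and treat any `excess` entry as something to review with the vendor before accepting; `repository_selection: "all"` tells you the grant covers every current and future repository in the organization.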
As part of the onboarding/installation steps below, you will be asked to select one of your repositories (an existing repository or a new one) to contain Jit's primary configuration files:
- selected_repo/.github/workflows/jit-security.yml (GitHub Actions workflow)
- selected_repo/.jit (Jit security-as-code configuration)
This architecture enables security scanning within your GitHub organization, and enables you to modify your security configuration as code.
You must select a repository whose default branch is not under branch protection, because Jit writes its configuration files to that repository. Installation of the Jit GitHub application requires organization owner approval. GitHub integration is not possible if the organization has no repositories.
Integration Steps
Step 1: Get started at GitHub Marketplace
- Navigate to jit.io and select Start Free.
- Select GitHub to navigate to the Authorize Jit login dialog in GitHub.
- Select Authorize jitsecurity.
(Screenshots: 1. Start Free; 2. GitHub; 3. Authorize jitsecurity)
Step 2: Complete the Getting Started wizard
- Select Let's Start to continue.
- Select Install to navigate to the Install Jit CI dialog in GitHub.
- Select Install.
- Jit recommends selecting All repositories. Repositories can later be excluded from the product security plan if you do not wish to protect them with Jit, and newly created repositories are automatically protected. Note that with All repositories the permissions listed above apply to every current and future repository in the organization; if you need a narrower scope, select only the repositories you want Jit to monitor and add more later in the app's settings.
- If you are not logged in to GitHub as the organization owner, this dialog presents a Request option rather than Install. Select Request to send a notification email to the GitHub organization owners. The email contains a link to the installation page, where an owner can complete the installation by selecting Install. The onboarding wizard remains in a waiting state until the installation is complete; your progress is preserved even if you log out of the Jit platform.
- Select Next.
- Select your dedicated repository from the dropdown.
- Select Start Monitoring.
Success!
Jit automatically activates the Scan Code for Hard-Coded Secrets security requirement on your selected repository and creates a hello world pull request. You can view this process in action on the Pipelines Page, where you have the additional option to create a test pull request containing a secret in order to verify detection accuracy.
If you have third-party products/services you would like to integrate with Jit (such as Slack or AWS) proceed to Integrating With Third-Party Products and Services. Otherwise, continue to My Plan to activate your security requirements.
For instructions on configuring dependency scanning within monorepos, see Monorepo Support.
(Screenshots: 1. Let's Start; 2. Install; 3. Install; 4. Next; 5. Select a repository; 6. Start Monitoring)