Connect GitHub
Attest the controls anonymous reads can't see
Branch protection, vulnerability-alert state, and code-scanning visibility are admin-only. Install ControlFrame's read-only GitHub App on your org and every scan mints a fresh, one-hour installation token to read them — never a personal access token, never write access, never source contents.
A GitHub App is not yet configured on this deployment. Anonymous and PAT-scoped scans still work for public posture; admin-scoped signals require the App.
What the App reads — and only this
Default-branch protection rules
Dependency vulnerability-alert state
Code-scanning / CodeQL alert visibility
Repository administration (read-only)
Least-privilege, read-only metadata. No write scopes, no source-content read. Each scan mints a fresh installation token that expires in one hour and is never persisted — it only widens what the collector can observe, and is never in the evidence trust path.
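To check these claims from the org side, the sketch below audits the JSON body GitHub returns when an installation token is created (its `permissions` and `expires_at` fields) against the read-only, one-hour, no-source-contents scope described above. It is an added example, not ControlFrame's code; the mapping of the four listed items onto GitHub permission keys and both sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed mapping of the page's four read items onto GitHub App permission keys.
ALLOWED = {"metadata", "administration", "vulnerability_alerts", "security_events"}
MAX_LIFETIME = timedelta(hours=1)
SKEW = timedelta(seconds=60)  # tolerance for clock drift between issuer and auditor


def audit_installation_token(resp, issued_at):
    """Return a list of findings; an empty list means the token matches the stated scope."""
    findings = []
    perms = resp.get("permissions") or {}
    if not perms:
        findings.append("no permissions object in response")
    for name, level in sorted(perms.items()):
        if level != "read":
            findings.append(f"{name}: level '{level}' is not read-only")
        if name == "contents":
            findings.append("contents: source-content access granted")
        elif name not in ALLOWED:
            findings.append(f"{name}: permission outside the expected set")
    try:
        expires = datetime.fromisoformat(resp["expires_at"].replace("Z", "+00:00"))
        lifetime = expires - issued_at
    except (KeyError, ValueError, AttributeError, TypeError):
        findings.append("expires_at missing or unparseable")
    else:
        if lifetime <= timedelta(0):
            findings.append("token already expired at issue time")
        elif lifetime > MAX_LIFETIME + SKEW:
            findings.append(f"lifetime {lifetime} exceeds one hour")
    return findings


# Constructed sample responses (token value omitted; not real API output).
ISSUED = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
GOOD = {"expires_at": "2024-01-01T13:00:00Z",
        "permissions": {"metadata": "read", "administration": "read",
                        "vulnerability_alerts": "read", "security_events": "read"}}
BAD = {"expires_at": "2024-01-01T20:00:00Z",
       "permissions": {"metadata": "read", "contents": "read",
                       "administration": "write"}}

if __name__ == "__main__":
    for label, resp in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_installation_token(resp, ISSUED) or "ok")
```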