Overview

The GitHub integration connects Matproof to your GitHub organization and automatically collects evidence for controls related to code security, access management, and change management. Once connected, evidence is collected continuously — no manual uploads needed.

Evidence collected automatically:
  • Branch protection rules (require PR reviews, status checks, signed commits)
  • Repository access lists and permission levels
  • Dependabot alert status and vulnerability remediation
  • Code review records (PRs merged without review flagged)
  • GitHub Actions workflow security settings
  • Organization-level MFA enforcement status
  • Outside collaborators and their access levels

Prerequisites

  • GitHub organization account (GitHub Free, Team, or Enterprise)
  • Matproof Admin or Owner role
  • GitHub organization owner permissions (required to authorize the OAuth app)

Connecting GitHub

  1. Go to Settings → Integrations
  2. Click Connect next to GitHub
  3. You will be redirected to GitHub to authorize the Matproof OAuth app
  4. Select your GitHub organization
  5. Grant the requested permissions (read-only access to organization data)
  6. You will be redirected back to Matproof — the integration status will show Connected
The first evidence sync runs immediately after connection. Subsequent syncs run every 24 hours.
Matproof requests read-only access to your GitHub organization. It cannot create, modify, or delete any repositories, code, or settings.

What Gets Mapped to Which Controls

  Evidence Collected                            Control Examples
  --------------------------------------------  ----------------------------------------------------------
  Branch protection rules enabled               Change management controls (SOC 2 CC8, ISO 27001 A.8.32)
  PR review required before merge               Code review controls
  MFA enforced for all members                  Access control / MFA controls (SOC 2 CC6, DORA Art. 9)
  Dependabot alerts resolved within SLA         Vulnerability management controls
  No outside collaborators with write access    Third-party access controls
  Signed commits required                       Code integrity controls

Interpreting the Evidence

After the first sync, go to Integrations → GitHub → Evidence to see what was collected. Each item shows:
  • Status — Pass / Fail / Warning
  • Control — which control this evidence maps to
  • Last checked — when the check last ran
  • Detail — the raw finding (e.g., “Branch protection not enabled on main in repo backend”)
Failing items are surfaced as control gaps and appear on your compliance dashboard.

Common Issues

“Some repositories are not being scanned”

By default, Matproof scans all repositories in your organization. If you have private repositories that are not appearing, check that the GitHub OAuth app was authorized with access to all repositories (not just selected ones). To update: go to GitHub → Settings → Applications → Matproof → Repository access → change to “All repositories”.

“Branch protection check is failing but we have protection enabled”

Matproof checks for specific branch protection settings. A protection rule that only blocks force pushes will still fail the “require PR review” check. Review which specific settings are required under Integrations → GitHub → Evidence → [failing check] → Required settings.
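As an added illustration (not Matproof's own code), the following Python snippet evaluates a branch-protection payload in the JSON shape returned by the GitHub REST API endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection against the settings listed above, showing why a rule that only blocks force pushes still fails the require-PR-review check; the sample payloads and the pass/fail thresholds are constructed assumptions.

```python
"""Evaluate a GitHub branch-protection payload the way a compliance check would.

Constructed example (not Matproof's implementation): the input mimics the JSON shape
returned by GET /repos/{owner}/{repo}/branches/{branch}/protection on the GitHub
REST API; the pass/fail thresholds below are assumptions for illustration.
"""
import json

# Constructed sample: a rule that only blocks force pushes and deletions.
FORCE_PUSH_ONLY = json.dumps({
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "enforce_admins": {"enabled": False},
    "required_signatures": {"enabled": False},
})

# Constructed sample: a rule that satisfies review, status-check and signing checks.
FULL_PROTECTION = json.dumps({
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "required_signatures": {"enabled": True},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
})


def evaluate_branch_protection(payload: str) -> dict:
    """Return {check_name: "Pass" | "Fail" | "Warning"} for the settings this page lists."""
    p = json.loads(payload)
    reviews = p.get("required_pull_request_reviews") or {}
    checks = p.get("required_status_checks") or {}
    signatures = p.get("required_signatures") or {}
    admins = p.get("enforce_admins") or {}
    return {
        # Require PR review: the block must exist and demand at least one approval.
        "require_pr_review": "Pass" if reviews.get("required_approving_review_count", 0) >= 1 else "Fail",
        # Require status checks: at least one named check must be configured.
        "require_status_checks": "Pass" if checks.get("contexts") else "Fail",
        # Signed commits: required_signatures must be enabled.
        "require_signed_commits": "Pass" if signatures.get("enabled") else "Fail",
        # Admins able to bypass the rule weaken all of the above; flag as Warning.
        "enforce_admins": "Pass" if admins.get("enabled") else "Warning",
    }


def failing_checks(payload: str) -> list:
    """Names of checks that are not passing (these would surface as control gaps)."""
    return [name for name, status in evaluate_branch_protection(payload).items() if status != "Pass"]
```

Run against the force-push-only sample, every check in the list is reported as a gap even though "protection" is enabled on the branch.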

“MFA enforcement shows as failing for some members”

GitHub reports MFA status at the organization level. Members who joined before you enabled MFA enforcement but haven’t yet enabled it will show as non-compliant. The integration surfaces this so you can follow up — it is intentional behavior, not a bug.

Disconnecting

Go to Settings → Integrations → GitHub → Disconnect. This removes the connection and stops evidence collection. Previously collected evidence is retained. Also revoke the Matproof OAuth app from your GitHub organization settings under Settings → Third-party Access.