GitHub Sensor User Guide

Instructions for deploying the GitHub Sensor to scan for cryptographic assets and deliver findings to the AgileSec Platform for processing and analysis.

Overview

The GitHub Sensor integrates GitHub (GitHub Cloud or GitHub Enterprise) with Keyfactor's AgileSec Platform. This Sensor allows you to discover, inventory, and analyze cryptographic assets across multiple repositories within a GitHub organization.

What Gets Scanned

The GitHub Sensor downloads target repositories from GitHub and scans for use of cryptography algorithms and libraries in source code. The following cryptographic assets can be discovered:

  • X.509 Certificates: SSL/TLS certificates, code signing certificates, client authentication certificates

  • Keys: RSA, DSA, EC asymmetric public keys in PEM, DER, and PKCS8 formats as well as unencrypted private keys

  • Java Keystores: JKS, JCEKS, PKCS12 keystores

  • Tokens: JWT and JWE tokens

  • Cryptographic Libraries: OpenSSL, BouncyCastle, cryptography.io, and other crypto implementations

  • Code Artifacts: Embedded certificates in compiled code (JAR, WAR, EAR files)

Prerequisites

Ensure you meet the following requirements to enable scanning.

Network Access

Ensure HTTPS network connectivity from AgileSec platform or remote execution machine to the GitHub server.

GitHub REST API must be accessible.

Supported Authentication Methods

The GitHub Sensor supports token-based authentication.

Generate a Fine-Grained Personal Access Token
  1. Log in to GitHub.

  2. Go to SettingsDeveloper settingsPersonal access tokensFine-grained tokens (or navigate to https://github.com/settings/personal-access-tokens/new.

  3. Click Generate new token.

  4. Configure the token:

    • Token name: A descriptive name (e.g., "AgileSec Scanner")

    • Expiration: Set an appropriate expiration

    • Repository access: Select All repositories (or specific repos if preferred)

    • Permissions: Under Repository permissions, set:

      • ContentsRead-only

      • MetadataRead-only

        github-token.png
  5. Click Generate token.

  6. Copy the token immediately - it will only be shown once.

  7. Store the token securely.

  8. Verify the token works:

Bash
  # set your token
  export GITHUB_TOKEN="your-token-here"
  export GITHUB_URL="https://api.github.com"  # or your enterprise URL

  git clone https://oauth2:<token>@github.com/org/repo.git

GitHub Required Access Rights

The GitHub access token must have the following permissions to successfully authenticate:

Permission

Scope

Purpose

Contents

Read Only

Required for downloading repository

Metadata

Read-only

Required for enumerating repositories

Remote Execution Requirements

If running the Sensor remotely using CLI, the remote execution machine must meet these requirements:

Component

Requirement

Operating System

  • Linux (x86_64, x86_64): Ubuntu 18.04+, RHEL 9+, CentOS 8+, Debian 10+

RAM

3 GB minimum, 4 GB recommended for large repositories.

Disk Space

Minimum 2x size of your repository.

Permissions

Read/write access to remote sensor working directory (remote sensor install location)


Running the Sensor

AgileSec GitHub scans can be executed using the following methods:

  1. Platform Scan Execution: Configure and execute scans directly through the Keyfactor AgileSec web UI with on-demand or scheduled execution options.

  2. API Scan Execution: Programmatically trigger scans through REST API calls, enabling integration with CI/CD pipelines and automation workflows.

  3. Remote Scan Execution: Deploy and run the sensor via CLI on customer-managed infrastructure for scenarios such as:

    1. Scanning air-gapped or internal instances the platform cannot directly reach

    2. Customers wanting to manage their own scheduling and execution environment.

Refer to Scan Execution Flows for additional scan execution information.

Configuration Fields

The following parameters are used to configure AgileSec GitHub scans.

Field Name

UI Display Name

Type

Required

Description

url

GitHub API Base URL

String

❌ No

Only specify this field if self-hosting a GitHub Enterprise Server instance.

For self-hosted instances, use your GitHub Enterprise API URL (e.g., https://github.company.com/api/v3 )

For non-self-hosted, leave blank. Defaults to https://api.github.com .

token

Authentication Token

String

✅ Yes

Authentication token for scanning private repos as configured in prerequisites.

branch

Branch

String

❌ No

Branch to scan.

Glob patterns are accepted for multi-branch selection.

Default: default branch

include_paths

Accepted Paths

List of Strings

✅ Yes

Repositories to include.

Glob patterns are supported.

Expected format is workspace/glob.

Examples:

All repositories in workspace “bcgit”:
bcgit/* 

Repositories starting with "bc":
bcgit/bc-*

Specific repository “bcgit/bc-java”:
bcgit/bc-java 

exclude_paths

Excluded Paths

List of Strings

❌ No

Repositories to exclude from the included set.

Glob patterns are supported.

Expected format is workspace/glob.

proactive_throttle_threshold

Rate-Limit Quota Pause Threshold

Number

❌ No

Preemptively sleep until rate-limits reset when remaining budget falls below this floor.

Raise if many Connector instances share one PAT.

Defaults to 10.

max_retry_elapsed_seconds

Max Rate-Limit Wait

Number

❌ No

When a rate limit error occurs, the total time in seconds for a single REST call to retry before system will stop and officially throw an error.

Defaults to 3600 seconds (60 minutes).

incrementalScan

Incremental Scan

Boolean

✅ Yes

Note: for Platform Scan Executions via UI, incremental scan defaults to Yes.

Enable to scan only updates since last run. See Incremental Scanning.

autoResolutionInterval

Auto-Resolution Interval

Number

✅ Yes


Only used when incrementalScanis enabled. Number of incremental scans to perform before running a full scan. See Incremental Scanning.

Platform Scan Execution

Running scans through the user interface is the simplest and fastest way to get started. The platform enables running on-demand or scheduled scans in a dedicated environment.

Platform Scan Configuration

  1. Open your browser and navigate to the Keyfactor AgileSec Platform Web URL

  2. Log in with your credentials

  3. Click on "Sensors" in the left navigation menu under Scan

    image-20260616-210209.png
  4. Click "+ New Sensor".

    image-20260616-210325.png
  5. Click on the correct card to open the configuration interface.

Configure Parameters and Start Scan
  1. Fill in the required configuration parameters.

  2. Click Save.

  3. Click Action then Scan to begin a scan.
    Note: Click Edit to reconfigure parameters.

    image-20260616-214857.png

API Scan Execution

Scans may be programmatically triggered through REST API calls, enabling seamless integration with CI/CD pipelines, automation workflows, and custom applications. API execution provides flexibility for developers to incorporate cryptographic scanning into their existing development and deployment processes.

Note: For complete API reference, see API.

Generate AgileSec API Access Token

  1. Open your browser and navigate to AgileSec Platform UI

  2. Log in with your Keyfactor credentials

  3. Click "Access Tokens" in the main navigation menu

  4. Click "Generate Token" button

  5. Set Token Type to API Token and provide the required details

  6. Click "Generate" and copy the generated token

    image-20260616-212437.png

AgileSec API Endpoint

POST https://<platform-url>/v3/scan/create/

Request Format

Headers
Content-Type: application/json
isg-api-token: <your-api-token>
Request Body
JSON
  {
    "sensorName": "<sensor name>",
    "sensorType": "Github Sensor",
    "sensorConfig": {
       "url": "<github api url>",
       "branch": "<branch name>",
       "token": "<personal access token>",
       "include_paths": "<include patterns>",
       "exclude_paths": "<exclude patterns>"
    },
    "callbackId": "<callback id>",
    "labels": [
        {
            "<label name>": "<label value>"
        }
    ],
    "priority": "<priority>",
    "incrementalScan": true,
    "autoResolutionInterval": 5
  }

Remote Scan Execution

Scans may be run on remote host machines with the AgileSec Remote Sensor Package.

Download Remote Sensor Package
Generate Platform Token
  1. In the Download Remote UI, click "Generate Token"

  2. Copy the generated token

  3. Store securely in an environment variable such as SENSOR_TOKEN:

     export SENSOR_TOKEN="your-generated-token"
    
Create Configuration File

Create a YAML configuration file (e.g., github-config.yml) with your scan settings. An example configuration can be found in config/sample-configs/github.yml.

Step 4: Run the Sensor

Execute the Sensor with your configuration file:

  • Linux

    Bash
    # Set environment variables
    export SENSOR_TOKEN="your-sensor-token"
    export GITHUB_TOKEN="your-github-token"
    
    # Run Sensor
    ./unified_sensor_linux -c github-config.yml
    

Remote Scan Execution Configuration Examples

  • GitHub Enterprise (With Auth)

    YAML
    scan_config:
      plugins:
        - isg_github
        - trigger_discover
        - export
      config:
        isg_github:
          name: github
          plugin_config:
            url: "<https://github.mycompany.com>"
            token: "${env:GITHUB_TOKEN}"
            include_paths:
              - "internal-team"
            exclude_paths:
              - "internal-team/archived-*"
    
  • Scan Specific Branch

    YAML
    scan_config:
      plugins:
        - isg_github
        - trigger_discover
        - export
      config:
        isg_github:
          name: github
          plugin_config:
            url: "<https://github.com>"
            token: "${env:GITHUB_TOKEN}"
            branch: "develop"
            include_paths:
              - "myorg/myrepo"
    

Known Limitations

Rate Limiting

GitHub enforces API rate limits. Large organizations with many repositories may hit rate limits. Always use a Personal Access Token; usually that has higher limits. Also, for individual repositories you can use the Git Sensor.

Binary Files

While the Sensor scans files, opaque binary blobs without recognized headers may not be deeply analyzed.

Troubleshooting Common Errors

  • repository not found (404)

    • Cause: The URL is incorrect, OR the credentials provided do not have access to the private repository.

    • Fix: Check the URL.

  • authentication failed (401)

    • Cause: Invalid credentials.

    • Fix: Verify the credentials are correct by testing with a manual git clone command.

  • unable to access (402/Connection Refused)

    • Cause: Network connectivity issue.

    • Fix: Ensure the machine running the Sensor can reach the GitHub server URL. Check firewalls and proxies.

  • could not find remote branch

    • Cause: The specified branch does not exist on the remote.

    • Fix: Verify the branch name matches exactly (case-sensitive).

Getting Support

Collect diagnostic information:

  • Sensor version

  • Configuration file (redact tokens)

  • Log output

  • GitHub details (cloud vs enterprise, URL, version)

Contact Support