GitHub Sensor User Guide

The GitHub Sensor User Guide provides instructions for deploying and operating the GitHub Sensor within the Keyfactor AgileSec Platform. This guide covers supported authentication methods, execution methods, configuration options, and troubleshooting.

Refer to Sensors Architecture and Overview for additional details on sensor architecture, data flows, incremental scanning, and auto-resolution.

Overview

The GitHub Sensor integrates GitHub (GitHub Cloud or GitHub Enterprise) with Keyfactor's AgileSec Platform. This sensor allows you to discover, inventory, and analyze cryptographic assets across multiple repositories within a GitHub organization.

Key Features

Organization-Wide Scanning: Scan all repositories in a GitHub organization in a single execution.
Flexible Filtering: Use glob patterns to include or exclude specific repositories.
Deep Cryptographic Discovery: Automatically identifies certificates, private keys, keystores, and cryptographic libraries embedded in source code.
Incremental Scanning: Efficiently scans only new or modified files in subsequent runs.

What Gets Scanned

The sensor downloads repository archives from GitHub and analyzes all files to discover:

X.509 Certificates: SSL/TLS certificates, code signing certificates, client authentication certificates
Private Keys: RSA, DSA, EC private keys in PEM, DER, and PKCS8 formats
Java Keystores: JKS, JCEKS, PKCS12 keystores
Tokens: JWT and JWE tokens
Cryptographic Libraries: OpenSSL, BouncyCastle, http://cryptography.io , and other crypto implementations
Code Artifacts: Embedded certificates in compiled code (JAR, WAR, EAR files)

Prerequisites

GitHub Requirements

Requirement	Details
Protocol	HTTPS required for API access.
Access	Network connectivity from the sensor machine to the GitHub server.
API Access	GitHub REST API must be accessible.

Remote Execution Requirements

If running the unified sensor remotely using CLI:

Component	Requirement
Operating System	Linux (x86_64, x86_64): Ubuntu 18.04+, RHEL 9+, CentOS 8+, Debian 10+ Windows (x64): Windows Server 2016+, Windows 10+ macOS (Intel, Apple Silicon): macOS 10.15+
RAM	3 GB minimum, 4 GB recommended for large repositories
Disk Space	Minimum 2x Size of your repository.
Permissions	Read/Write access to working directory

Supported Authentication Methods

GitHub Sensor supports token-based authentication.

Step 1: Generate a Fine-Grained Personal Access Token

Log in to GitHub.
Go to Settings → Developer settings → Personal access tokens → Fine-grained tokens (or navigate to https://github.com/settings/personal-access-tokens/new.
Click Generate new token.
Configure the token:
- Token name: A descriptive name (e.g., "AgileSec Scanner")
- Expiration: Set an appropriate expiration
- Repository access: Select All repositories (or specific repos if preferred)
- Permissions: Under Repository permissions, set:
  - Contents → Read-only
  - Metadata → Read-only
Click Generate token.
Copy the token immediately - it will only be shown once.
Store the token securely.

Step 2: Verify Token

Test the token to ensure it works:

BASH

  # set your token
  export GITHUB_TOKEN="your-token-here"
  export GITHUB_URL="https://api.github.com"  # or your enterprise URL

  git clone https://oauth2:<token>@github.com/org/repo.git

Required Access Rights

The GitHub access token must have the following permissions to successfully authenticate:

Permission	Scope	Purpose	Required
Contents	Read Only	required for downloading repository	✅ Yes
Metadata	Read-only	required for enumerating repositories	✅ Yes

Running the Sensor

The GitHub sensor can be executed using the following methods:

Platform Scan Execution: Configure and execute scans directly though the Keyfactor AgileSec web UI with on-demand or scheduled execution options.
Using API: Programmatically trigger scans through REST API calls, enabling integration with CI/CD pipelines and automation workflows.
Remote Scan Execution: Deploy and run the sensor via CLI on customer-managed infrastructure for scenarios such as:
1. Scanning air-gapped or internal instances the platform cannot directly reach
2. Customers wanting to manage their own scheduling and execution environment.

Refer to Sensors Architecture and Overview: Running the Sensor for additional execution and flow details.

Platform Scan Execution

Running the sensor through the user interface is the simplest and fastest way to get started. The platform enables running on-demand or scheduled scans in a dedicated environment.

Platform Scan Configuration

Step 1: Navigate to Sensors Setup Page

1.1 Open your browser and navigate to the Keyfactor AgileSec Platform Web URL

1.2 Log in with your credentials

1.3 Click on "Sensors" in the navigation bar.

Step 2: Select GitHub Sensor

2.1 Click the "Choose a Sensor" button.

2.2 Browse or search for "GitHub".

2.3 Click on the GitHub sensor card

This will open the sensor configuration interface.

Step 3: Configure Sensor Parameters

3.1 Fill in the required configuration parameters:

Platform Scan Configuration Fields

Field Name	Display Name	Type	Required	Description
`url`	GitHub API Base URL	Single-line text	❌ No	Only specify this field if self-hosting a GitHub Enterprise Server instance. For http://GitHub.com , leave blank (defaults to https://api.github.com ). For self-hosted instances, use your GitHub Enterprise API URL (e.g., https://github.company.com/api/v3 )
`token`	Authentication Token	Password field	❌ No	Required for scanning private repos. Requires `Contents` read permission
`branch`	Branch	Single-line text	❌ No	Branch to scan (if not specified, default branch is inferred)
`include_paths`	Accepted Paths	Multiple values	✅ Yes	Glob patterns for repositories to include in organization_name/glob format. Examples: bcgit/* (all repositories in the bcgit organization) bcgit/bc-* (repositories starting with "bc-") bcgit/bc-java (specific repository)
`exclude_paths`	Excluded Paths	Multiple values	❌ No	Glob patterns for repositories to exclude from the included set. Utilizes the same format as `include_paths`
`incrementalScan`	Incremental Scan	Boolean	✅ Yes	Enable to scan only updates since last run. See Incremental Scanning
`autoResolutionInterval`	Auto-Resolution Interval	Number	✅ Yes	Number of incremental scans to perform before running a full scan. See Incremental Scanning for details. Only used with incremental scan.

Scan Execution Using API

Scans may be programmatically triggered through REST API calls, enabling seamless integration with CI/CD pipelines, automation workflows, and custom applications. API execution provides flexibility for developers to incorporate cryptographic scanning into their existing development and deployment processes.

Note: For complete API reference, see the API document.

API Access Token

Open your browser and navigate to the AgileSec Platform UI.
Log in with your Keyfactor credentials.
Click "Access Tokens" in the main navigation menu.
Click "Generate Token".
Set Token Type to API Token and provide the required details.
Click "Generate" and copy the generated token.

API Endpoint

CODE

POST https://<platform-url>/v3/scan/create

Request Format

Headers

CODE

Content-Type: application/json
isg-api-token: <your-api-token>

Request Body

The complete request body contains sensor configuration in the sensorConfig field, i.e:

JSON

  {
    "sensorName": "<sensor name>",
    "sensorType": "Github Sensor",
    "sensorConfig": {
       "url": "<github api url>",
       "branch": "<branch name>",
       "token": "<personal access token>",
       "include_paths": "<include patterns>",
       "exclude_paths": "<exclude patterns>"
    },
    "callbackId": "<callback id>",
    "labels": [
        {
            "<label name>": "<label value>"
        }
    ],
    "priority": "<priority>",
    "incrementalScan": true,
    "autoResolutionInterval": 5
  }

API Field Descriptions

See Platform Scan Configuration Fields.

Remote Scan Execution

Remote Execution Flow allows you to run the sensor on a host using the Unified Sensor binary.

Remote Scan Execution Configuration

Step 1: Download Unified Sensor

1.1 Navigate to AgileSec Platform UI → Sensors → Remote Scan.

1.2 Download the sensor binary for your operating system.

Step 2: Generate Remote Sensor Token

2.1 In the Remote Scan UI, click "Generate Token".

2.2 Copy the generated token.

2.3 Store the token securely in an environment variable or set it in the sensor config:

BASH

  export SENSOR_TOKEN="your-generated-token"

Step 3: Create Configuration File

Create a YAML configuration file (e.g., github-config.yml) with your scan settings. An example configuration can be found in config/sample-configs/github.yml.

Step 4: Run the Sensor

Execute the sensor with your configuration file:

Linux/macOS

BASH

# Set environment variables
export SENSOR_TOKEN="your-sensor-token"
export GITHUB_TOKEN="your-github-token"

# Run sensor
./unified_sensor_linux -c github-config.yml

Windows (PowerShell)

POWERSHELL

# Set environment variables
$env:SENSOR_TOKEN = "your-sensor-token"
$env:GITHUB_TOKEN = "your-github-token"

# Run sensor
.\\unified_sensor_windows.exe -c .\\github-config.yml

Remote Scan Execution Configuration Examples

Scan All Repos in an Org (Public)

YAML

scan_config:
  plugins:
    - isg_github
    - trigger_discover
    - export
  config:
    isg_github:
      name: github
      plugin_config:
        include_paths:
          - "myorg" # Equivalent to "myorg/**"

GitHub Enterprise (With Auth)

YAML

scan_config:
  plugins:
    - isg_github
    - trigger_discover
    - export
  config:
    isg_github:
      name: github
      plugin_config:
        url: "<https://github.mycompany.com>"
        token: "${env:GITHUB_TOKEN}"
        include_paths:
          - "internal-team"
        exclude_paths:
          - "internal-team/archived-*"

Scan Specific Branch

YAML

scan_config:
  plugins:
    - isg_github
    - trigger_discover
    - export
  config:
    isg_github:
      name: github
      plugin_config:
        url: "<https://github.com>"
        token: "${env:GITHUB_TOKEN}"
        branch: "develop"
        include_paths:
          - "myorg/myrepo"

Known Limitations

Rate Limiting

Description: GitHub enforces API rate limits.
Impact: Large organizations with many repositories may hit rate limits.
Workaround: Always use a Personal Access Token; usually that has higher limits. Also, for individual repositories you can use the Git Sensor.

Binary Files

Description: While the sensor scans files, opaque binary blobs without recognized headers may not be deeply analyzed.

Troubleshooting

Common Errors

repository not found (404)
- Cause: The URL is incorrect, OR the credentials provided do not have access to the private repository.
- Fix: Check the URL.
authentication failed (401)
- Cause: Invalid credentials.
- Fix: Verify the credentials are correct by testing with a manual git clone command.
unable to access (402/Connection Refused)
- Cause: Network connectivity issue.
- Fix: Ensure the machine running the sensor can reach the GitHub server URL. Check firewalls and proxies.
could not find remote branch
- Cause: The specified branch does not exist on the remote.
- Fix: Verify the branch name matches exactly (case-sensitive).

Getting Support

Collect diagnostic information:

Sensor version
Configuration file (redact tokens)
Log output
GitHub details (cloud vs enterprise, URL, version)

Contact Support:

Portal: https://support.keyfactor.com