
Connect GitHub

ConfigTrace connects to a GitHub repository using a personal access token (PAT). It monitors branch protection rules, repository settings, webhooks, secrets metadata, and Actions configuration — without reading source code, commit history, or secret values.

Prerequisites

  • A GitHub account with at least admin access to the repository you want to monitor
  • A ConfigTrace workspace (owner or admin role)

Step 1 — Create a personal access token

  1. Open Developer settings
    Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic).
  2. Generate a new token
    Click "Generate new token (classic)". Give it a name like ConfigTrace (read-only).
  3. Set an expiry
    Set an expiry appropriate to your security policy.
  4. Select scopes
    Select the following scopes:
      • repo — Required to read repository configuration, branch protection, webhooks, secrets metadata, and variables.
      • read:org — Required if monitoring repositories in an organization.
  5. Generate and copy
    Click "Generate token" and copy the value. It starts with ghp_.

The repo scope grants read access to private repositories; on a classic token this scope is not read-only and also carries write access to them. ConfigTrace only reads configuration metadata — it never reads file contents, commits, or pull requests. If you prefer finer-grained control, a fine-grained PAT with read-only access to repository settings is also supported.

Each integration is scoped to one repository. To monitor multiple repositories, create one integration per repo. You can reuse the same PAT if it has access to all the repos you want to monitor.
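
A check worth running before the token is pasted into ConfigTrace, added here as an example (it is not ConfigTrace's code): GitHub reports a classic PAT's scopes in the X-OAuth-Scopes response header of an authenticated REST API call, and the function below compares them with the scopes listed in Step 1. The sample headers are constructed; the 90-day `max_days` limit and the timestamp layouts accepted for the GitHub-Authentication-Token-Expiration header are assumptions.

```python
from datetime import datetime, timezone

# Scopes this page asks for; read:org applies only to organization repositories.
REQUIRED = {"repo"}
ORG_ONLY = {"read:org"}
# Broader classic scopes that already include read:org.
IMPLIES = {"admin:org": {"write:org", "read:org"}, "write:org": {"read:org"}}
# Assumed timestamp layouts for the expiration header.
EXPIRY_FORMATS = ("%Y-%m-%d %H:%M:%S UTC", "%Y-%m-%d %H:%M:%S %z")


def parse_expiry(value):
    for fmt in EXPIRY_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised expiry timestamp: {value!r}")


def audit_token_headers(headers, org_repo, now, max_days=90):
    """Return least-privilege findings for a classic PAT from API response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-oauth-scopes" not in h:
        return ["no X-OAuth-Scopes header: scopes cannot be audited"]
    granted = {s.strip() for s in h["x-oauth-scopes"].split(",") if s.strip()}
    effective = granted.union(*(IMPLIES.get(s, set()) for s in granted))
    wanted = REQUIRED | (ORG_ONLY if org_repo else set())
    findings = [f"missing scope: {s}" for s in sorted(wanted - effective)]
    findings += [f"excess scope: {s}" for s in sorted(granted - wanted)]
    expiry = h.get("github-authentication-token-expiration")
    if not expiry:
        findings.append("no expiry reported")
    else:
        days_left = (parse_expiry(expiry) - now).days
        if days_left < 0:
            findings.append("token already expired")
        elif days_left > max_days:
            findings.append(f"expiry {days_left} days out exceeds {max_days}-day policy")
    return findings


# Constructed sample headers, not captured from a real token.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
GOOD = {"X-OAuth-Scopes": "read:org, repo",
        "GitHub-Authentication-Token-Expiration": "2024-02-15 00:00:00 UTC"}
BROAD = {"X-OAuth-Scopes": "repo, admin:org, workflow"}
if __name__ == "__main__":
    print(audit_token_headers(BROAD, org_repo=True, now=NOW))
```

An empty list means the token carries exactly the scopes from Step 1 and expires within the policy window.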

Step 2 — Connect in ConfigTrace

  1. Open Integrations
    In the ConfigTrace sidebar, click Integrations, then click Connect on the GitHub card.
  2. Enter credentials
    Enter your PAT and the repository in owner/repo format (e.g. acme/api-service).
  3. Save integration
    Click Save integration.

Step 3 — Run your first sync

Click Sync Now. The first sync captures your branch protection rules, webhook configuration, and repo settings as a baseline.

What ConfigTrace monitors

Reads (configuration metadata)
  • Branch protection rules: required reviews, status checks, force-push restrictions, admin enforcement
  • Repository settings: visibility (public/private), default branch, merge settings
  • Webhooks: endpoint URLs, active status, subscribed events
  • Actions secrets metadata: names and creation dates (never values)
  • Actions variables: names and values
  • Deploy keys: titles, read/write access level, created date
  • GitHub Actions permissions and settings
Never reads
  • Source code files or file contents
  • Git commit history or diff content
  • Pull request content, comments, or reviews
  • Actions secret values
  • GitHub App installation tokens
  • Issue or discussion content
  • Any user data or emails

What ConfigTrace never reads

ConfigTrace tracks repository configuration drift — the settings that control how your repo operates — not commit history. Git already tracks commits.

For a full breakdown across all providers, see the Data Access & Permissions reference.