This guide covers setting up GitHub security scanning with Prowler. Choose a preferred interface below:
Understanding GitHub Scan Scope

Prowler can scan either:
  • User Repositories: All repositories owned by or accessible to a specific GitHub user
  • Organizations: Repositories and organization-level settings
Important: Scanning user repositories does NOT include organization-level checks (MFA requirements, security policies, etc.). To scan organizations, you must explicitly configure them.

Prowler Cloud/App

Walkthrough video: onboarding a GitHub account using the GitHub App.

Prerequisites

Before adding GitHub to Prowler Cloud/App, ensure you have:
  1. GitHub Account Access
    • Personal GitHub account, OR
    • Admin access to a GitHub organization
  2. Authentication Credentials
    • Choose one method (see Authentication Guide):
      • Fine-Grained Personal Access Token (Recommended)
      • OAuth App Token
      • GitHub App Credentials (Not Recommended - limited data access)

Step 1: Access Prowler Cloud/App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to Configuration > Cloud Providers
  3. Click Add Cloud Provider
  4. Select GitHub

Step 2: Configure GitHub Account

  1. Add the GitHub Account ID and an optional alias:
    • Account ID: Your GitHub username (e.g., username) or organization name (e.g., org-name)
    • Alias (optional): Friendly name for this connection (e.g., My Personal Repos or Prowler Org)
  2. Click Next

Step 3: Choose Authentication Method

Recommended: Fine-Grained Personal Access Token

Fine-Grained Personal Access Tokens are strongly recommended because they provide:
  • Best data access for comprehensive security scanning
  • Granular permission control
  • Resource-specific access
GitHub Apps are not recommended — they provide the most limited access to GitHub data for security scanning purposes.
  1. Select your preferred authentication method
  2. Click Start Scan to begin your first security assessment

Step 5: View Results

Once the scan completes, you can:
  • View security findings in the dashboard
  • Export results in multiple formats (JSON, CSV, HTML)
  • Set up continuous scanning schedules
  • Configure alerts for critical findings

Prowler CLI

Prerequisites

Before running Prowler CLI for GitHub, ensure you have:
  1. Prowler Installed
    # Install via pip
    pip install prowler
    
    # Or via poetry
    poetry install
    
  2. Authentication Credentials
    • Choose one method (see Authentication Guide):
      • Fine-Grained Personal Access Token (Recommended)
      • OAuth App Token
      • GitHub App Credentials (Not Recommended)

Authentication Setup

Prowler CLI automatically detects authentication credentials using environment variables in this order:
  1. GITHUB_PERSONAL_ACCESS_TOKEN
  2. GITHUB_OAUTH_APP_TOKEN
  3. GITHUB_APP_ID and GITHUB_APP_KEY
Don’t have credentials yet? See the Authentication Guide for step-by-step instructions.

Scan Scope: Understanding What Gets Scanned

Distinguishing User Scans from Organization Scans

The scan scope depends entirely on the Prowler CLI invocation method:

Command                                                         What Gets Scanned                          Organization Checks Included?
prowler github                                                  All repositories the token has access to   No
prowler github --repository owner/repo                          Single specified repository                No
prowler github --organization org-name                          Organization repos + org settings          Yes
prowler github --organization org-name --repository owner/repo  Organization + single repository           Yes
Key Points:
  • Scanning user repositories does NOT run organization-level checks
  • To audit organization MFA, security policies, etc., the --organization flag is required
  • Members of multiple organizations should specify each one explicitly

Scanning User Repositories

Scan repositories owned by your user account:
# Scan all repositories accessible to your token
prowler github

# Scan a specific repository
prowler github --repository username/my-repo

# Scan multiple specific repositories
prowler github --repository username/repo1 --repository username/repo2
What gets scanned:
  • Repository security settings
  • Branch protection rules
  • Secret scanning configuration
  • Dependabot settings
  • Organization-level policies: not included (requires --organization)

Scanning Organizations

Scan organization repositories and organization-level security settings:
# Scan a single organization
prowler github --organization prowler-cloud

# Scan multiple organizations
prowler github --organization org1 --organization org2

# Scan organization and specific repositories within it
prowler github --organization my-org --repository my-org/critical-repo
What gets scanned:
  • All organization repositories
  • Repository security settings
  • Organization MFA requirements
  • Organization security policies
  • Member access and permissions

Scan Scoping

Scan scoping controls which repositories and organizations Prowler includes in a security assessment. By default, Prowler scans all repositories accessible to the authenticated user or organization. To limit the scan to specific repositories or organizations, use the following flags.

Scanning Specific Repositories

To restrict the scan to one or more repositories, use the --repository flag followed by the repository name(s) in owner/repo-name format:
prowler github --repository owner/repo-name
To scan multiple repositories, specify them as space-separated arguments:
prowler github --repository owner/repo-name-1 owner/repo-name-2

Scanning Specific Organizations

To restrict the scan to one or more organizations or user accounts, use the --organization flag:
prowler github --organization my-organization
To scan multiple organizations, specify them as space-separated arguments:
prowler github --organization org-1 org-2

Scanning Specific Repositories Within an Organization

To scan specific repositories within an organization, combine the --organization and --repository flags. The --organization flag qualifies unqualified repository names automatically:
prowler github --organization my-organization --repository my-repo
This scans only my-organization/my-repo. Fully qualified repository names (owner/repo-name) are also supported alongside --organization:
prowler github --organization my-org --repository my-repo other-owner/other-repo
In this case, my-repo is qualified as my-org/my-repo, while other-owner/other-repo is used as-is.
The --repository and --organization flags can be combined with any authentication method.
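The scope rules above (the invocation table, the credential precedence from the Authentication Setup section, and the --organization qualification of bare repository names) are small enough to model and check before launching a scan. The following is an added example, not Prowler's own code; it assumes two things the page does not state: a name with more than one slash is invalid, and a bare repository name with zero or several --organization values is rejected as ambiguous.

```python
from dataclasses import dataclass, field
from typing import Optional

# Credential precedence as documented: the first variable that is set wins,
# so a stale GITHUB_PERSONAL_ACCESS_TOKEN silently shadows an OAuth token.
AUTH_PRECEDENCE = (
    ("personal_access_token", ("GITHUB_PERSONAL_ACCESS_TOKEN",)),
    ("oauth_app_token", ("GITHUB_OAUTH_APP_TOKEN",)),
    ("github_app", ("GITHUB_APP_ID", "GITHUB_APP_KEY")),
)


def detect_auth_method(env) -> Optional[str]:
    """Return the method Prowler would pick from an environment mapping, or None."""
    for method, variables in AUTH_PRECEDENCE:
        if all(env.get(name) for name in variables):
            return method
    return None


def qualify_repository(name: str, organizations) -> str:
    """Apply the --organization rule to one --repository value."""
    parts = name.split("/")
    if len(parts) == 2 and all(parts):
        return name                        # owner/repo: used as-is
    if len(parts) != 1 or not parts[0]:
        raise ValueError(f"invalid repository name: {name!r}")
    if len(organizations) != 1:            # assumption: ambiguous with 0 or 2+ orgs
        raise ValueError(f"{name!r} needs an owner: use owner/repo or one --organization")
    return f"{organizations[0]}/{name}"


@dataclass
class ScanScope:
    auth_method: Optional[str]
    organizations: list = field(default_factory=list)
    repositories: list = field(default_factory=list)

    @property
    def organization_checks(self) -> bool:
        # Org-level checks (MFA, security policies) run only with --organization.
        return bool(self.organizations)


def plan_scan(env, organizations=(), repositories=()) -> ScanScope:
    """Resolve CLI-style scope arguments into the targets Prowler would scan."""
    orgs = list(organizations)
    repos = [qualify_repository(r, orgs) for r in repositories]
    return ScanScope(detect_auth_method(env), orgs, repos)
```

Pass `os.environ` as `env` to see which credential the current shell would hand to Prowler; an empty `repositories` list with no organizations corresponds to the bare `prowler github` row of the table.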

Filtering Scans

Customize your scan scope with these options:
# Run only critical severity checks
prowler github --severity critical

# Run specific checks
prowler github --checks repository_default_branch_protection_enabled,organization_members_mfa_required

# Exclude specific checks
prowler github --excluded-checks repository_archived

# Scan with specific compliance framework
prowler github --compliance cis_1.0_github

# Output results in specific format
prowler github --output-formats json,csv,html

Example Workflows

# Scan your personal repositories for critical issues
export GITHUB_PERSONAL_ACCESS_TOKEN="ghp_xxxx"
prowler github --severity critical high

Viewing Prowler CLI Scan Results

Prowler CLI generates results in multiple formats:
# Results are saved in ./output/ directory by default
ls output/

# View HTML report in browser
open output/prowler-output-*.html

# Parse JSON results with jq
cat output/prowler-output-*.json | jq '.findings[] | select(.Status=="FAIL")'

# Import CSV into spreadsheet
open output/prowler-output-*.csv
