
Prowler App

Walkthrough video: onboarding a GitHub account using a GitHub App.

Step 1: Access Prowler Cloud/App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to “Configuration” > “Cloud Providers”
  3. Click “Add Cloud Provider”
  4. Select “GitHub”
  5. Add the GitHub Account ID (username or organization name) and an optional alias, then click “Next”

Step 2: Choose the preferred authentication method

  1. Choose the preferred authentication method
  2. Configure the authentication method:
Configure Personal Access Token: for more details on how to create a Personal Access Token, see Authentication > Personal Access Token.

Prowler CLI

Authentication

If no login method is explicitly provided, Prowler automatically attempts to authenticate using environment variables, checked in the following order of precedence (the first complete credential found wins):
  1. GITHUB_PERSONAL_ACCESS_TOKEN
  2. GITHUB_OAUTH_APP_TOKEN
  3. GITHUB_APP_ID and GITHUB_APP_KEY (where GITHUB_APP_KEY holds the content of the private key file, not its path)
Make sure the corresponding environment variables are exported before running Prowler without a login flag, otherwise automatic detection fails.
For more details on how to set up authentication with GitHub, see Authentication > GitHub.

Personal Access Token (PAT)

Use this method by providing a personal access token directly. Note that a token passed on the command line is visible in process listings and shell history; on shared hosts, prefer exporting GITHUB_PERSONAL_ACCESS_TOKEN and omitting the flag.
prowler github --personal-access-token pat

OAuth App Token

Authenticate using an OAuth app token.
prowler github --oauth-app-token oauth_token

GitHub App Credentials

Use GitHub App credentials by specifying the App ID and the private key path.
prowler github --github-app-id app_id --github-app-key-path app_key_path
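The following pre-flight script is an added example, not Prowler's own code. It mirrors the environment-variable precedence described under Authentication (PAT, then OAuth App token, then App ID plus private key) and the explicit-flag methods above, so you can see which credential Prowler will pick up before launching a scan, and it catches the common mistake of exporting a key path instead of the key contents in GITHUB_APP_KEY. The variable names and flags are the ones documented above; the file name ./prowler-app.pem is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not part of Prowler). Reports which GitHub credential Prowler
# would auto-detect from the environment, following the documented precedence.
set -u

# Print the auth method Prowler would select, or "none" if no complete
# credential set is present. Order: PAT > OAuth App token > App ID + key.
github_auth_method() {
  if [ -n "${GITHUB_PERSONAL_ACCESS_TOKEN:-}" ]; then
    echo "personal-access-token"
  elif [ -n "${GITHUB_OAUTH_APP_TOKEN:-}" ]; then
    echo "oauth-app-token"
  elif [ -n "${GITHUB_APP_ID:-}" ] && [ -n "${GITHUB_APP_KEY:-}" ]; then
    echo "github-app"
  else
    echo "none"
  fi
}

# GITHUB_APP_KEY must hold the PEM text, not a file path. Returns 0 when the
# value looks like a PEM private key block, 1 otherwise.
github_app_key_is_pem() {
  case "${GITHUB_APP_KEY:-}" in
    "-----BEGIN "*"PRIVATE KEY-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Load a private key file into GITHUB_APP_KEY so that "prowler github" can
# auto-detect it without the key ever appearing on a command line.
load_github_app_key() {
  key_file="$1"
  [ -r "$key_file" ] || { echo "cannot read $key_file" >&2; return 1; }
  GITHUB_APP_KEY="$(cat "$key_file")"
  export GITHUB_APP_KEY
}

# Example flow for the GitHub App method (placeholder App ID and key path):
#   export GITHUB_APP_ID=123456
#   load_github_app_key ./prowler-app.pem
#   preflight_and_scan
preflight_and_scan() {
  method="$(github_auth_method)"
  case "$method" in
    none)
      echo "no GitHub credentials in the environment; pass a login flag explicitly" >&2
      return 1 ;;
    github-app)
      github_app_key_is_pem || {
        echo "GITHUB_APP_KEY must contain the key text, not a path (use load_github_app_key)" >&2
        return 1
      } ;;
  esac
  echo "Prowler will authenticate with: $method"
  # Auto-detection: no login flag needed once the variables above are exported.
  # prowler github
}
```

For the flag-based methods the same check still applies: `--github-app-key-path` takes a path, while the GITHUB_APP_KEY variable takes the key text, which is why load_github_app_key reads the file into the variable rather than exporting the path.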

Scan Scoping

Scan scoping controls which repositories and organizations Prowler includes in a security assessment. By default, Prowler scans all repositories accessible to the authenticated user or organization. To limit the scan to specific repositories or organizations, use the following flags.

Scanning Specific Repositories

To restrict the scan to one or more repositories, use the --repository flag followed by the repository name(s) in owner/repo-name format:
prowler github --repository owner/repo-name
To scan multiple repositories, specify them as space-separated arguments:
prowler github --repository owner/repo-name-1 owner/repo-name-2

Scanning Specific Organizations

To restrict the scan to one or more organizations or user accounts, use the --organization flag:
prowler github --organization my-organization
To scan multiple organizations, specify them as space-separated arguments:
prowler github --organization org-1 org-2

Scanning Specific Repositories Within an Organization

To scan specific repositories within an organization, combine the --organization and --repository flags. The --organization flag qualifies unqualified repository names automatically:
prowler github --organization my-organization --repository my-repo
This scans only my-organization/my-repo. Fully qualified repository names (owner/repo-name) are also supported alongside --organization:
prowler github --organization my-org --repository my-repo other-owner/other-repo
In this case, my-repo is qualified as my-org/my-repo, while other-owner/other-repo is used as-is.
The --repository and --organization flags can be combined with any authentication method.
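The scope-resolution rule above (bare names are qualified with the --organization value, owner/repo-name names are used as-is) is small enough to reproduce locally, which is useful for reviewing the effective scan scope before running Prowler. The script below is an added example, not Prowler's own code: it qualifies a repository list the way the text describes, rejects malformed names, and prints the resulting `prowler github` command as a dry run instead of executing it. Treating a bare name with no --organization as an error is this example's choice; the page only documents the owner/repo-name form for --repository used alone.

```bash
#!/usr/bin/env bash
# Added example (not part of Prowler). Resolves --repository names against an
# --organization value the way the documentation describes, then prints the
# command that would be run. Nothing here contacts GitHub or runs Prowler.
set -u

# Accept only "owner/repo": exactly one slash, both parts non-empty.
is_qualified_repo() {
  case "$1" in
    ""|/*|*/|*/*/*) return 1 ;;
    */*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: qualify_repos <organization-or-empty> <repo>...
# Prints one fully qualified owner/repo per line; fails on malformed input.
qualify_repos() {
  org="$1"; shift
  for repo in "$@"; do
    case "$repo" in
      "") echo "empty repository name" >&2; return 1 ;;
      */*) full="$repo" ;;                    # already owner/repo, used as-is
      *)
        [ -n "$org" ] || { echo "unqualified name '$repo' needs --organization" >&2; return 1; }
        full="$org/$repo" ;;                  # qualified with the organization
    esac
    is_qualified_repo "$full" || { echo "malformed repository name: $repo" >&2; return 1; }
    echo "$full"
  done
}

# Usage: prowler_github_scope_cmd <organization-or-empty> <repo>...
# Prints the prowler invocation with the resolved scope (dry run).
prowler_github_scope_cmd() {
  org="$1"; shift
  repos="$(qualify_repos "$org" "$@")" || return 1
  printf 'prowler github'
  [ -n "$org" ] && printf ' --organization %s' "$org"
  printf ' --repository'
  for r in $repos; do printf ' %s' "$r"; done
  printf '\n'
}

# Example from the text: my-repo is qualified, other-owner/other-repo is not.
# prowler_github_scope_cmd my-org my-repo other-owner/other-repo
```

Run the printed command once the scope looks right; any authentication method from the previous section can be combined with it, either as flags appended to the command or via the environment variables Prowler auto-detects.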