Skip to main content

Overview

Backline’s GitHub integration enables secure, automated pull requests directly in your repositories, streamlining vulnerability remediation through our GitHub App.

What You Can Do

With the GitHub integration, Backline can:
  • Access your repositories across multiple organizations
  • Analyze code dependencies and packages
  • Create pull requests with automated security fixes
  • Track remediation status across your GitHub projects

Prerequisites

Before connecting GitHub, ensure you have:
  • A GitHub account with appropriate permissions
  • Admin access to the repositories you want to connect
  • Organization owner rights (if connecting organization repositories)

Connecting GitHub

1

Navigate to Integrations

In Backline, go to the Integration Hub from the main menu.
2

Select GitHub

Find and click on the GitHub integration card.
3

Install Backline App

Click Connect to be redirected to GitHub to install the Backline app.
4

Choose Organization

On GitHub, select the target organization where you want to install the Backline app.
5

Select Repositories

Choose All repositories or select specific repositories you want to link to Backline.
6

Complete Installation

Complete the installation process. You’ll be automatically redirected back to Backline with GitHub connected.

After Connection

Once connected, Backline will:
  1. Index your repositories
  2. Generate remediation plans for vulnerabilities from those repositories
  3. Create pull requests for automated fixes

Configuration

The GitHub integration includes additional configuration options accessible from the Configuration tab in the integration modal.

Dependabot Scan

Backline can ingest vulnerability alerts from GitHub Dependabot, allowing you to centralize SCA (Software Composition Analysis) vulnerabilities alongside findings from other security scanners.
1

Open GitHub Configuration

In the Integration Hub, click Configure on the GitHub integration card and navigate to the Configuration tab.
2

Enable Dependabot Scan

Check the Enable Dependabot Scan checkbox to activate Dependabot alert ingestion.
3

Save Configuration

The setting is saved automatically. Backline will begin scanning for Dependabot alerts.
Once enabled, Backline will:
  • Scan all repositories configured for the Backline GitHub App that have Dependabot Alerts activated
  • Import SCA vulnerabilities detected by Dependabot into Backline
  • Track and deduplicate vulnerabilities across your repositories
  • Enable remediation workflows for imported Dependabot findings
Dependabot Alerts must be enabled in your GitHub repository settings for Backline to ingest them. See the Dependabot integration page for more details.

Managing the Integration

Adding Multiple Organizations

You can connect multiple GitHub organizations to Backline:
1

Open Integration Details

Go to the GitHub integration card in the Integration Hub and click Configure to open the integration details.
2

Add Connection

At the bottom of the integration details, click the Add Connection button.
3

Install for New Organization

You’ll be taken to GitHub to add a new organization. Follow the same installation process to connect another organization.
All connected organizations will be displayed in the integration details page.

Testing Connections

To verify that a connection is still valid:
  1. Open the integration details by clicking Configure on the GitHub integration card
  2. Find the organization card you want to test
  3. Click the three dots menu on the organization card
  4. Select Test Connection to check if the connection is valid

Disconnecting

To disconnect a GitHub organization:
1

Open Integration Menu

In the Integration Hub, click the three dots menu on the GitHub integration card.
2

Select Disconnect

Click the Disconnect option from the menu.
3

Uninstall on GitHub

You’ll be taken to GitHub where you can uninstall the Backline application.
4

Confirm Disconnection

Once you return to Backline, refresh the page to see that the connection to the GitHub organization was disconnected.
Disconnecting will stop all automated remediation activities and prevent new vulnerability scanning for that organization.