GitHub Integration
The GitHub integration gives agents read access to your repositories — useful for AI Readiness audits that need to reference actual code, model configs, and documentation, and for the Sales Agent's lead enrichment signals.
Prerequisites
- An active Ariftly account
- Owner or admin access to the GitHub organization you want to connect (or a personal account with the relevant repositories)
Connect GitHub
- Go to Dashboard → Integrations → GitHub
- Click Install GitHub App
- You will be redirected to GitHub — choose your organization or personal account
- Select which repositories to grant access to
- Click Install
Ariftly installs as a GitHub App (not a personal access token), which means permissions are scoped to exactly the repositories you select and can be audited at any time from your GitHub organization settings.
Selecting repositories
You can choose:
- All repositories — Ariftly can access all current and future repositories in the account. Use this when you want complete coverage for ongoing audits.
- Only select repositories — you explicitly list which repositories the integration can see. Use this if you want to limit scope to AI-related repos and exclude unrelated projects.
You can change this selection at any time from GitHub → [Your Organization] → Settings → GitHub Apps → Ariftly → Configure.
What agents use GitHub for
AI Readiness Agent
The AI Readiness Agent uses GitHub access to produce evidence-grounded compliance reports rather than generic assessments:
- Model configuration files — reads model_card.json, config.yaml, LLM pipeline configs to understand how AI is deployed
- Inference code — analyses how models are called, whether outputs are logged, and whether human override mechanisms exist
- Data pipeline definitions — scans ETL code for data lineage, source documentation, and access controls
- Security patterns — detects hardcoded AI API keys, unversioned model artifacts, and unsafe prompting patterns
- Documentation — reads README files, architecture docs, and compliance artifacts stored in version control to ground questionnaire answers
Without GitHub access, the agent can still perform gap analysis against a manually uploaded knowledge base — but with access, every claim in the compliance report is backed by a direct citation to a specific file and line in your codebase.
Sales Agent
The Sales Agent uses GitHub for lead enrichment, not for auditing your own code. When prospecting for leads, it reads public repository signals:
- Tech stack detection — identifies frameworks, libraries, and AI dependencies from package.json, requirements.txt, go.mod, etc.
- Engineering leadership signals — identifies top contributors as potential contacts for technical outreach
- Open-source activity — tracks star counts, recent commits, and contributor growth as intent signals
- Job signals — correlates GitHub activity with open job postings to detect companies actively hiring for AI-related roles
The Sales Agent only accesses public repositories for lead enrichment. It never reads private repositories of prospects.
Granting per-agent repository access
You can limit which repositories each agent can access within the same integration:
curl -X PATCH https://api.ariftly.io/v1/integrations/github/config \
  -H "Authorization: Bearer $ARIFTLY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_repo_access": {
      "ai-readiness": ["org/ml-platform", "org/data-pipeline", "org/compliance-docs"],
      "sales": ["org/open-source-lib"]
    }
  }'
With this configuration, the AI Readiness Agent can read ml-platform, data-pipeline, and compliance-docs, while the Sales Agent can only read open-source-lib. If agent_repo_access is not configured, each agent can access all repositories granted to the integration.
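To review a payload before sending it, the sketch below resolves what each agent would be able to read. It is an added example, not Ariftly code: the granted-repository inventory is constructed, and the handling of an agent key missing from a configured map is an assumption (the page only documents the case where agent_repo_access is absent entirely).

```python
# Added example, not Ariftly code: resolve which repositories each agent can
# read from an agent_repo_access payload and the repos granted to the app.
AGENTS = ("ai-readiness", "sales")  # agent keys from the request on this page


def effective_access(payload, granted):
    """Return {agent: (readable repos, warnings)} for review before sending."""
    acl = payload.get("agent_repo_access")
    granted = set(granted)
    result = {}
    for agent in AGENTS:
        warnings = []
        if not acl:
            # Documented fallback: no agent_repo_access means all granted repos.
            repos = set(granted)
            warnings.append("agent_repo_access not set: all granted repos readable")
        elif agent not in acl:
            # Assumption: a missing agent key is reviewed as unrestricted.
            repos = set(granted)
            warnings.append("no entry for agent: treated as unrestricted")
        else:
            listed = set(acl[agent])
            outside = sorted(listed - granted)
            if outside:
                warnings.append("not granted to the app: " + ", ".join(outside))
            repos = listed & granted
        result[agent] = (sorted(repos), warnings)
    return result


# Constructed inventory of repos selected during app installation.
GRANTED = ["org/ml-platform", "org/data-pipeline", "org/compliance-docs",
           "org/open-source-lib", "org/billing-service"]
# Payload from this page.
PAGE_PAYLOAD = {"agent_repo_access": {
    "ai-readiness": ["org/ml-platform", "org/data-pipeline", "org/compliance-docs"],
    "sales": ["org/open-source-lib"],
}}

if __name__ == "__main__":
    for name, payload in (("page payload", PAGE_PAYLOAD), ("unset", {})):
        for agent, (repos, warnings) in effective_access(payload, GRANTED).items():
            print(name, agent, repos, warnings)
```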
Required GitHub permissions
| Permission | Scope | Why |
|---|---|---|
| Contents | Read | Read files in repositories (code, docs, configs) |
| Metadata | Read | List repositories, branches, and repository metadata |
| Pull Requests | Read | Reference PR context and review history in analysis |
| Issues | Read | Correlate issue history with compliance findings |
Ariftly does not request write permissions on any of these by default. Write access to Pull Requests (for creating remediation PRs) is a separate, optional permission that you must explicitly grant, and it is only used when you approve a specific "create PR" action via the Approvals inbox.
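The table above can be used as a baseline for periodic review of the installation. The following is an added example, not Ariftly or GitHub code: it checks an installation record (the `permissions` and `repository_selection` fields GitHub's REST API returns from `GET /orgs/{org}/installations`) against that baseline. The sample records and the `ariftly` app slug are constructed assumptions.

```python
# Added example: compare a GitHub App installation record against the
# read-only permission set in the table above. Sample values are constructed.

# Expected grants, taken from the permissions table on this page.
EXPECTED = {
    "contents": "read",
    "metadata": "read",
    "pull_requests": "read",
    "issues": "read",
}
# Optional write grant the page says must be explicitly approved.
OPTIONAL_WRITE = {"pull_requests"}


def audit_installation(installation):
    """Return a list of findings; an empty list means the grant matches."""
    findings = []
    granted = installation.get("permissions", {})
    for name, level in sorted(granted.items()):
        if name not in EXPECTED:
            findings.append(f"unexpected permission: {name}={level}")
        elif level != EXPECTED[name]:
            if level == "write" and name in OPTIONAL_WRITE:
                findings.append(f"optional write enabled: {name} (confirm it was approved)")
            else:
                findings.append(f"elevated permission: {name}={level}")
    for name in sorted(set(EXPECTED) - set(granted)):
        findings.append(f"missing permission: {name}")
    if installation.get("repository_selection") == "all":
        findings.append("repository_selection=all: future repositories are included")
    return findings


# Constructed sample records (not real API output); the slug is an assumption.
BASELINE = {"app_slug": "ariftly", "repository_selection": "selected",
            "permissions": dict(EXPECTED)}
DRIFTED = {"app_slug": "ariftly", "repository_selection": "all",
           "permissions": {**EXPECTED, "pull_requests": "write", "secrets": "read"}}

if __name__ == "__main__":
    for label, record in (("baseline", BASELINE), ("drifted", DRIFTED)):
        print(label, audit_installation(record) or "OK")
```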
What Ariftly does NOT read
To be explicit about the scope:
- Private email addresses of contributors — not accessed
- Secrets or encrypted values — .env files and encrypted secrets are never transmitted; the agent flags their existence as a compliance finding but does not read their contents
- Repository forks outside your org — only repositories you explicitly granted are accessible
- GitHub Actions secrets — not accessible via the Contents permission
Viewing access logs
Every repository read by an agent is logged in Dashboard → Events with the agent name, timestamp, and file path. You have a complete audit trail of what was accessed and when.
Disconnecting GitHub
To remove the integration:
- Go to Dashboard → Integrations → GitHub
- Click Disconnect
This revokes Ariftly's GitHub App installation. You can also uninstall the app directly from GitHub → Settings → Applications → Installed GitHub Apps.
Any pending tasks that require GitHub access will move to a blocked state until the integration is reconnected.
Troubleshooting
Agent cannot find my repository
- Verify the repository is in the list of repos granted to the integration in your GitHub App settings
- If you added the repo after installing the app, go to GitHub → Settings → Applications → Ariftly → Configure and add the new repo
Audit report shows no code evidence
- The AI Readiness Agent indexes your repositories on first connect. This takes 1–5 minutes for large repositories. Check Dashboard → Integrations → GitHub for indexing status.
- Ensure the relevant files (model configs, AI pipeline code) are in the selected repositories and not in a private fork or separate account
"Needs reauthorization" status
- GitHub App tokens are long-lived but can expire if not used. Click Reconnect in the integrations panel to reauthorize.
What's next
- Gmail Integration — connect email for inbound questionnaires and outbound outreach
- AI Readiness Agent Reference — full audit task types and output schemas
- Authentication — API key management for programmatic integration access