The GitHub App allows Octovy to scan repositories on `push` and `pull_request` events via webhooks. It is required for the `serve` command.
The GitHub App is optional if you only use the `scan` or `insert` commands locally.

Set up the GitHub App when:

- You want to automatically scan repositories on every push
- You want to scan pull requests to find vulnerabilities before merge
- You want organization-wide scanning without manual intervention

Skip the GitHub App when:

- You only need manual scanning via `octovy scan`
- You only need to insert existing Trivy results via `octovy insert`

Prerequisites:

- GitHub account (personal or organization)
- Octovy `serve` server running and publicly accessible (with HTTPS)
- DNS pointing to your server
Step 1: Create the GitHub App

- Go to GitHub Settings > Developer settings > GitHub Apps
- Click "New GitHub App"
- Fill in the app information:

App name:

- GitHub App name (e.g., `octovy-scanner`, `my-org-scanner`)

Homepage URL:

- Your public server URL (e.g., `https://scanner.example.com`)

Webhook URL:

- `https://your-domain.com/webhook/github/app`
- This is where GitHub sends events to Octovy
- Must be publicly accessible and use HTTPS

Webhook secret:

- Generate a random secret string (e.g., `openssl rand -hex 32`)
- Octovy uses this to verify webhook authenticity

Permissions:

Set the following repository permissions:

- Contents: Read-only (to access repository code)
- Metadata: Read-only (to access repository metadata)

Subscribe to events:

Select these events:

- Pull request: Scan PRs before merge
- Push: Scan on every push to any branch

Where can this GitHub App be installed?

- Select your preference (personal account, organization, or both)
- Click "Create GitHub App"

Step 2: Generate a private key

- Scroll down to the "Private keys" section
- Click "Generate a private key"
- A `.pem` file will be downloaded automatically
- Keep this file secure (it's like a password)
Step 3: Configure Octovy

You'll need these values to configure Octovy:

| Value | Where to find |
|---|---|
| App ID | Top of the app's settings page, or visible on the GitHub Apps page |
| Private Key | The `.pem` file you downloaded |
| Webhook Secret | The secret you configured in Step 1 |

Configure these on your Octovy server:

```bash
# Required for GitHub App
export OCTOVY_GITHUB_APP_ID=123456
export OCTOVY_GITHUB_APP_PRIVATE_KEY=/path/to/private-key.pem
export OCTOVY_GITHUB_APP_SECRET=your-webhook-secret

# Also configure BigQuery (required)
export OCTOVY_BIGQUERY_PROJECT_ID=your-project-id

# Optional
export OCTOVY_ADDR=:8080
```

Alternative: set `OCTOVY_GITHUB_APP_PRIVATE_KEY` to the PEM content directly (useful in Docker):

```bash
export OCTOVY_GITHUB_APP_PRIVATE_KEY='-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
...
-----END RSA PRIVATE KEY-----'
```

Step 4: Install the app

- Go to the app's page (visible in GitHub Apps settings)
- Click "Install App"
- Select which account to install to (personal or organization)
- Select which repositories to grant access to:
  - All repositories: Octovy can scan all repos
  - Only selected repositories: Choose specific repos
- Click "Install"
Step 5: Start the server

Once environment variables are set and the app is installed:

```bash
octovy serve --addr :8080
```

Or with Docker:

```bash
docker run -p 8080:8080 \
  -v /path/to/private-key.pem:/key.pem \
  -v $(which trivy):/trivy \
  -e OCTOVY_ADDR=:8080 \
  -e OCTOVY_GITHUB_APP_ID=123456 \
  -e OCTOVY_GITHUB_APP_PRIVATE_KEY=/key.pem \
  -e OCTOVY_GITHUB_APP_SECRET=your-webhook-secret \
  -e OCTOVY_BIGQUERY_PROJECT_ID=my-project \
  -e OCTOVY_TRIVY_PATH=/trivy \
  ghcr.io/secmon-lab/octovy
```

GitHub App environment variables:

| Variable | Required | Description |
|---|---|---|
| `OCTOVY_GITHUB_APP_ID` | ✓ | GitHub App ID |
| `OCTOVY_GITHUB_APP_PRIVATE_KEY` | ✓ | Path to private key file or PEM content |
| `OCTOVY_GITHUB_APP_SECRET` | ✓ | Webhook secret for verification |
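The private key variable accepts either a file path or the PEM text itself. The following Go example, added here and not taken from Octovy's own code base, shows one way to resolve both forms safely: it treats a value that starts with a PEM header as inline content, otherwise reads the file and refuses keys that are readable by other users (the `chmod 600` the troubleshooting section asks for), then parses the PKCS#1 `RSA PRIVATE KEY` block GitHub downloads. The function names, the permission check and the generated throwaway key are assumptions for the demo; the permission check assumes a POSIX host.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// loadAppPrivateKey resolves the two forms OCTOVY_GITHUB_APP_PRIVATE_KEY may
// take: a path to the downloaded .pem file, or the PEM text itself. This is an
// assumed implementation written for this page, not Octovy's own loader.
func loadAppPrivateKey(value string) (*rsa.PrivateKey, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return nil, errors.New("private key is not set")
	}
	var data []byte
	if strings.HasPrefix(value, "-----BEGIN ") {
		data = []byte(value) // inline PEM content, e.g. injected into a container
	} else {
		info, err := os.Stat(value)
		if err != nil {
			return nil, fmt.Errorf("private key file: %w", err)
		}
		// Refuse keys other users on the host can read (chmod 600 fixes it).
		// Assumes POSIX permission bits.
		if perm := info.Mode().Perm(); perm&0o077 != 0 {
			return nil, fmt.Errorf("private key %s has mode %04o; expected 0600", value, perm)
		}
		data, err = os.ReadFile(value)
		if err != nil {
			return nil, fmt.Errorf("private key file: %w", err)
		}
	}
	return parseRSAPrivateKey(data)
}

// parseRSAPrivateKey accepts the PKCS#1 block GitHub downloads
// ("RSA PRIVATE KEY") and, for keys converted later, PKCS#8 ("PRIVATE KEY").
func parseRSAPrivateKey(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found in private key")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			return nil, errors.New("PKCS#8 key is not an RSA key")
		}
		return rsaKey, nil
	default:
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
}

// newTestKeyPEM generates a throwaway 2048-bit key in the same PKCS#1 PEM form
// GitHub hands out. Constructed for the demo only; never use it for a real app.
func newTestKeyPEM() (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
	return string(pem.EncodeToMemory(block)), nil
}

func main() {
	pemText, err := newTestKeyPEM()
	if err != nil {
		panic(err)
	}
	// Inline form, as the variable would carry it in Docker.
	key, err := loadAppPrivateKey(pemText)
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded inline key, bits:", key.N.BitLen())

	// File form with loose permissions is rejected.
	dir, _ := os.MkdirTemp("", "octovy-demo")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "demo-key.pem")
	_ = os.WriteFile(path, []byte(pemText), 0o644)
	_ = os.Chmod(path, 0o644)
	_, err = loadAppPrivateKey(path)
	fmt.Println("0644 file rejected:", err != nil)
}
```

Rejecting a group- or world-readable key at startup turns the "private key errors" troubleshooting item into an immediate, explicit failure instead of a silently working but exposed deployment.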
Octovy responds to these GitHub webhook events:

`push`:

- Triggered on every push to any branch
- Octovy scans the pushed commit
- Results are stored in BigQuery

`pull_request`:

- Triggered on PR open, synchronize (new commits), and reopen
- Octovy scans the PR's head commit
- Results are stored in BigQuery
Private key:

- Never commit the `.pem` file to version control
- Use environment variables or secret management (e.g., AWS Secrets Manager, HashiCorp Vault)
- For Docker, use Docker secrets or environment variable injection
- Rotate keys periodically

Webhook verification:

- Octovy verifies webhook requests using the secret
- GitHub signs each delivery with the secret and sends the signature in the `X-Hub-Signature-256` header
- Mismatched secret = webhook rejected
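To make the verification step concrete, here is an added Go example (not Octovy's own code) of how a server validates the `X-Hub-Signature-256` header: it recomputes HMAC-SHA256 over the raw request body with the webhook secret, compares the result to the header in constant time, and answers 401 when the header is missing, malformed or wrong, which is also why a plain `curl -X POST` to the webhook endpoint gets 401. The secret, payload and handler names are constructed for the example; only the header name and the `sha256=<hex>` format are GitHub's.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// exampleSecret is a constructed value for this demo; a real server reads it
// from OCTOVY_GITHUB_APP_SECRET.
const exampleSecret = "constructed-webhook-secret"

// signPayload builds the header value GitHub sends: "sha256=" followed by the
// lowercase hex HMAC-SHA256 of the raw request body, keyed with the secret.
func signPayload(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature recomputes the MAC over the body and compares it with the
// header using hmac.Equal, so a mismatch does not leak timing information
// about the expected value. Missing or malformed headers are simply rejected.
func verifySignature(secret, header string, body []byte) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// webhookHandler is an assumed, minimal stand-in for the webhook endpoint: it
// reads the body once (bounded by maxBody), verifies the signature against the
// exact bytes received, and answers 401 otherwise.
func webhookHandler(secret string, maxBody int64) http.Handler {
	// Stray whitespace in the environment variable is a classic cause of
	// "signature mismatch", so trim it before use.
	secret = strings.TrimSpace(secret)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBody))
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		if !verifySignature(secret, r.Header.Get("X-Hub-Signature-256"), body) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		// Signature is valid: a real server would dispatch on X-GitHub-Event here.
		fmt.Fprintf(w, "accepted %s event\n", r.Header.Get("X-GitHub-Event"))
	})
}

func main() {
	body := []byte(`{"action":"opened"}`) // constructed payload
	h := webhookHandler(exampleSecret, 1<<20)

	// Unsigned request, like a direct curl -X POST: expect 401.
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/webhook/github/app", bytes.NewReader(body)))
	fmt.Println("unsigned:", rec.Code)

	// Properly signed request, as GitHub would send it: expect 200.
	req := httptest.NewRequest(http.MethodPost, "/webhook/github/app", bytes.NewReader(body))
	req.Header.Set("X-Hub-Signature-256", signPayload(exampleSecret, body))
	req.Header.Set("X-GitHub-Event", "pull_request")
	rec = httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	fmt.Println("signed:", rec.Code)
}
```

The important detail is that the MAC is computed over the exact bytes received, before any JSON decoding, and that the comparison is constant-time; re-serialising the payload or using `==` on the hex strings are the two mistakes that most often break or weaken this check.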
Permissions:

- Only grant Read-only access to Contents and Metadata
- Octovy doesn't modify repositories
- Minimal permissions reduce security risk
Troubleshooting

Webhook not reaching the server:

- Verify the webhook URL is publicly accessible: `curl https://your-domain.com/health`
- Check that firewall/security groups allow HTTPS (port 443)
- Verify the webhook URL in GitHub App settings is correct

App cannot access the repository:

- The GitHub App must be installed on the repository or organization
- Check that Contents and Metadata permissions are set to Read-only
- The repository must grant access to Octovy (check the app's access list)

Webhook signature mismatch:

- Verify `OCTOVY_GITHUB_APP_SECRET` matches the secret in GitHub App settings
- Check for leading/trailing whitespace in the environment variable
- Regenerate the secret if unsure

Private key errors:

- Verify the `.pem` file is readable by the Octovy process
- Check file permissions: `chmod 600 private-key.pem`
- For Docker, verify the path is correctly mounted

Scans not running:

- Check that the Octovy server is running: `curl localhost:8080/health`
- Check server logs for webhook processing
- Verify the GitHub App is installed on the repository
- Make a test push to trigger a scan

Use GitHub's webhook delivery logs:

- Go to GitHub App settings
- Click "Advanced"
- Scroll to "Recent Deliveries"
- View webhook events and responses
- Click "Redeliver" to test

```bash
# Health check (should return 200)
curl -i https://your-domain.com/health

# Webhook endpoint (will return 401 if accessed directly)
curl -i -X POST https://your-domain.com/webhook/github/app
```