The GitHub integration enables Engineering and Security teams to automate evidence collection for software development lifecycle (SDLC) controls. It connects Drata to your GitHub organization to continuously validate access control, code review, and change management practices for compliance.
Key Capabilities
Automated SDLC monitoring: Verifies repository access, code reviews, and change restrictions.
Evidence collection: Gathers audit-proof evidence showing adherence to secure development policies.
Prerequisites & Data Access
Must have permission to install GitHub Apps on your organization’s GitHub account.
Do not install the Drata app in a personal GitHub account.
GitHub users must have public email visibility for Drata to match accounts correctly.
Email Matching Requirements
Each GitHub user must:
Uncheck “Keep my email addresses private” under GitHub Email Settings.
Select a Public email under GitHub Profile Settings.
Drata syncs public emails nightly to match GitHub users to Drata personnel based on email and username.
Upon each nightly sync of the GitHub connection, Drata will check for and pull collaborators' public emails. Drata will use those emails and GitHub usernames to attempt email-based and fuzzy matching to Drata personnel (IdP) emails.
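As an added example (not Drata's code, and not its actual matching algorithm), the Python below approximates the email-then-username matching described above so an administrator can see, before the nightly sync, which collaborators will go unmatched because their public email is hidden. The collaborator records, IdP emails and the 0.7 similarity threshold are constructed assumptions.

```python
"""Pre-check GitHub collaborators against an IdP roster before connecting Drata.

Added example, not Drata's code: it approximates the email-based and
username (fuzzy) matching described on the page, to show which GitHub
users will fail to match because their public email is hidden.
"""
from __future__ import annotations
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Constructed sample data shaped like GitHub user records ("login", "email");
# "email" is None when the user keeps their address private.
GITHUB_COLLABORATORS = [
    {"login": "asmith", "email": "alice.smith@example.com"},
    {"login": "bjones-dev", "email": None},
    {"login": "contractor42", "email": None},
]
# Constructed IdP (identity provider) personnel emails, as Drata would hold them.
IDP_EMAILS = ["alice.smith@example.com", "bjones@example.com", "cdoe@example.com"]

FUZZY_THRESHOLD = 0.7  # assumption; Drata does not publish its cut-off


@dataclass
class MatchResult:
    login: str
    matched_email: Optional[str]
    method: str  # "email", "fuzzy-username", or "unmatched"


def _similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def match_collaborator(user: dict, idp_emails: list[str]) -> MatchResult:
    """Exact public-email match first; fall back to username vs. email local part."""
    email = (user.get("email") or "").lower()
    if email and email in {e.lower() for e in idp_emails}:
        return MatchResult(user["login"], email, "email")
    best, score = None, 0.0
    for candidate in idp_emails:
        s = _similarity(user["login"], candidate.split("@")[0])
        if s > score:
            best, score = candidate, s
    if best and score >= FUZZY_THRESHOLD:
        return MatchResult(user["login"], best, "fuzzy-username")
    return MatchResult(user["login"], None, "unmatched")


def unmatched_logins(users=GITHUB_COLLABORATORS, idp_emails=IDP_EMAILS) -> list[str]:
    """Logins an admin must chase (set a public email) before the nightly sync."""
    results = (match_collaborator(u, idp_emails) for u in users)
    return [r.login for r in results if r.method == "unmatched"]
```

A real pre-check would feed this the org's collaborator list exported from GitHub and the personnel roster from the IdP; the unmatched logins are the users who still need to make an email public.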
Step-by-Step Setup
Step 1: Connect GitHub in Drata
In Drata, navigate to Connections in the left-side menu.
Open the Available Connections tab and search for GitHub.
Click Connect to open the setup panel.
Follow the step-by-step instructions carefully, completing each before moving on.
Step 2: Verify Installation Scope
Drata recommends setting the scope of the GitHub app to allow read access to all repositories (this covers current and future repos). If you need to reduce the set of repositories Drata will monitor, you can select them at connection time, or after the app has been installed in your organization.
This reduction in scope will apply to the "Formal Code Review Process" monitoring test, where Drata looks for your branch protection rules. It will not reduce the scope of collaborators Drata attempts to find, or their permissions on all repos in your organization. Collaborator permissions are evaluated in the "Only Authorized Employees Change Code" and "Production Code Changes Restricted" monitoring tests.
Go to your GitHub organization
Click on the "Settings" tab
Click on "GitHub Apps" (under "Integrations") in the left sidebar
Click the "Configure" button next to the installed Drata app
Under "Repository Access," select the radio option for "Only select repositories"
Use the "Select repositories" dropdown to select your in-scope repos, and click "Save"
The Drata app uses the following read permission scopes:
Repository permissions
    Administration
    Code scanning alerts
    Dependabot alerts
    Metadata
Organization permissions
    Members
Account permissions
    Email addresses
Rerun the "Formal Code Review Process" monitoring test to evaluate the new results
NOTE: This will require you to manually add future repos you want to monitor to the app's repos selection going forward.
Disconnect the Drata App
If you ever need to disconnect GitHub from Drata, you will need to do so in two places: on the Drata connections page, and within GitHub under "GitHub Apps," where you click "Uninstall" for the Drata app.
Monitoring tests covered
Test 6: Only Authorized Employees Access Version Control
Test 7: Only Authorized Employees Change Code
Test 8: Formal Code Review Process
Test 9: Production Code Changes Restricted
Test 87: MFA on Version Control System
Test 94: Version Control Accounts Removed Properly