GitHub Application Vulnerability Integration
Summary of GitHub Application Vulnerability Integration
The GitHub Application Vulnerability Integration enables ServiceNow customers to import Static Application Security Testing (SAST) and Software Composition Analysis (SCA) data from GitHub repositories. This integration helps you view and manage vulnerability alerts directly within your ServiceNow instance, enhancing your ability to monitor and remediate security issues across your GitHub environment.
The integration supports multiple GitHub organizations (on-premise and Enterprise) and their repositories. Once application data is imported using the GitHub Repos Integration, vulnerability and alert data from repositories can be imported and processed as applications in the Application Vulnerability Response application.
Key Features
- GitHub Repos Integration: Imports all application data from configured GitHub organizations and repositories. This is foundational and must be run before other GitHub integrations.
- GitHub CodeScan Integration: Retrieves code scanning alerts for security vulnerabilities and coding errors, mapping results to SAST data in ServiceNow.
- GitHub Dependabot Integration: Imports Dependabot alerts for vulnerable dependencies, mapping them to SCA results.
- GitHub Secret Scanning: Scans for secrets in code, mapping findings to SCA results with specific scan types for secrets.
- GitHub Secret Scanning Location: Provides detailed locations and line numbers of secrets in code to assist remediation efforts.
- SBOM Uploads: Supports uploading Software Bill of Materials (SBOM) files from GitHub CI/CD pipelines to the ServiceNow AI Platform®, helping protect development environments by identifying potentially harmful components.
- Run-as User Configuration: Each integration record uses a configured run-as user (default VR.System), which should not be changed to ensure proper operation.
Viewing Imported Data
Imported data is accessible within the ServiceNow instance across various tables, allowing you to analyze and act on vulnerability insights:
- Discovered Applications [sn_vul_app_release]: Shows application data imported from the GitHub Repos Integration.
- Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary]: Displays scan summaries from the various GitHub integrations.
- Application Vulnerable Items [sn_vul_app_vulnerable_item]: Lists the individual vulnerabilities identified.
- Packages [sn_vul_app_package]: Contains dependency package information from the Dependabot integration.
- Application Vulnerability Entries [sn_vul_app_vul_entry]: Stores code scanning vulnerability entries from the GitHub CodeScan integration.
Custom repository properties and tags configured in GitHub are imported as key-value pairs and can be viewed within the Discovered Applications table.
Practical Benefits
This integration streamlines the import and management of GitHub security alerts within ServiceNow’s Application Vulnerability Response feature, enabling you to:
- Consolidate vulnerability data from multiple GitHub organizations and repositories.
- Correlate third-party scanner data with your vulnerability response workflows.
- Gain detailed insights into code vulnerabilities, dependency risks, and secrets exposure.
- Enhance your remediation efforts with precise vulnerability locations and metadata.
- Leverage SBOM uploads to proactively protect software development lifecycles.
The GitHub Application Vulnerability Integration imports Static Application Security Testing (SAST) and Software Composition Analysis (SCA) data to help you view vulnerability alerts for the repositories in your GitHub environment.
GitHub Application Vulnerability Integration
The GitHub Application Vulnerability Integration collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities and GitHub alerts in your instance.
The GitHub environment supports multiple organizations. These organizations, both on-premise and Enterprise, might contain various departments, such as Engineering, Quality, Documentation, and so on. Each organization, in turn, can support multiple repositories. After you import your application data with the GitHub Repos Integration, you can import vulnerability and alert data from these repositories. Imported data is processed like an application in the Application Vulnerability Response application. When scanners detect vulnerabilities and generate alerts for the repositories, vulnerabilities are created in Application Vulnerability Response.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Available versions
| Release version | Release notes |
|---|---|
| GitHub Application Vulnerability Integration v1.2, v1.1, 1.0 | Application Vulnerability Response release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes. |
GitHub integrations
| Integration | Description |
|---|---|
| GitHub Repos Integration | Starting with v1.1, imports all the application data for your GitHub on-premise and Cloud (Enterprise) accounts. The integration imports applications from the repositories you have configured for an Organization (on-premise) or from your Enterprise (Cloud) environment. Run this integration before running the other GitHub integrations, because they depend on the current application data imported from the Repos Integration. |
| GitHub CodeScan Integration | Retrieves Code scanning vulnerability alerts from GitHub repositories for security vulnerabilities and coding errors. Imported data is mapped to SAST results in your instance. |
| GitHub Dependabot Integration | Retrieves Dependabot alerts for dependencies with known vulnerabilities from repositories. Imported data is mapped to SCA results in your instance. |
| GitHub Secret Scanning | Retrieves secrets detected in your organization's code along with the application security testing results. The data is mapped to SCA results in your instance. The system maps secrets to Application Vulnerable Items (AVITs) with scan type Secret and maps generic secrets to AVITs with scan type Generic Secret. |
| GitHub Secret Scanning Location | Retrieves the location and line numbers of the scanned secrets in your organization's code to help your developers remediate them. |
Uploading SBOM files to the ServiceNow AI Platform® from your GitHub repositories
Determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform® instance.
- Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.
- Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace.
The SBOM applications are required to upload SBOM files. See Exploring Software Bill of Materials for more information.
Viewing imported data
Imported application data from the GitHub Repos Integration is displayed on the Discovered Applications [sn_vul_app_release] table. Run this integration first.
The Repos Integration imports the tags and topics you have configured for a repository in your GitHub account from the Settings menu. Custom properties are located on the menu under your repository. Values you set for the properties are imported as key-value pairs. For more information on where to view this information in your instance, see View the GitHub Application Vulnerability Integration import run status and imported repository data.
Imported data (findings) from the GitHub Dependabot Integration is displayed on the following tables.
- Discovered Applications [sn_vul_app_release].
- Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary].
- Application Vulnerable Items [sn_vul_app_vulnerable_item].
- Packages [sn_vul_app_package].
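As an added illustration (not ServiceNow's integration code), the following Python shapes a batch of GitHub Dependabot alerts, in the JSON form returned by the GitHub REST API's `GET /repos/{owner}/{repo}/dependabot/alerts`, into the three kinds of records the Dependabot integration populates: one vulnerable item per alert, the distinct packages, and a per-repository scan summary. The field mapping, the sample alerts and the placeholder advisory IDs are constructed for this example; the integration's actual mapping is not documented on this page.

```python
from collections import Counter

# Constructed sample alerts (placeholder advisory IDs, not real vulnerabilities),
# trimmed to the fields used below, in the shape of GitHub's Dependabot alerts API.
SAMPLE_ALERTS = [
    {"number": 7, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-parser"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-0000-placeholder-01", "cve_id": None,
                           "severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.1.0"}}},
    {"number": 9, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "example-web-framework"},
                    "manifest_path": "requirements.txt"},
     "security_advisory": {"ghsa_id": "GHSA-0000-placeholder-02",
                           "cve_id": "CVE-0000-00000", "severity": "critical"},
     "security_vulnerability": {"first_patched_version": None}},
    {"number": 4, "state": "fixed",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-parser"},
                    "manifest_path": "web/package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-0000-placeholder-03", "cve_id": None,
                           "severity": "medium"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.9.0"}}},
]

def to_vulnerable_items(repo, alerts):
    """One record per alert, analogous to an Application Vulnerable Item."""
    items = []
    for a in alerts:
        adv, pkg = a["security_advisory"], a["dependency"]["package"]
        patched = a["security_vulnerability"].get("first_patched_version")
        items.append({
            "id": f"{repo}#{a['number']}",
            "state": a["state"],
            "severity": adv["severity"],
            "advisory": adv["cve_id"] or adv["ghsa_id"],  # prefer the CVE when GitHub has one
            "package": f"{pkg['ecosystem']}:{pkg['name']}",
            # None: GitHub lists no fixed version yet, so remediation needs manual review
            "fixed_in": patched["identifier"] if patched else None,
        })
    return items

def to_packages(alerts):
    """Distinct (ecosystem, name) pairs, analogous to the Packages table."""
    return sorted({(a["dependency"]["package"]["ecosystem"],
                    a["dependency"]["package"]["name"]) for a in alerts})

def to_scan_summary(repo, alerts):
    """Per-repository roll-up of open alerts, analogous to a Scan Summary."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    counts = Counter(a["security_advisory"]["severity"] for a in open_alerts)
    return {"repo": repo, "total": len(alerts), "open": len(open_alerts),
            "open_by_severity": dict(counts)}
```

Running this against a repository's live alert feed before enabling the integration shows what the Scan Summary, Vulnerable Item and Package records will contain, and flags alerts with no fixed version that will need manual remediation decisions.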
Imported data from the GitHub CodeScan Integration is displayed on the following tables.
- Discovered Applications [sn_vul_app_release].
- Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary].
- Application Vulnerability Entries [sn_vul_app_vul_entry].
- Application Vulnerable Items [sn_vul_app_vulnerable_item].