GitHub Application Vulnerability Integration
The GitHub Application Vulnerability Integration imports Static Application Security Testing (SAST) and Software Composition Analysis (SCA) data to help you view vulnerability alerts for the repositories in your GitHub environment.
GitHub Application Vulnerability Integration
The GitHub Application Vulnerability Integration collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities and GitHub alerts in your instance.
The GitHub environment supports multiple organizations. These organizations, both on-premise and Enterprise, might contain various departments, such as Engineering, Quality, Documentation, and so on. Each organization, in turn, can support multiple repositories.
Generally, you should import organizational data first with the GitHub Organizations Integration and then import data for your repositories with the GitHub Repos Integration, so that the repository data is imported for each organization. This order of execution is not mandatory, however, because your environment might be set up differently.
After you import your application data with the GitHub Repos Integration, you can import vulnerability and alert data from these repositories. Imported data is processed like an application in the Application Vulnerability Response application. When scanners detect vulnerabilities and generate alerts for the repositories, vulnerabilities are created in Application Vulnerability Response.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Available versions
| Release version | Release notes |
|---|---|
| | GitHub Application Vulnerability Integration |

Note: If you want to use a version of this application that is compatible with Unified Security Exposure Management (USEM), see Migrating from Vulnerability Response to Unified Security Exposure Management (USEM) for more information about USEM and the migration. If you do not intend to upgrade to USEM, install a version of this application lower than v30.x, and do the same when upgrading its supported third-party integration applications. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.
GitHub integrations
| Integration | Description and ServiceNow AI Platform® tables | Notes |
|---|---|---|
| GitHub Organizations Integration | Imports GitHub organization records from GitHub into the Discovered Organizations [sn_vul_discovered_org] table. | If you want to run this integration using Enterprise mode to import data for all your organizations and repos in an enterprise environment, run this integration before running the other GitHub integrations, because they depend on current organizational data imported from this integration. If you want to import only refreshed metadata for your organizations and repos using Organization mode, you don't have to run this integration first. For more information about configuring the integrations, see Configure the GitHub Application Vulnerability Integration. |
| GitHub Repos Integration | Imports all the application data for your GitHub on-premise and Cloud (Enterprise) accounts into the Discovered Applications [sn_vul_app_release] table. | The integration imports applications from the repositories you have configured for an Organization (on-premise) or from your Enterprise (Cloud) environment. |
| GitHub CodeScan Integration | Imports code scanning vulnerability alerts for security vulnerabilities and coding errors from GitHub repositories into the Discovered Applications [sn_vul_app_release], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. | Imported data is mapped to SAST results in your instance. |
| GitHub Dependabot Integration | Imports Dependabot alerts for dependencies with known vulnerabilities from repositories into the Discovered Applications [sn_vul_app_release], Package [sn_vul_app_package], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. | Imported data is mapped to SCA results in your instance. |
| GitHub Secret Scanning | Imports secrets from your organization's code, along with the application security testing results, into the Discovered Applications [sn_vul_app_release], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. | The system maps secrets to application vulnerable items (AVITs) with scan type secret and maps generic secrets to AVITs with scan type generic_secret. |
| GitHub Secret Scanning Location | Imports the location and line numbers for the scanned secrets in your organizations' code into the Application Vulnerable Item [sn_vul_app_vulnerable_item] table. | Helps your developers with vulnerability remediation. |
For more details about source fields and mapping in your instance, see Field mapping for the GitHub Application Vulnerability Integration Integrations.
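As an added illustrative model (not ServiceNow's own field mapping or code), the following Python sketch shows how one alert from each integration fans out into the Discovered Application, Application Vulnerability Entry and Application Vulnerable Item records with the scan types the table names, and why an alert for a repository the Repos Integration has not yet imported cannot be placed. The alert payloads, repository names and the set of secret types treated as generic are constructed assumptions; the payload field names follow the GitHub REST alert objects.

```python
from dataclasses import dataclass
from typing import Optional

# Repositories the Repos Integration has already imported (constructed sample).
DISCOVERED_APPS = {"acme/payments"}
# Assumption for this model only: which GitHub secret types count as "generic" secrets.
GENERIC_SECRET_TYPES = {"password", "http_basic_authentication_header"}

@dataclass(frozen=True)
class VulnerableItem:
    app: str              # Discovered Application [sn_vul_app_release]
    entry: str            # Application Vulnerability Entry [sn_vul_app_vul_entry]
    scan_type: str        # SAST, SCA, secret or generic_secret, as the table describes
    path: Optional[str]   # code location, when the source supplies one
    line: Optional[int]

def normalize(alert: dict, source: str, locations: Optional[dict] = None) -> Optional[VulnerableItem]:
    """Map one GitHub alert to a vulnerable-item record. Returns None when the repository
    is not yet a Discovered Application, which is why the Repos Integration runs first."""
    repo = alert["repo"]
    if repo not in DISCOVERED_APPS:
        return None
    if source == "codescan":  # SAST: the entry is the rule, the location is the finding
        loc = alert["most_recent_instance"]["location"]
        return VulnerableItem(repo, alert["rule"]["id"], "SAST", loc["path"], loc["start_line"])
    if source == "dependabot":  # SCA: the entry is advisory + package, the path is the manifest
        pkg = alert["dependency"]["package"]
        entry = f'{alert["security_advisory"]["ghsa_id"]}:{pkg["ecosystem"]}/{pkg["name"]}'
        return VulnerableItem(repo, entry, "SCA", alert["dependency"]["manifest_path"], None)
    if source == "secret":  # secret scanning; path and line come from the Location import
        kind = "generic_secret" if alert["secret_type"] in GENERIC_SECRET_TYPES else "secret"
        path, line = (locations or {}).get(alert["number"], (None, None))
        return VulnerableItem(repo, alert["secret_type"], kind, path, line)
    raise ValueError(f"unknown source: {source}")

# Constructed alert samples shaped like the GitHub REST alert objects (GHSA id is a placeholder).
CODESCAN_ALERT = {"repo": "acme/payments", "number": 7, "rule": {"id": "py/sql-injection"},
                  "most_recent_instance": {"location": {"path": "app/db.py", "start_line": 42}}}
DEPENDABOT_ALERT = {"repo": "acme/payments", "number": 3,
                    "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxxx"},
                    "dependency": {"package": {"ecosystem": "pip", "name": "requests"},
                                   "manifest_path": "requirements.txt"}}
SECRET_ALERTS = [{"repo": "acme/payments", "number": 11, "secret_type": "github_personal_access_token"},
                 {"repo": "acme/payments", "number": 12, "secret_type": "password"}]
SECRET_LOCATIONS = {11: ("config/settings.py", 9)}  # alert number -> (path, line)

def run_import() -> list:
    items = [normalize(CODESCAN_ALERT, "codescan"), normalize(DEPENDABOT_ALERT, "dependabot")]
    items += [normalize(a, "secret", SECRET_LOCATIONS) for a in SECRET_ALERTS]
    return [i for i in items if i is not None]
```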
Uploading SBOM files to the ServiceNow AI Platform® from your GitHub repositories
Determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform® instance.
- Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.
- Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace.
The SBOM applications are required to upload SBOM files. See Exploring Software Bill of Materials for more information.
Viewing imported data
The Repos Integration imports the tags and topics you have configured for a repository in your GitHub account from the Settings menu. Any custom properties are located on the menu under your repository. Values you set for these properties are imported as key-value pairs. For more information on where to view this information in your instance, see View the GitHub Application Vulnerability Integration import run status and imported repository data.