# Adding GitHub Repositories

HackerOne's GitHub application for our code security product is an a verified application in GitHub's official marketplace [listed as PullRequest](https://github.com/marketplace/pullrequest).

This application is compatible for GitHub Organizations using:

* [**GitHub.com (Cloud)**](http://github.com/)
* [**GitHub Enterprise Cloud**](https://docs.github.com/en/enterprise-cloud@latest/admin/overview/about-github-enterprise-cloud)

{% hint style="info" %}
Need instructions for **GitHub Enterprise Server** (on-premise)? See our [On-Premise Integration Guide](https://docs.pullrequest.com/on-premise-server).
{% endhint %}

## Dataflow Diagram

For a visualization of how HackerOne Code and our systems interact with your GitHub Organization and authorized repositories, see and download the diagram below.

<figure><img src="/files/mTIjukoZs9IxXqsQ3ewt" alt=""><figcaption><p>Dataflow diagram</p></figcaption></figure>

{% file src="/files/ezUXFWvFx06QzNFN3PJI" %}
Click to download
{% endfile %}

## Step 1: Authorize and Connect

After [signing up](https://docs.pullrequest.com/pullrequest-docs/getting-started/create-an-account), you'll be prompted to authorize and connect with a version control hosting provider. Click the **Sync with GitHub** option.

{% hint style="warning" %}
GitHub Enterprise: Users with [Enterprise Owner ](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles#enterprise-owners)permissions are required to sign up by configuring a user name and password (not via the Sign in with GitHub option) before connecting projects and authenticating with GitHub.&#x20;
{% endhint %}

<figure><img src="/files/Bfi5HApC9IwOapzb4Tsr" alt=""><figcaption></figcaption></figure>

You'll then be asked to authorize your GitHub user account with PullRequest.

<figure><img src="/files/Hi0B027x8RUQPdWqOIhl" alt=""><figcaption></figcaption></figure>

## Step 2: Install the PullRequest GitHub app

After authorizing with your GitHub account, you'll be directed to a page to select which GitHub Organization you want to install PullRequest on.

{% hint style="info" %}
**NOTE**: Every GitHub user account is treated like an Organization and will be shown in this list. It's likely you'll need to connect to your company's Organization instead of your GitHub user's Organization (see below).
{% endhint %}

You can [**click here**](https://github.com/apps/pullrequest/installations/new) to access this page directly.

<figure><img src="/files/SyLl2iyL6ZzPXiFOPKkg" alt=""><figcaption><p>Be sure to select the GitHub Organization your team uses rather than your GitHub username.</p></figcaption></figure>

If a GitHub Profile or Organization already has PullRequest installed, the text **Configure** will appear on the selection.

![GitHub Organizations with a "Configure" option already have the PullRequest app installed.](/files/-MA2mikyp46hEw_UWZjU)

{% hint style="warning" %}
**Q: I don't see the Organization I'm trying to add. How do I add it?**

A:  You'll need to reach out to an Owner of your GitHub Organization with [**this link**](https://github.com/apps/pullrequest/installations/new) to complete the integration. We recommend also including the [**explanation of permissions**](https://docs.pullrequest.com/customer-documentation/cloud-integrations/adding-github-repositories#required-permissions) which describes what we need the integration permissions for and how we use them.

To determine who in your GitHub Organization has an Owner role, follow [**these steps**](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/viewing-peoples-roles-in-an-organization).
{% endhint %}

## Step **3**: Select Repositories

You'll be asked to allow PullRequest to access **All Repositories** or **Only select repositories**.

After you've made your selection, click the **Install** button.

<figure><img src="/files/CRgqobQNFae4QaJygZfa" alt=""><figcaption></figcaption></figure>

### Required Permissions

Our integration adheres to the principle of least privilege, ensuring that it only has the access necessary to perform its intended function—providing valuable insights in pull request discussions. Here are the permissions we require and how we use them.

{% hint style="info" %}
**Required Permissions for GitHub.com and GitHub Enterprise Cloud Integration**\
[\
**Commit Statuses (Read and Write)**](https://docs.github.com/en/rest/commits/statuses?apiVersion=2022-11-28#about-commit-statuses)\
This allows our service to to mark the status of our scanning and validation operations based on relevant commits. These states include: `error`, `failure`, `pending`, or `success`. Statuses will be visible from the pull request in GitHub to let end users know a scan is in progress. When it completes, they'll see a high-level description of the outcome of the scan.<br>

[**Issues (Read and Write)**](https://docs.github.com/en/rest/issues/issues?apiVersion=2022-11-28)\
We use the Issues permission to subscribe to events related to a pull request comment and for updating comment state (e.g., mark an inline comment as "Resolved"). GitHub's REST API considers every pull request an issue, which is why we need it in addition to the Pull Requests permission.

[**Pull requests (Read and Write)**](https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28)\
This permission allows our system to detect pull requests, information about them our system needs for determining workflow executions and so end-users can interact with the service from the GitHub interface.

***Our service never updates or deletes source code in your repository***. Our integration DOES NOT execute any code-modifying operations.\
\
[**Members (Read-only)**](https://docs.github.com/en/rest/teams/members?apiVersion=2022-11-28#about-team-members)\
Our system uses this permission to [get](https://docs.github.com/en/rest/teams/members?apiVersion=2022-11-28#get-team-membership-for-a-user) and [list members](https://docs.github.com/en/rest/teams/members?apiVersion=2022-11-28#list-team-members) of the GitHub Organization which can be assigned service licenses in our systems and so it can determine what teams are visible to end-users.\
\
[**Contents (Read-only)**](https://docs.github.com/en/rest/repos/contents?apiVersion=2022-11-28)\
This allows our service to get contents of a repository as needed for code scanning and validation. For example, certain files within a repository that are unchanged in the pull request code diff may still be relevant for determining reachability of a detected issue. The Contents permission allows our system to call to GitHub with a `path` parameter to reference the contents it needs.\
\
[**Metadata (Read-only)**](https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-metadata)\
The Metadata permission is required for all GitHub applications. This allows our system to list repositories, contributors, know what contributors have access to, and ensure any changes in GitHub are up-to-date in our systems.\
\
[**Email addresses (Read-only)**](https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#user-permissions-for-email-addresses)\
When a member of your team creates a user account, our system uses this permission to apply the email address for their GitHub user to user profile in our systems. We use email communication for service events, occasional product release notes, and in case our staff need to reach out directly.
{% endhint %}

## Step 5: View Repositories

Your repositories should now appear on our [**dashboard**](https://app.pullrequest.com/dash/) page when the GitHub Organization is selected from the Organizations drop-down menu at the top-left portion of the screen.

<figure><img src="/files/era9aA1m8HMMPXGHYwbS" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**NOTE:** This guide contains screenshots from third-party partner interfaces that may be modified without notice. If you have any issues or questions about connecting with PullRequest, please reach out to <support@pullrequest.com>.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.pullrequest.com/customer-documentation/cloud-integrations/adding-github-repositories.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.