Overview
The GitHub integration bridges your development workflow and your security engagements. Connect GitHub repositories to Pwnbook to:
- Automatically trigger threat model reviews when pull requests are opened
- Run security scans against repository code
- Receive webhook-driven notifications about repository security events
- Import repository structure into architecture models
Setting up the GitHub App
Install the Pwnbook GitHub App
- Go to Organization Settings → Marketplace → GitHub.
- Click Install GitHub App.
- You’ll be redirected to GitHub to install the Pwnbook GitHub App.
- Select the GitHub organization or personal account where you want to install the app.
- Choose which repositories to grant access to (specific repositories or all repositories).
- Click Install.
Connect repositories to engagements
After installing the app, connect specific repositories to your Pwnbook engagements:
- Open an engagement.
- Go to Settings → Integrations → GitHub.
- Click Connect Repository.
- Select a repository from the list. The list contains only the repositories the app was granted access to when it was installed.
- Click Connect.
Configure webhook events
Choose which GitHub events trigger actions in Pwnbook:
- In the GitHub integration settings, click Configure Events.
- Toggle the events you want to handle (see Webhook events below).
- Click Save.
PR threat modeling
When a pull request is opened against a connected repository, Pwnbook can automatically analyze the changes and suggest threat model updates.
How it works
- A developer opens a pull request.
- Pwnbook receives the webhook event and analyzes the diff.
- If security-relevant changes are detected (authentication, authorization, data handling, cryptography, external service calls, etc.), Pwnbook identifies applicable threats.
- Suggested threats are added to the threat model linked to the connected engagement.
- You receive a notification to review the suggestions.
- Optionally, Pwnbook posts a comment on the pull request with its findings.
Enabling PR threat modeling
- Open the engagement linked to the repository.
- Go to Threat Models and create or open a threat model.
- In the threat model settings, enable GitHub PR Integration.
- Select the connected repository.
- Save.
PR comments
If PR comments are enabled, Pwnbook will post a security review comment on each PR it analyzes. The comment includes:
- A summary of detected security-relevant changes
- Applicable threat categories
- Links to the relevant threat model in Pwnbook
- Recommended actions
PR comments are posted under the identity of the Pwnbook GitHub App installation, not under an individual user's account. The Pwnbook GitHub App needs write permission on pull requests to post these review comments.
Repository scanning
Repository scanning analyzes connected repositories for security issues in the codebase. To run a repository scan:
- Go to Organization Settings → Integrations → GitHub.
- Select a connected repository.
- Click Run Scan.
- Choose the scan type: a full scan of the repository, or an incremental scan covering only changes since the last scan.
- Click Start.
Webhook events
Pwnbook can respond to the following GitHub webhook events:

| Event | Pwnbook action |
|---|---|
| pull_request.opened | Trigger PR threat model analysis |
| pull_request.synchronize | Re-analyze updated PR diffs |
| pull_request.closed | Mark PR threat model review as resolved |
| push | Trigger incremental repository scan on branch push |
| repository.created | Notify connected engagement of new repository |
| security_advisory | Import GitHub security advisory into engagement findings |
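As an added example (not Pwnbook's own code), the following Python receiver shows what happens between "a developer opens a pull request" and "Pwnbook identifies applicable threats": it verifies GitHub's X-Hub-Signature-256 header with a constant-time HMAC comparison before parsing anything, routes each delivery using the event table above, and, for opened and synchronized pull requests, runs a keyword heuristic over the added diff lines for the change categories listed under How it works. The secret, the ROUTES and SECURITY_PATTERNS tables, the sample payload and diff, and the fetch_diff callback are assumptions; the heuristic stands in for whatever analysis Pwnbook actually performs, and the callback stands in for fetching the diff from the GitHub API, since the webhook payload itself carries no diff.

```python
"""Illustrative GitHub webhook receiver: signature check, event routing and a
simple security-relevance heuristic over added diff lines (not Pwnbook code)."""
import hashlib
import hmac
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical secret; the real one is the webhook secret set on the GitHub App.
WEBHOOK_SECRET = b"example-webhook-secret"

# "event.action" (or bare event) -> action from the Webhook events table
ROUTES = {
    "pull_request.opened": "Trigger PR threat model analysis",
    "pull_request.synchronize": "Re-analyze updated PR diffs",
    "pull_request.closed": "Mark PR threat model review as resolved",
    "push": "Trigger incremental repository scan on branch push",
    "repository.created": "Notify connected engagement of new repository",
    "security_advisory": "Import GitHub security advisory into engagement findings",
}

# Illustrative patterns for the change categories listed under "How it works".
SECURITY_PATTERNS = {
    "authentication": r"\b(?:login|password|session|jwt|oauth|token)\b",
    "authorization": r"\b(?:permission|role|is_admin|authorize|acl)\b",
    "cryptography": r"\b(?:hashlib|hmac|aes|rsa|cipher|md5|sha1)\b",
    "data handling": r"(?:\bexecute\(|\bquery\b|\bpickle\b|\byaml\.load\b|\bdeserializ)",
    "external service calls": r"(?:\brequests\.|\burlopen\(|https?://|\bfetch\()",
}


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: sha256=<hex HMAC-SHA256 of raw body>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of the header against the raw (unparsed) request body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)


def classify_diff(diff: str) -> Dict[str, List[str]]:
    """Return {category: [added lines]} for added lines matching a pattern.
    Only '+' lines are scanned; the '+++' file header is skipped."""
    hits: Dict[str, List[str]] = {}
    for line in diff.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for category, pattern in SECURITY_PATTERNS.items():
            if re.search(pattern, added, re.IGNORECASE):
                hits.setdefault(category, []).append(added)
    return hits


def route_event(event: str, payload: dict) -> Optional[str]:
    """Look up 'event.action' first, then the bare event; None means ignore."""
    return ROUTES.get(f"{event}.{payload.get('action')}") or ROUTES.get(event)


def handle_delivery(headers: Dict[str, str], body: bytes, secret: bytes,
                    fetch_diff: Callable[[dict], str]) -> dict:
    """Process one delivery. Signature is checked before JSON parsing so an
    unsigned body never reaches the parser. fetch_diff stands in for fetching
    the PR diff through the GitHub API."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return {"status": 401, "reason": "bad signature"}
    payload = json.loads(body)
    event = headers.get("X-GitHub-Event", "")
    route = route_event(event, payload)
    if route is None:
        return {"status": 204, "reason": f"ignored event {event}"}
    result = {"status": 200, "event": event, "route": route}
    if event == "pull_request" and payload.get("action") in ("opened", "synchronize"):
        hits = classify_diff(fetch_diff(payload))
        result["categories"] = sorted(hits)
        result["security_relevant"] = bool(hits)
    return result


# Constructed sample delivery: a pull_request.opened payload and a small diff
# that introduces an MD5-based password check (authentication + cryptography).
SAMPLE_PAYLOAD = {
    "action": "opened",
    "number": 42,
    "pull_request": {"diff_url": "https://example.invalid/pull/42.diff"},
    "repository": {"full_name": "example-org/example-app"},
}
SAMPLE_DIFF = """diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -1,3 +1,6 @@
 import os
+import hashlib
+def check_password(user, password):
+    return hashlib.md5(password.encode()).hexdigest() == user.password_hash
 def ping():
     return "ok"
"""


def sample_delivery(secret: bytes = WEBHOOK_SECRET) -> Tuple[Dict[str, str], bytes]:
    """Headers and raw body as GitHub would deliver them, signed with `secret`."""
    body = json.dumps(SAMPLE_PAYLOAD).encode()
    return {"X-GitHub-Event": "pull_request",
            "X-Hub-Signature-256": sign_body(secret, body)}, body


if __name__ == "__main__":
    hdrs, raw = sample_delivery()
    print(handle_delivery(hdrs, raw, WEBHOOK_SECRET, lambda _p: SAMPLE_DIFF))
```

Two points the code makes concrete: the signature is computed over the raw bytes, so a receiver must verify before (and independently of) JSON parsing, and a delivery for an unconfigured event or action should be acknowledged and dropped rather than treated as an error.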
Disconnecting a repository
To remove a repository connection:
- Open the engagement.
- Go to Settings → Integrations → GitHub.
- Click Disconnect next to the repository.
Uninstalling the GitHub App
To completely remove the Pwnbook GitHub App from your GitHub account or organization:
- Go to GitHub → Settings → Applications → Installed GitHub Apps.
- Find Pwnbook and click Configure.
- Click Uninstall.