
GitHub: Quickstart

Set up the Vanta and GitHub integration in minutes

✅ Feature availability: This integration is now available for Vanta Government customers.

Connect GitHub to Vanta so that the code reviews, branch protection, and vulnerability alerts your team manages in GitHub automatically feed your compliance tests, with no manual uploads required.

This guide is for: GitHub Cloud (Free, Team, or Enterprise Cloud on github.com)

Time to complete: ~5 minutes

This quickstart walks you through four phases:

  1. Open the GitHub integration in Vanta and select your connection type (~1 min)

  2. Authorize Vanta in GitHub and select your organization (~2 min)

  3. Choose which repositories Vanta can access (~1 min)

  4. Confirm Dependabot is enabled in GitHub if you want vulnerability alerts (~1 min)


Before you begin

Confirm all of the following before starting:

  • You have a GitHub Organization account (personal accounts are not supported).

  • You are an Organization Owner in that GitHub org.

  • You have Vanta admin access.

  • (If reconnecting) You have uninstalled the previous Vanta GitHub App from your org (Settings > Installed GitHub Apps > Uninstall).

  • (Optional) If you want vulnerability scanning, confirm Dependabot is enabled in your GitHub org settings.


Setup guide

Follow these steps to connect the integration.


Step 1: In Vanta, go to Integrations and search for GitHub in the Available tab.


Step 2: Click View details, then click Connect.

Step 3: When prompted to select your GitHub type, choose GitHub Cloud.

ℹ️ Note: You may see additional connection options depending on your GitHub plan. For standard GitHub Cloud, select GitHub Cloud.

Step 4: Select the products you want Vanta to monitor with GitHub. Toggle on the products relevant to your organization, then click Next.

Step 5: Choose your permission level:

  • Read access only — Read access is used to prove that branches are protected, pull requests are well-formed, and security issues are closed in a timely manner.

  • Read and write access — Write access is used for automating the tracking, assignment, and resolution of security and compliance tasks.

Step 6: Click Connect GitHub. A new browser tab will open and prompt you to sign into GitHub.

⚠️ Note: On the next screen, select your company organization — not your personal GitHub account. Installing on a personal account will cause an error and the connection will fail.

Step 7: Choose repository access:

  • All repositories (recommended) — Vanta monitors all current and future repos automatically.

  • Only selected repositories — You choose specific repos.

⚠️ Note: If you choose Only selected repositories, new repositories added to your org later won’t be monitored automatically. You must manually add them in GitHub.

Step 8: Click Install. The flow will redirect back to Vanta with GitHub showing as Connected.

Verify your connection

Confirm the connection with these steps.

  • GitHub should be listed under the Connected tab on your Vanta Integrations page.

  • In GitHub, go to your org’s Settings > Installed GitHub Apps. Confirm Vanta is listed.

  • Vanta will begin syncing your repositories, org members, merged pull requests, and Dependabot vulnerability alerts.

  • Initial sync may take several hours. This is normal; no action is needed.

(Optional) Set your production branch

By default, Vanta evaluates your repository's default branch for compliance tests. If your production branch has a different name, you can tell Vanta which branch to use.

To set a production branch:

  • Go to your GitHub organization Settings.

  • Go to Custom properties under the Repository category.

  • Click New Property.

  • For Name, enter: vanta_production_branch_name.

  • For Type, select Text.

  • (Optional) Check Require this property for all repositories and set a default value for your production branch.

  • You can also set this property per repository by clicking Set values on the Custom Properties page.

This can be set at the org level (applies to all repos) or per individual repository.
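
To check the result of the production branch steps above, the following added example (not Vanta's or GitHub's own code) reports, per repository, whether the branch comes from the vanta_production_branch_name property or from the default branch, and flags property values that name no existing branch. The sample data is constructed and shaped like trimmed responses from the GitHub REST endpoints named in the comments; treating a null or empty value as "not set" is an assumption.

```python
PROPERTY = "vanta_production_branch_name"  # property name from the guide

# Constructed sample data, shaped like trimmed GitHub REST responses.
REPOS = [  # GET /orgs/{org}/repos
    {"name": "api", "default_branch": "main"},
    {"name": "web", "default_branch": "develop"},
    {"name": "infra", "default_branch": "main"},
    {"name": "docs", "default_branch": "main"},
]
PROPERTY_VALUES = [  # GET /orgs/{org}/properties/values
    {"repository_name": "api", "properties": [{"property_name": PROPERTY, "value": None}]},
    {"repository_name": "web", "properties": [{"property_name": PROPERTY, "value": "release"}]},
    {"repository_name": "infra", "properties": [{"property_name": PROPERTY, "value": "prod "}]},
]
BRANCHES = {  # GET /repos/{owner}/{repo}/branches, reduced to branch names
    "api": {"main"}, "web": {"develop", "release"},
    "infra": {"main", "prod"}, "docs": {"main"},
}


def audit(repos, property_values, branches):
    """Return {repo: (branch, source, problem)}; problem is None when the branch exists."""
    configured = {}
    for entry in property_values:
        for prop in entry.get("properties", []):
            # Assumption: a null or empty value counts as "not set".
            if prop["property_name"] == PROPERTY and prop.get("value"):
                configured[entry["repository_name"]] = prop["value"]
    report = {}
    for repo in repos:
        name, existing = repo["name"], branches.get(repo["name"], set())
        if name in configured:
            branch, source = configured[name], "custom property"
        else:  # the guide's default: the repository's default branch
            branch, source = repo["default_branch"], "default branch"
        problem = None
        if branch not in existing:
            stray = branch.strip() in existing
            problem = "stray whitespace in property value" if stray else "no such branch"
        report[name] = (branch, source, problem)
    return report


if __name__ == "__main__":
    for name, (branch, source, problem) in audit(REPOS, PROPERTY_VALUES, BRANCHES).items():
        print(f"{name:6} {branch!r:10} via {source:15} {problem or 'ok'}")
```
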

Troubleshooting

Error: The connection to GitHub failed because you installed the integration to a personal profile

  • Likely cause: You installed the Vanta GitHub App on a personal GitHub account instead of an organization.

  • Fix: Return to GitHub, uninstall the Vanta app from your personal account (Settings > Applications > Installed GitHub Apps > Vanta > Uninstall), then restart the connection in Vanta and select your company organization.

Repositories are not appearing in Vanta

  • Likely cause: You selected Only selected repositories during setup and the repos you want are not included.

  • Fix: In GitHub, go to your org settings > Installed GitHub Apps > Vanta > Repository access. Add the missing repositories, or switch to All repositories.

Tests are still failing after I fixed my branch protection rules

  • Likely cause: Vanta syncs periodically, not in real time. Initial data sync may take several hours. Exact timing depends on the size of your organization.

  • Fix: Wait and then check the test status again.

Additional resources

For troubleshooting and advanced configuration (including how branch protection tests work and how GitHub Rulesets interact with Vanta), see the full setup instructions and reference documentation in the GitHub: Integration Guide.

For issues not covered here, contact Vanta Support.