GitHub Copilot
The GitHub connector discovers the Copilot coding agent across an organization's repositories, imports its activity as MITRITY audit events, and reads org-level security posture — all through a read-only GitHub App that you create and install. It never writes to your organization.
Read SaaS-Embedded Agent Governance first for the connector model; this page covers GitHub specifics.
What it discovers
- The organization's Copilot deployment as a single governed agent.
- Copilot coding agents per repository, detected via the
copilot_coding_agentrepository custom property. GitHub does not expose a dedicated "agents" API, so the connector keys off the property GitHub sets when the coding agent is enabled on a repo.
Each discovered agent arrives with state discovered under Agents → Needs review, with a link back to the repository or organization on GitHub.
Requirements
| Requirement | Detail |
|---|---|
| GitHub plan | Any org for Discover + Posture. Full Observe (org audit log) requires GitHub Enterprise Cloud — see the caveat below. |
| Role | You must be an organization owner to create and install the App. |
| MITRITY plan | Pro or Enterprise; Owner or Manager role. |
Step 1 — Create a read-only GitHub App
- In GitHub, go to Organization Settings → Developer settings → GitHub Apps → New GitHub App.
- Name it (e.g.
mitrity-governance) and set any homepage URL. Leave the webhook inactive — the connector polls, it does not receive webhooks. - Grant read-only permissions only. The connector needs to read organization and repository metadata, custom properties, and — for Observe — the organization audit log. Do not grant any write permission.
- Restrict installation to this organization only.
- Create the App, then generate a private key — GitHub downloads a
.pemfile. This is the secret MITRITY stores (encrypted); keep it safe. - Note the App ID shown on the App's settings page.
Step 2 — Install the App on your organization
- From the App's page, click Install App and install it on your organization (all repositories, or a selected set).
- After installing, the URL contains the Installation ID (
.../installations/<id>). Note it.
Step 3 — Connect in MITRITY
In Settings → Platforms → Connect a platform, choose GitHub and provide:
| Field | Value |
|---|---|
| Account / Organization | Your GitHub organization login, e.g. acme-org |
| App private key (PEM) | The contents of the .pem file from Step 1 |
| App ID | The numeric App ID from Step 1 |
| Installation ID | The Installation ID from Step 2 |
Save, then click Sync now. The connector mints a short-lived installation token from your App key at sync time (the long-lived key never leaves the encrypted store) and runs Discover → Observe → Posture.
Observe requires GitHub Enterprise Cloud
The organization audit-log API — the connector's richest Observe source for Copilot activity — is available only on GitHub Enterprise Cloud. On a non-Enterprise organization the connector still runs: it discovers agents and reads posture, and simply imports no audit events instead of erroring. If you expect Copilot activity in your MITRITY audit log and see none, confirm the org is on Enterprise Cloud.
Imported events carry source = github and are marked as observed (recorded, not gated). They flow to the audit log, Insights, and any configured SIEM destination exactly like runtime events.
Posture
The connector reads what GitHub exposes about the org's Copilot and security configuration and records findings (OK / Warning / Unknown). Where a control cannot be read directly through the App's permissions, the connector records a proxy finding from what is readable (workflow-run metadata, repository properties) and marks it Unknown rather than asserting OK — a visibility gap is never reported as a pass. See Posture & Security.
Governing a discovered agent
Once agents appear under Needs review, assign a policy to move one to governed, or suppress it. Assigning a policy sets its governance mode to Constrained (governed out-of-band); GitHub-embedded agents are not enforced in-band in this release — see read-only by design.