Novo: AIBOM: uma lista de materiais em tempo real de cada agente, ferramenta e conector. Veja como
Docs / Agentes incorporados em SaaS / GitHub Copilot

GitHub Copilot

The GitHub connector discovers the Copilot coding agent across an organization's repositories, imports its activity as MITRITY audit events, and reads org-level security posture — all through a read-only GitHub App that you create and install. It never writes to your organization.

Read SaaS-Embedded Agent Governance first for the connector model; this page covers GitHub specifics.

What it discovers

  • The organization's Copilot deployment as a single governed agent.
  • Copilot coding agents per repository, detected via the copilot_coding_agent repository custom property. GitHub does not expose a dedicated "agents" API, so the connector keys off the property GitHub sets when the coding agent is enabled on a repo.

Each discovered agent arrives with state discovered under Agents → Needs review, with a link back to the repository or organization on GitHub.

Requirements

RequirementDetail
GitHub planAny org for Discover + Posture. Full Observe (org audit log) requires GitHub Enterprise Cloud — see the caveat below.
RoleYou must be an organization owner to create and install the App.
MITRITY planPro or Enterprise; Owner or Manager role.

Step 1 — Create a read-only GitHub App

  1. In GitHub, go to Organization Settings → Developer settings → GitHub Apps → New GitHub App.
  2. Name it (e.g. mitrity-governance) and set any homepage URL. Leave the webhook inactive — the connector polls, it does not receive webhooks.
  3. Grant read-only permissions only. The connector needs to read organization and repository metadata, custom properties, and — for Observe — the organization audit log. Do not grant any write permission.
  4. Restrict installation to this organization only.
  5. Create the App, then generate a private key — GitHub downloads a .pem file. This is the secret MITRITY stores (encrypted); keep it safe.
  6. Note the App ID shown on the App's settings page.

Step 2 — Install the App on your organization

  1. From the App's page, click Install App and install it on your organization (all repositories, or a selected set).
  2. After installing, the URL contains the Installation ID (.../installations/<id>). Note it.

Step 3 — Connect in MITRITY

In Settings → Platforms → Connect a platform, choose GitHub and provide:

FieldValue
Account / OrganizationYour GitHub organization login, e.g. acme-org
App private key (PEM)The contents of the .pem file from Step 1
App IDThe numeric App ID from Step 1
Installation IDThe Installation ID from Step 2

Save, then click Sync now. The connector mints a short-lived installation token from your App key at sync time (the long-lived key never leaves the encrypted store) and runs Discover → Observe → Posture.

Observe requires GitHub Enterprise Cloud

The organization audit-log API — the connector's richest Observe source for Copilot activity — is available only on GitHub Enterprise Cloud. On a non-Enterprise organization the connector still runs: it discovers agents and reads posture, and simply imports no audit events instead of erroring. If you expect Copilot activity in your MITRITY audit log and see none, confirm the org is on Enterprise Cloud.

Imported events carry source = github and are marked as observed (recorded, not gated). They flow to the audit log, Insights, and any configured SIEM destination exactly like runtime events.

Posture

The connector reads what GitHub exposes about the org's Copilot and security configuration and records findings (OK / Warning / Unknown). Where a control cannot be read directly through the App's permissions, the connector records a proxy finding from what is readable (workflow-run metadata, repository properties) and marks it Unknown rather than asserting OK — a visibility gap is never reported as a pass. See Posture & Security.

Governing a discovered agent

Once agents appear under Needs review, assign a policy to move one to governed, or suppress it. Assigning a policy sets its governance mode to Constrained (governed out-of-band); GitHub-embedded agents are not enforced in-band in this release — see read-only by design.

GitHub Copilot — Documentation | MITRITY