
Integrations

Open Settings → Integrations (in some versions of the product the same section is labeled Code or Pipelines) to:

  • Connect GitHub or GitLab — Deep links to the provider-specific setup pages where you install or configure the integration, OAuth, or GitHub App as required.
  • Create Generic projects — Add manually managed projects that can receive uploaded SBOM data without connecting a source control provider.
  • Adjust remediation-related options — Where the product exposes them, configure how findings and automation behave in connection with your repositories, including the Default remediation behavior (for example, open a PR/MR).

Integrations: code providers and default remediation behavior

Connect GitHub or GitLab from the Code/Pipelines section, or create a Generic project when source control is not connected; then set Default remediation behavior (for example, open a PR/MR) and save.

Provider-specific steps (repository selection, project tree, git ref filters) are completed on the GitHub or GitLab integration pages linked from here. Generic projects collect a name, description, and optional URL instead.

GitLab authentication revocation

When GitLab is connected with an organization API token, only organization admins can revoke that organization-wide authentication. Revoking it removes GitLab integration access for everyone in the organization until an admin connects GitLab again.

When GitLab is connected through OAuth, each user can revoke their own GitLab authentication for the organization.

The Platform shows a confirmation dialog before either type of GitLab authentication is revoked. Review the confirmation text carefully so you understand whether the action affects only your account or the full organization.

GitHub App checks

When a GitHub repository is configured with Identify, the Platform reports scan progress back to GitHub as check runs on the relevant commit:

  • RunSafe SBOMs shows SBOM generation progress and links back to the Platform SBOM views.
  • RunSafe License Compliance Check waits for the SBOM data it needs, then evaluates your organization's license compliance policy.
  • RunSafe Vulnerability Compliance Check waits for the SBOM data it needs, then evaluates your organization's vulnerability compliance settings.

The license and vulnerability compliance checks may stay in progress while SBOMs and reports are still being generated. When they complete, their result reflects the policy settings configured in the Platform.
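The three check runs above are ordinary GitHub check runs, so they can be read through GitHub's check-runs API and used to gate a merge without relying on the GitHub UI. The following Python is an added example and is not RunSafe's or GitHub's code. It parses a constructed response in the shape returned by GET /repos/{owner}/{repo}/commits/{ref}/check-runs (which you can fetch with `gh api`), and distinguishes a check that is still waiting for SBOM data (status queued or in_progress) from one that has completed with a conclusion. Only the three check names come from this page; the helper names, the example URLs and the gate rules are the example's own.

```python
"""Summarize RunSafe check runs on a commit from a GitHub check-runs API response.

Added example, not RunSafe's code. Fetch a live response with, for instance:
    gh api repos/OWNER/REPO/commits/SHA/check-runs
The response embedded below is constructed for this example.
"""
import json

# Check run names the Platform reports back to GitHub (from the documentation).
RUNSAFE_CHECKS = (
    "RunSafe SBOMs",
    "RunSafe License Compliance Check",
    "RunSafe Vulnerability Compliance Check",
)

# Constructed sample: SBOM generation finished, both compliance checks still
# waiting for SBOM data, plus an unrelated CI check that must be ignored.
SAMPLE_RESPONSE = json.dumps({
    "total_count": 4,
    "check_runs": [
        {"name": "RunSafe SBOMs", "status": "completed", "conclusion": "success",
         "details_url": "https://platform.example.invalid/sboms/1"},
        {"name": "RunSafe License Compliance Check", "status": "in_progress",
         "conclusion": None, "details_url": "https://platform.example.invalid/license/1"},
        {"name": "RunSafe Vulnerability Compliance Check", "status": "in_progress",
         "conclusion": None, "details_url": "https://platform.example.invalid/vuln/1"},
        {"name": "build", "status": "completed", "conclusion": "success",
         "details_url": "https://ci.example.invalid/build/1"},
    ],
})


def summarize_runsafe_checks(check_runs_json: str) -> dict:
    """Map each RunSafe check name to its status/conclusion/details_url.

    A RunSafe check that does not appear on the commit maps to None, which is
    a distinct state from "queued": the check run was never created.
    """
    payload = json.loads(check_runs_json)
    summary = {name: None for name in RUNSAFE_CHECKS}
    for run in payload.get("check_runs", []):
        name = run.get("name")
        if name in summary:
            summary[name] = {
                "status": run.get("status"),          # queued | in_progress | completed
                "conclusion": run.get("conclusion"),  # None until status == completed
                "details_url": run.get("details_url"),
            }
    return summary


def gate_decision(summary: dict) -> str:
    """Decide what a merge gate should do with the current check state.

    "missing": a RunSafe check was never created on this commit.
    "fail":    a check completed with a conclusion other than success
               (reported before waiting, so a gate can fail early).
    "wait":    a check is queued or in progress, e.g. a compliance check
               still waiting for SBOM data.
    "pass":    all three checks completed with conclusion success.
    """
    if any(summary.get(name) is None for name in RUNSAFE_CHECKS):
        return "missing"
    runs = [summary[name] for name in RUNSAFE_CHECKS]
    if any(r["status"] == "completed" and r["conclusion"] != "success" for r in runs):
        return "fail"
    if any(r["status"] != "completed" for r in runs):
        return "wait"
    return "pass"


if __name__ == "__main__":
    summary = summarize_runsafe_checks(SAMPLE_RESPONSE)
    for name, run in summary.items():
        state = "not created" if run is None else f"{run['status']} / {run['conclusion']}"
        print(f"{name}: {state}")
    print("gate:", gate_decision(summary))
```

Treating an absent check run as "missing" rather than as a pass matters: if the GitHub App is not installed on a repository, none of the three checks is created, and a gate that only looked for failures would let the commit through.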

No Buildtime SBOMs action

Some repositories only produce runtime SBOMs or otherwise do not need buildtime SBOMs for a particular GitHub workflow. If the RunSafe SBOMs check is waiting for buildtime SBOMs that will not be produced, use the No Buildtime SBOMs action in the GitHub check run. This tells the Platform that no buildtime SBOMs are expected for that commit, so the SBOM and compliance checks can continue based on the SBOMs that were generated.

Only use this action when you know the workflow is not expected to produce buildtime SBOMs. If buildtime SBOM generation should have happened, review the workflow configuration instead.