
# Deploy Endor Labs GitHub App

> Learn how to continuously monitor your environment with the Endor Labs GitHub App.

Endor Labs provides a GitHub App that continuously monitors users' projects for security and operational risk. You can use the GitHub App to selectively scan your repositories for SCA, secrets, RSPM, or GitHub Actions. GitHub App scans also establish baselines that are subsequently used during CI scans.

The Endor Labs GitHub App scans your repositories every 24 hours and reports new findings or changes to your code's release versions. It also performs RSPM scans weekly on Sundays to manage your repository's posture. See [Scan with GitHub App](/setup-deployment/scm-integrations/github-app-pro/scan-with-githubapp) for more information. You can also manually trigger scans for your repositories. See [Re-scan projects](/setup-deployment/scm-integrations/github-app-pro/re-scan-projects) for more information. After you install the GitHub App, you can make further changes to the settings. See [Manage GitHub App](/setup-deployment/scm-integrations/github-app-pro/github-app/manage-github-app) for more information. Review the technical limitations of the GitHub App so that you can use it to its full potential. See [Technical limitations of the Endor Labs GitHub App](/setup-deployment/scm-integrations/github-app-pro/technical-limitations) for more information.

If you want to use PR remediations as part of your monitoring scan or need to export your findings to GitHub Advanced Security, you need to use [GitHub App (Pro)](/setup-deployment/scm-integrations/github-app-pro).

If you are using GitHub Enterprise Server, you can use the [GitHub Enterprise Server App](/setup-deployment/scm-integrations/github-app-pro/github-enterprise-app) to continuously monitor your environment.

<Warning>
  You cannot have both GitHub App and GitHub App (Pro) simultaneously in your environment. If you are currently using the standard GitHub App, you can migrate to GitHub App (Pro). When migrating from one app to the other, ensure you select the same set of repositories as before to preserve your currently scanned projects and findings after the migration.
</Warning>

## Default branch detection

When Endor Labs scans a repository for the first time, it detects the default branch of the repository. The findings that are created in the scan are associated with the default branch.

### Changing the default branch

When you change the default branch in your source control system (for example, from `main` to `dev`):

* Endor Labs automatically detects the new default branch and sets that as the default reference
* The previous default branch becomes a reference branch
* Scans continue on the new default branch and the reference branch

The findings associated with the previous default branch are no longer shown in the default branch context. You can view them in the reference branch context.

### Renaming the default branch

When you rename the default branch in your source control system:

* Endor Labs automatically switches to the renamed branch
* Scans continue without disruption

### Adding repository versions

When you add a new repository version (for example, a `dev` branch), both the default branch and the new version are scanned by the Endor Labs App.

### Control default branch detection

You can control the default branch detection by setting the `ENDOR_SCAN_TRACK_DEFAULT_BRANCH` environment variable in a scan profile. You need to configure the project to use the scan profile. See [Configure scan profiles](/scan/scan-profiles) for more information.

By default, the environment variable is set to `true`. When set to `true`, default branch detection is enabled, and the first branch you scan is automatically considered the default branch.

## Prerequisites for GitHub App

Before installing and scanning projects with Endor Labs GitHub App, make sure you have:

* A GitHub cloud account and organization. If you don't have one, create one at [GitHub](https://www.github.com).
* Administrative permissions to your GitHub organization. Installing the Endor Labs GitHub App in your organization requires approval or permissions from your GitHub organizational administrator. If you don't have the permissions, use the command line utility, `endorctl`, while you wait for the approval.
* The Endor Labs GitHub App requires:
  * Read permissions to Dependabot alerts, actions, administration, code, commit statuses, issues, metadata, packages, repository hooks, and security events.
  * Write permissions to checks and pull requests, so that it can check pull requests automatically and surface policy violations to developers as pull request comments.
  * Subscriptions to check run, check suite, and pull request events.

## Install the GitHub App

To automatically scan repositories using the GitHub App:

1. Select **Projects** from the left sidebar.

2. Click **Add Project**.

3. Under **Namespace**, select the Endor Labs namespace for this installation.

   <Note>
     We recommend you use a [child namespace](/platform-administration/namespaces) for better organization of your projects.
   </Note>

4. From **GitHub**, choose **GitHub Cloud App**.
   <img src="https://mintcdn.com/endorlabs-b4795f4f/cDcYvySJFrudaC_F/images/setup-deployment/scm-integrations/github/github-app-install.webp?fit=max&auto=format&n=cDcYvySJFrudaC_F&q=85&s=84a167ee1afd7b31a1f0be9ee9b560a5" alt="Install Endor Labs GitHub App" style={{width: '40%'}} width="1008" height="1202" data-path="images/setup-deployment/scm-integrations/github/github-app-install.webp" />

5. Click **Install GitHub App**.

   You will be redirected to GitHub to install the GitHub App.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/cDcYvySJFrudaC_F/images/setup-deployment/scm-integrations/github/githubappendorlabs.webp?fit=max&auto=format&n=cDcYvySJFrudaC_F&q=85&s=3ca2937f676383cf87a9b4dcbe48a1c3" alt="Endor Labs GitHub App" style={{width: '40%'}} width="1086" height="980" data-path="images/setup-deployment/scm-integrations/github/githubappendorlabs.webp" />

6. Click **Install**.

7. Select a user to authorize the app.

8. Select the organization in which you want to install the app.

9. Select whether to install and authorize Endor Labs on all your repositories or select the specific repositories that you wish to scan.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/cDcYvySJFrudaC_F/images/setup-deployment/scm-integrations/github/authorize-githubapp.webp?fit=max&auto=format&n=cDcYvySJFrudaC_F&q=85&s=93baa4648aeef909c0367dceee72922d" alt="Choose Repositories" style={{width: '30%'}} width="394" height="712" data-path="images/setup-deployment/scm-integrations/github/authorize-githubapp.webp" />

10. Review the permissions required for Endor Labs and click **Install and Authorize**.

    <Note>
      If the button to install says **Install and Request** instead of **Install and Authorize**, you don't have permission to install the GitHub App. Use the [endorctl command line interface](/introduction/getting-started#quick-start-with-endorctl) or select **Install and Request** to notify your organizational administrator of your request to install. If you select **Install and Request**, your installation will not be active until your organizational administrator approves the request to install the GitHub App.
    </Note>

11. Based on your license, select and enable the scanners.

    * **SCA**: Perform software composition analysis and discover AI models used in your repository.
    * **RSPM**: Scan the repository for misconfigurations. RSPM scans run every week on Sundays.
    * **Secret**: Scan the repository for exposed secrets.
    * **GitHub Actions**: Scan the repository and identify all the GitHub Actions workflows used in the repository.
    * **SAST**: Scan your source code for weaknesses and generate SAST findings.

    <img src="https://mintcdn.com/endorlabs-b4795f4f/cDcYvySJFrudaC_F/images/setup-deployment/scm-integrations/github/github-scanner-types.webp?fit=max&auto=format&n=cDcYvySJFrudaC_F&q=85&s=12a95a9875cbb06f311ed4f29d8fc686" alt="Choose scanner types" style={{width: '45%'}} width="1014" height="1420" data-path="images/setup-deployment/scm-integrations/github/github-scanner-types.webp" />

12. Optionally, you can continue to [Configure GitHub App PR scans](#configure-pr-scans-during-github-app-installation) to scan your pull requests. You can also enable PR scans later by [editing the GitHub App integration](#configure-pr-scans-for-existing-github-app-integrations).

13. Select **Include Archived Repositories** to scan your archived repositories. By default, archived GitHub repositories aren't scanned.

14. Click **Start Scanning Repositories**.

### Configure PR scans during GitHub App installation

After you complete the initial [installation of the GitHub App](#install-the-github-app) in Endor Labs, you can configure PR scans. At this point, the GitHub App will be operational.

You can also choose to apply PR scans to specific projects rather than all the projects in the organization through a scan profile. See [Scan profiles for PR scans](/scan/pr-scans#scan-profiles-for-pr-scans) for more information.

1. Select **Pull Request Settings** and toggle on **Enable Pull Request scans** to enable automatic scanning of PRs submitted by users.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/cDcYvySJFrudaC_F/images/setup-deployment/scm-integrations/github/github-app-pr.webp?fit=max&auto=format&n=cDcYvySJFrudaC_F&q=85&s=c7b74cf390233997a152f531b2fed08d" alt="Pull request configurations in GitHub App" style={{ width: '60%' }} width="778" height="778" data-path="images/setup-deployment/scm-integrations/github/github-app-pr.webp" />

2. Optionally, toggle on **Post comments on Pull Requests** to allow Endor Labs to comment on PRs for policy violations.

   When you enable PR comments, Endor Labs will post a comment on the pull request if any issues are detected during the PR scan. You need to set up PR comments in Endor Labs to receive the comments. See [PR comments](/scan/pr-scans/pr-comments) for more information.

3. By default, PR scans skip reachability analysis for faster results. Under **Advanced Options**, toggle on **Enable Full scan with reachability** when you want reachability analysis and call graph generation for supported languages.

4. Select **Save PR Settings** to save the configuration.

### Configure PR scans for existing GitHub App integrations

You can configure PR scans for an existing GitHub App integration, or enable them after installation, from the integration settings.

1. Select **User menu** > **Integrations** from the left sidebar.

2. Click **Manage** next to **GitHub** under **Source Control Managers**.

3. Click the vertical three dots next to the GitHub App integration that you want to update.

4. Select **Edit Integration**.

5. Select **Pull Request Settings**.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/cDcYvySJFrudaC_F/images/setup-deployment/scm-integrations/github/github-app-pr.webp?fit=max&auto=format&n=cDcYvySJFrudaC_F&q=85&s=c7b74cf390233997a152f531b2fed08d" alt="Edit GitHub App PR settings" style={{ width: '60%' }} width="778" height="778" data-path="images/setup-deployment/scm-integrations/github/github-app-pr.webp" />

6. Toggle on **Enable Pull Request Scans** to enable PR scans.

7. Optionally, toggle on **Post comments on Pull Requests** to allow Endor Labs to comment on PRs for policy violations.

8. Optionally, toggle on **Enable Full scan with reachability** when you want reachability analysis and call graph generation for supported languages.

9. Click **Save PR Settings** to save the changes. The changes are applied from the next scanning cycle.

   <Note>
     Click **Rescan Org** after editing the integration to apply changes immediately instead of waiting for the next scheduled scan.
   </Note>

## Set up package repositories

You can improve your experience with the GitHub App by setting up package repositories. This helps you create a complete bill of materials and perform static analysis. Without setting up package repositories, you may not get an accurate bill of materials. See [Set up package manager integration](/integrations/package-managers) for more information.
