Overview
ZeroPath connects to self-hosted GitHub Enterprise Server (GHES) instances through a GitHub App that you create on your own instance. Once connected, you can import repositories, run full scans, scan pull requests, post status checks and inline comments, open patch pull requests for validated findings, and view dependency findings on the Supply Chain dashboard. These are the same capabilities ZeroPath provides for GitHub.com. The connection is set up with GitHub’s App Manifest flow: you enter your instance’s URL in ZeroPath, review the app on your instance, and confirm its creation. ZeroPath receives the app’s credentials from your instance, stores them encrypted, and installs the app on the organizations you choose. You never copy a client secret or private key by hand.Prerequisites
- A ZeroPath organization where you can create VCS installations and repositories.
- A GitHub Enterprise Server instance that is:
- reachable from ZeroPath over HTTPS (plain HTTP is rejected), and
- resolvable through public DNS.
- Permission on the instance to create a GitHub App (via the App Manifest flow) and to install the app on the target organization. If you cannot install apps directly, your installation request is sent to an organization owner for approval.
- The ability to update your network allowlist / firewall so ZeroPath’s egress IPs can reach your instance, and so your instance can deliver webhooks back to ZeroPath. See Network and firewall.
Connect GitHub Enterprise Server
Open the GitHub Enterprise Server setup
Allow ZeroPath through your firewall
Enter your instance URL
https://github.your-company.com. The URL
must be an HTTPS origin that resolves over public DNS. ZeroPath rejects github.com and its
aliases, as well as hosts that resolve to private, loopback, or link-local addresses.Choose how ZeroPath trusts your TLS certificate
- Publicly-trusted certificate - the default. You do not need to provide anything else.
- Internal / self-signed - paste or upload your CA bundle in PEM format. ZeroPath stores it encrypted and uses it only to verify TLS for your instance. ZeroPath always verifies certificates; it never disables validation.
Create the app on your instance
zeropath-scanner GitHub App. Review the requested permissions and events (see
What the app can access), then confirm Create GitHub App.Install the app on your organization
Wait for sync
What the app can access
ZeroPath creates the app with the same permission and event set as its first-party GitHub App, so scanning behaves identically across GitHub.com and GitHub Enterprise Server. The app requests these permissions:| Permission | Access | Why |
|---|---|---|
| Metadata | Read | Baseline repository access |
| Contents | Write | Clone code; push patch branches |
| Pull requests | Write | Scan PRs, post comments, open patch PRs |
| Checks | Write | Post PR status checks |
| Issues | Write | Issue-based workflows and comments |
| Administration | Read | Enumerate repositories in an organization |
| Members | Read | Resolve organization membership |
| Merge queues | Read | Required to receive merge_group webhooks |
| Organization & repository custom properties / roles | Read | Repository classification and routing |
push, pull_request, pull_request_review,
pull_request_review_comment, pull_request_review_thread, issues, issue_comment,
merge_group, member, membership, organization, repository, team, team_add, and
custom_property_values.
Network and firewall
The connection needs traffic in both directions:- ZeroPath to your instance (outbound from ZeroPath). ZeroPath calls your instance’s REST and
GraphQL APIs (under
https://<your-host>/api/v3andhttps://<your-host>/api), clones repositories, and completes the manifest and OAuth handshakes. All of this originates from ZeroPath’s egress IPs shown in the setup dialog. Allowlist them on your instance’s firewall. - Your instance to ZeroPath (inbound to ZeroPath). Your instance delivers webhook events to ZeroPath’s public endpoint. Your instance must be able to reach ZeroPath over the public internet for PR scans and repository updates to trigger.
TLS certificates
If your instance presents a publicly-trusted certificate, no extra configuration is needed. If it uses an internal or self-signed certificate, provide the CA bundle (PEM) during setup. ZeroPath stores the bundle encrypted and trusts it only for connections to your instance. It does not alter any global trust store, and certificate verification stays enabled throughout.Repository imports
ZeroPath discovers repositories from the organizations where the app is installed. Import them the same way as other providers:- Single repository - select one repository and add it.
- Selected batch - select multiple repositories and import them together.
- Add all - import every accessible repository at once.
PR scanning
When a pull request is opened or updated on a connected repository, your instance delivers a webhook to ZeroPath, which schedules a PR scan against the changed files. Results can include:- A ZeroPath status check on the pull request.
- Inline review comments on affected diff lines.
- A PR summary comment with the scan result.
- Automatic resolution of stale comment threads when findings are fixed or triaged.
Patch pull requests
When a finding is eligible for an automatic fix, ZeroPath can open a pull request on your instance using the same patch workflow as other providers:- Generate a patch branch.
- Commit the fix with the standard ZeroPath commit-message convention.
- Open a pull request targeting the original branch.
- Add summary context and link the patch PR back to the finding in ZeroPath.
Multiple organizations and reconnecting
- Multiple organizations on one instance - the
zeropath-scannerapp is installable across organizations on your instance. Install it on each organization whose repositories you want to scan. - Reconnecting - if you start setup again for an instance ZeroPath has already registered, it skips app creation and sends you straight to the installation page. If the previous app was deleted on your instance, ZeroPath registers a fresh one.
Troubleshooting
ZeroPath rejects my instance URL
ZeroPath rejects my instance URL
github.com and its aliases are rejected, as
are hosts that resolve to private, loopback, link-local, or carrier-grade-NAT addresses. Confirm
your instance has a public DNS name and a reachable HTTPS endpoint.TLS / certificate errors during setup
TLS / certificate errors during setup
The app was created but no repositories appear
The app was created but no repositories appear
'Create GitHub App' fails or the flow times out
'Create GitHub App' fails or the flow times out
PR scans or repository updates do not trigger
PR scans or repository updates do not trigger
Statuses, comments, or patch PRs do not appear
Statuses, comments, or patch PRs do not appear
Operational notes
- Disconnecting a GHES installation stops new scans from being scheduled for that connection and removes the repositories linked through it. Repositories protected by researcher mode are retained until researcher mode is disabled.
- If you add new organizations after setup, install the app on them so ZeroPath can discover their repositories.
- GHES apps and credentials are scoped per instance and stored encrypted; connecting or disconnecting one instance does not affect any other instance or your GitHub.com connection.