Skip to main content

Overview

ZeroPath connects to self-hosted GitHub Enterprise Server (GHES) instances through a GitHub App that you create on your own instance. Once connected, you can import repositories, run full scans, scan pull requests, post status checks and inline comments, open patch pull requests for validated findings, and view dependency findings on the Supply Chain dashboard. These are the same capabilities ZeroPath provides for GitHub.com. The connection is set up with GitHub’s App Manifest flow: you enter your instance’s URL in ZeroPath, review the app on your instance, and confirm its creation. ZeroPath receives the app’s credentials from your instance, stores them encrypted, and installs the app on the organizations you choose. You never copy a client secret or private key by hand.
GHES apps are isolated per instance. Each instance you connect gets its own app registration and its own encrypted credentials, so connecting one instance never affects another, and it never touches your GitHub.com connection.

Prerequisites

  • A ZeroPath organization where you can create VCS installations and repositories.
  • A GitHub Enterprise Server instance that is:
    • reachable from ZeroPath over HTTPS (plain HTTP is rejected), and
    • resolvable through public DNS.
  • Permission on the instance to create a GitHub App (via the App Manifest flow) and to install the app on the target organization. If you cannot install apps directly, your installation request is sent to an organization owner for approval.
  • The ability to update your network allowlist / firewall so ZeroPath’s egress IPs can reach your instance, and so your instance can deliver webhooks back to ZeroPath. See Network and firewall.

Connect GitHub Enterprise Server

1

Open the GitHub Enterprise Server setup

In ZeroPath, go to Add Repositories, select the GitHub Enterprise Server tab, and open the setup dialog.
2

Allow ZeroPath through your firewall

The setup dialog lists ZeroPath’s egress source IPs. Add them to your network allowlist so ZeroPath can reach your instance’s REST/GraphQL API, clone repositories, and so your instance can deliver webhooks to ZeroPath.
If the egress IP list is not shown in your environment, contact ZeroPath support for the current source IPs before continuing.
3

Enter your instance URL

Enter your GitHub Enterprise Server URL, for example https://github.your-company.com. The URL must be an HTTPS origin that resolves over public DNS. ZeroPath rejects github.com and its aliases, as well as hosts that resolve to private, loopback, or link-local addresses.
4

Choose how ZeroPath trusts your TLS certificate

  • Publicly-trusted certificate - the default. You do not need to provide anything else.
  • Internal / self-signed - paste or upload your CA bundle in PEM format. ZeroPath stores it encrypted and uses it only to verify TLS for your instance. ZeroPath always verifies certificates; it never disables validation.
5

Create the app on your instance

Click Create app on your GitHub Enterprise. ZeroPath sends you to your instance to create the zeropath-scanner GitHub App. Review the requested permissions and events (see What the app can access), then confirm Create GitHub App.
GitHub’s manifest handshake is valid for one hour and can be used once. If you wait too long or navigate away, restart the flow from the setup dialog.
6

Install the app on your organization

After the app is created, ZeroPath sends you to your instance’s app installation page. Select the organization whose repositories you want to scan and approve the installation.
If you do not have permission to install the app, your request is sent to an organization owner for approval. Repositories appear once the owner approves it.
7

Wait for sync

You are redirected back to ZeroPath, and your GHES repositories begin syncing. They appear under Accessible repositories once ready.
8

Add repositories

Select which repositories to add to ZeroPath, or click Add All.

What the app can access

ZeroPath creates the app with the same permission and event set as its first-party GitHub App, so scanning behaves identically across GitHub.com and GitHub Enterprise Server. The app requests these permissions:
PermissionAccessWhy
MetadataReadBaseline repository access
ContentsWriteClone code; push patch branches
Pull requestsWriteScan PRs, post comments, open patch PRs
ChecksWritePost PR status checks
IssuesWriteIssue-based workflows and comments
AdministrationReadEnumerate repositories in an organization
MembersReadResolve organization membership
Merge queuesReadRequired to receive merge_group webhooks
Organization & repository custom properties / rolesReadRepository classification and routing
The app subscribes to these webhook events: push, pull_request, pull_request_review, pull_request_review_comment, pull_request_review_thread, issues, issue_comment, merge_group, member, membership, organization, repository, team, team_add, and custom_property_values.

Network and firewall

The connection needs traffic in both directions:
  • ZeroPath to your instance (outbound from ZeroPath). ZeroPath calls your instance’s REST and GraphQL APIs (under https://<your-host>/api/v3 and https://<your-host>/api), clones repositories, and completes the manifest and OAuth handshakes. All of this originates from ZeroPath’s egress IPs shown in the setup dialog. Allowlist them on your instance’s firewall.
  • Your instance to ZeroPath (inbound to ZeroPath). Your instance delivers webhook events to ZeroPath’s public endpoint. Your instance must be able to reach ZeroPath over the public internet for PR scans and repository updates to trigger.
ZeroPath must reach your instance over HTTPS at a publicly-resolvable DNS name. Instances that are only reachable on a private network, or whose hostname resolves to a private or loopback address, cannot be connected. This is enforced as an anti-SSRF safeguard.

TLS certificates

If your instance presents a publicly-trusted certificate, no extra configuration is needed. If it uses an internal or self-signed certificate, provide the CA bundle (PEM) during setup. ZeroPath stores the bundle encrypted and trusts it only for connections to your instance. It does not alter any global trust store, and certificate verification stays enabled throughout.

Repository imports

ZeroPath discovers repositories from the organizations where the app is installed. Import them the same way as other providers:
  • Single repository - select one repository and add it.
  • Selected batch - select multiple repositories and import them together.
  • Add all - import every accessible repository at once.
Imported repositories receive the same default scanner settings, tags, repository limits, audit events, and repository-added notifications as other supported VCS providers.

PR scanning

When a pull request is opened or updated on a connected repository, your instance delivers a webhook to ZeroPath, which schedules a PR scan against the changed files. Results can include:
  • A ZeroPath status check on the pull request.
  • Inline review comments on affected diff lines.
  • A PR summary comment with the scan result.
  • Automatic resolution of stale comment threads when findings are fixed or triaged.
Bot commands work on GHES pull request comments the same way they do on GitHub.com.

Patch pull requests

When a finding is eligible for an automatic fix, ZeroPath can open a pull request on your instance using the same patch workflow as other providers:
  • Generate a patch branch.
  • Commit the fix with the standard ZeroPath commit-message convention.
  • Open a pull request targeting the original branch.
  • Add summary context and link the patch PR back to the finding in ZeroPath.

Multiple organizations and reconnecting

  • Multiple organizations on one instance - the zeropath-scanner app is installable across organizations on your instance. Install it on each organization whose repositories you want to scan.
  • Reconnecting - if you start setup again for an instance ZeroPath has already registered, it skips app creation and sends you straight to the installation page. If the previous app was deleted on your instance, ZeroPath registers a fresh one.

Troubleshooting

The URL must be HTTPS and resolve over public DNS. github.com and its aliases are rejected, as are hosts that resolve to private, loopback, link-local, or carrier-grade-NAT addresses. Confirm your instance has a public DNS name and a reachable HTTPS endpoint.
If your instance uses an internal or self-signed certificate, choose Internal / self-signed and provide the full CA chain in PEM format. A partial chain (missing intermediates) is the most common cause of verification failures.
The app must be installed on an organization, not just created. Finish the installation step and select the target organization. If you lack install permission, an organization owner must approve the pending request before repositories sync.
GitHub’s manifest handshake expires one hour after it starts and is single-use. Restart setup from the GitHub Enterprise Server tab to get a fresh handshake.
Webhook events are delivered from your instance to ZeroPath’s public endpoint. Confirm your instance can reach the public internet and that no egress firewall is blocking webhook delivery. Also confirm PR scanning is enabled in ZeroPath repository settings.
These require the app’s write permissions (checks, pull requests, contents) to remain granted on the target organization. Confirm the installation still holds those permissions, and that branch protection rules on your instance are not blocking automated branch updates.

Operational notes

  • Disconnecting a GHES installation stops new scans from being scheduled for that connection and removes the repositories linked through it. Repositories protected by researcher mode are retained until researcher mode is disabled.
  • If you add new organizations after setup, install the app on them so ZeroPath can discover their repositories.
  • GHES apps and credentials are scoped per instance and stored encrypted; connecting or disconnecting one instance does not affect any other instance or your GitHub.com connection.