Git Platform Integrations
Git integrations connect your GitHub or GitLab repositories to Intentra, enriching scan data with PR links, review status, and compliance evidence. This lets you trace AI-assisted code changes back to their pull requests and verify that proper review processes were followed.
Integrations are available on Enterprise plans.
What Integrations Do
When a repository is linked, Intentra matches scans to repositories using a privacy-preserving hash of the git remote URL. For matched scans, Intentra enriches the scan detail with:
- PR link — direct link to the pull request associated with the branch
- Review status — whether the PR has been reviewed and approved
- Repo visibility — public, private, or internal
Intentra does not store raw source code. When Code Graph is enabled, source files are accessed for AST parsing but only structural metadata (function names, file paths, relationships) is persisted. Repository metadata and pull request status are read via the integration.
GitHub
GitHub App (Recommended)
The GitHub App is the recommended way to connect GitHub. It provides:
- Organization-scoped access — installed at the org level, not tied to individual accounts
- Isolated API rate limits — 5,000 requests/hour per installation, separate from personal rate limits
- Survives team changes — access is not lost when the person who set it up leaves
Required Permissions
| Permission | Access | Why |
|---|---|---|
| Metadata | Read-only | List repositories and basic repo info |
| Pull requests | Read-only | Match branches to PRs and read review status |
| Contents | Read-only | Enables diff statistics (additions, deletions, files changed) for merged PRs |
Setup
- Go to Settings > Integrations and click Connect with GitHub App
- You will be redirected to GitHub to install the Intentra app on your organization
- Select which repositories to grant access to (or all repositories)
- Click Install — you will be redirected back to Intentra automatically
Fine-Grained Personal Access Token (PAT)
Use a PAT when GitHub Apps cannot be installed (e.g., policy restrictions).
Required Permissions
| Permission | Access | Why |
|---|---|---|
| Metadata | Read-only | List repositories and basic repo info |
| Pull requests | Read-only | Match branches to PRs and read review status |
| Contents | Read-only | Enables diff statistics (additions, deletions, files changed) for merged PRs |
Setup
- Go to GitHub Settings > Developer settings > Fine-grained tokens
- Click Generate new token
- Set a descriptive name (e.g., "Intentra integration")
- Select your organization under Resource owner
- Under Repository access, choose the repositories to grant access to
- Under Permissions > Repository permissions, set:
- Metadata: Read-only
- Pull requests: Read-only
- Contents: Read-only
- Click Generate token and copy it
- In Intentra, go to Settings > Integrations, click Connect with Token, and paste the token
GitLab
Access Token (Personal, Group, or Project)
Access tokens work for both GitLab.com (SaaS) and self-hosted GitLab instances.
Required Scope
| Scope | Why |
|---|---|
| read_api | List projects, read merge request metadata |
Setup
- In GitLab, go to Settings > Access Tokens (User, Group, or Project level)
- Create a token with the
read_apiscope - In Intentra, go to Settings > Integrations, click Connect with Token on the GitLab card
- For self-hosted GitLab, enter your instance URL first (e.g.,
https://gitlab.example.com) - Paste the token and click Connect
OAuth 2.0
OAuth is available for GitLab.com. It provides automatic token refresh so credentials don't expire.
Required Scope
| Scope | Why |
|---|---|
| read_api | List projects, read merge request metadata |
Self-Hosted GitLab
For self-hosted instances:
- HTTPS only — HTTP connections are not supported
- Ports 443 or 8443 — other ports are blocked for security
- Public DNS required — the instance must be reachable from Intentra's servers (no private IPs or localhost)
Linking Repositories
After connecting a platform, click Manage Repos to select which repositories to link. Only linked repositories will have their scans enriched with git context.
You can link up to 500 repositories per integration. Repositories are matched to scans using an HMAC-SHA256 hash of the canonicalized git remote URL. The web URL (e.g., https://github.com/org/repo) is stored for display purposes, but the original clone URL is only stored in hashed form.
What Data Is Accessed
| Data | Accessed | Stored |
|---|---|---|
| Repository list and metadata | Yes | Cached (name, visibility, default branch) |
| Pull request metadata | Yes | Cached (PR number, state, review status, branch) |
| PR titles | On-demand only | Not stored |
| Source code | AST parsing only (Code Graph) | Never |
| Commit contents | Never | Never |
| Author names/emails | Hashed only | HMAC hash for matching |
Disconnecting
To disconnect an integration:
- Go to Settings > Integrations
- Click Disconnect on the integration card
- Confirm the action
Disconnecting will:
- Revoke the access token or uninstall the GitHub App
- Delete all cached repository data and PR metadata
- Remove git enrichment from future scans (existing scan data is preserved)
This action cannot be undone. You can reconnect at any time by setting up a new integration.
Troubleshooting
"Authentication expired" / Needs Reconnect
The token has been revoked or expired. Click Disconnect and set up a new integration.
Repos not showing in Manage Repos
- Verify the token has access to the repositories you expect
- For GitHub PATs, ensure the token's Resource owner is set to the correct organization
- For GitLab, ensure the token has
read_apiscope
Scans not enriched with PR data
- Verify the repository is linked (check mark in Manage Repos)
- The scan's git remote URL must match a linked repository
- PR data refreshes every sync cycle (the scheduler runs every 15 minutes)
Self-hosted GitLab connection fails
- Confirm the instance uses HTTPS on port 443 or 8443
- Ensure the instance is reachable from the public internet
- Check that the token has not expired