Projects and source control

Use Projects to connect your code hosts and work with repositories at organization scope. Provider-specific setup lives under Settings → Integrations.

[Image: Projects list with Quick Connect and connected repositories]

Use Connect Projects (or the Quick Connect cards) to add GitHub or GitLab; the table lists connected repositories and enabled features.

Supported connections

The Platform supports GitHub and GitLab for connecting repositories and configuring how runs are associated with your projects. Additional project types will be added as product capabilities evolve.

Typical workflow

  1. Open Projects for your organization.
  2. Use the connect flow to link GitHub or GitLab (OAuth, API token, or app install, depending on provider).
  3. Choose repositories and configure options in the integration screens.
  4. Follow the Post-configuration steps.
  5. Open a project and select a git ref to view SBOMs, vulnerabilities, and license compliance for that ref.

Integrations vs. Projects

  • Settings → Integrations — Install or update the provider integration, manage OAuth or GitHub App installation, and configure repository-level options.
  • Projects — List connected work, jump into a project, and open git ref-scoped views.

For policy settings that apply across the org (for example, when pipelines should fail on certain vulnerabilities), see Vulnerability compliance and Integrations.

Post-configuration steps

After configuring a project, some follow-up steps might be necessary, depending on the project type. If the changes described below are ever removed manually, the RunSafe integration will break, and the changes must be reintroduced either by reconfiguring the project or by following the manual steps described in each section.

GitLab

By default, newly configured GitLab projects have a merge request created, which must be merged into the default branch to start seeing full RunSafe protections. If you are configuring a C++ project, a manual step is required; it is detailed as a thread in the MR. If the project includes Docker/Podman image manipulation (push/pull/build/tag), the created MR automatically includes the steps necessary to integrate Docker SBOM generation.

It is possible to disable the MR creation under your organization settings, which can be useful for cases like having a centralized CI template for builds.

GitHub

Newly configured GitHub projects will have an issue created which details the manual steps necessary for finalizing C/C++ integrations.