Source Code Integration FAQ

Answers to frequently asked questions about connecting source code repositories to Safeguard.sh.

General Questions

What source code platforms are supported?

Safeguard.sh supports:

GitHub (Cloud and Enterprise)
GitLab (Cloud and Self-Managed)
Bitbucket (Cloud and Server)
Azure Repos (Cloud and Server)
Generic Git repositories (any Git URL)

Can I connect multiple repositories at once?

Yes. When configuring a private integration, you can select multiple repositories from your organization after authenticating. Each repository becomes a separate project in Safeguard.sh.

Do I need to install anything in my repository?

No. Safeguard.sh clones your repository securely to generate SBOMs. No webhooks, apps, or files need to be added to your repository (though you can optionally configure webhooks for automatic scanning).

How often are repositories scanned?

By default, repositories are scanned:

On initial connection - Full scan
Daily - Continuous monitoring for new vulnerabilities
On webhook trigger - If webhooks are configured
Manual - When you request a rescan

Authentication

What permissions do I need to grant?

Platform	Required Permissions
GitHub	`repo` (read) for private repos, none for public
GitLab	`read_repository` scope
Bitbucket	Repository Read permission
Azure Repos	Code Read scope

Are my credentials stored securely?

Yes. All credentials are:

Encrypted at rest using AES-256
Never logged or displayed after initial entry
Stored in isolated, secure vaults
Accessible only to your organization

Can I use deploy keys instead of personal tokens?

Currently, Safeguard.sh requires personal access tokens or app credentials for authentication. Deploy keys are not supported because they don't provide the ability to list repositories.

My token expired. What happens?

When a token expires:

Scheduled scans will fail
You'll receive a notification
Existing SBOMs remain available
Update your credentials in Integrations → Edit Configuration

Repository Access

Can I scan private repositories?

Yes. Private repositories require authentication:

Select the Private tab when configuring
Enter your access token or credentials
Verify the connection
Select which private repos to scan

Can I limit which branches are scanned?

Yes. When configuring a repository, you can specify:

A single branch (e.g., main)
Multiple branches (e.g., main, develop)
Tags (e.g., v1.0.0)
All branches

How do I scan a specific tag or release?

When adding or editing a project configuration:

In the Branch/Tag field, enter the tag name (e.g., v1.2.3)
Safeguard.sh will scan that specific tag
Create separate projects for different versions if needed

Can I exclude certain files or directories from scanning?

Yes. Create a .safeguardignore file in your repository root:

# Ignore test files
test/
tests/
__tests__/

# Ignore documentation
docs/
*.md

# Ignore build artifacts
dist/
build/

Monorepos

How do I scan a monorepo?

For monorepos with multiple packages:

Option 1: Scan the entire repo

Creates one SBOM with all dependencies
Simple setup
May include development-only dependencies

Option 2: Scan specific packages

Create separate configurations for each package
Point to subdirectories (e.g., packages/app1)
More granular SBOMs

Can I scan subdirectories?

Yes. When configuring a repository, you can specify a subdirectory path:

Add the repository URL
In advanced settings, set the Root Path (e.g., packages/frontend)
Only that directory will be scanned

Scanning Behavior

What files does Safeguard.sh look for?

Safeguard.sh detects manifest files including:

Language	Files
JavaScript	`package.json`, `package-lock.json`, `yarn.lock`
Python	`requirements.txt`, `Pipfile`, `pyproject.toml`
Java	`pom.xml`, `build.gradle`
Go	`go.mod`, `go.sum`
Rust	`Cargo.toml`, `Cargo.lock`
.NET	`*.csproj`, `packages.config`
Ruby	`Gemfile`, `Gemfile.lock`
PHP	`composer.json`, `composer.lock`