Source Control Integrations
Cybrium connects to the four major source control platforms so that code analysis, secret scanning, SBOM generation, and autonomous fix workflows can operate on your repositories without a CI change.

Supported Providers
- GitHub (cloud and Enterprise Server)
- GitLab (cloud and self-managed)
- Azure Repos
- Bitbucket (cloud and Data Center)
Each provider is a separate connection; a single tenant may connect multiple instances of the same provider (for example, two distinct GitHub organizations).

OAuth versus Personal Access Token
Cybrium supports two authentication modes for every provider:
- OAuth is the recommended path. Click Connect next to a provider, sign in to the provider's consent screen, and approve the requested scopes. Cybrium never sees the user's password, and the token can be revoked at the provider without touching Cybrium. OAuth tokens are refreshed automatically and are scoped to the authorizing user — actions Cybrium takes on the repository appear attributed to that user.
- Personal Access Token (PAT) is the alternative for environments where OAuth is not available — air-gapped GitLab, locked-down Azure DevOps organizations, or service-account-only policies. Paste the token into the form, choose its scopes, and Cybrium stores it encrypted in the tenant's Vault namespace. PATs are the right choice when you want actions attributed to a dedicated bot account rather than a human.

Per-Tenant Allowances
Platform admins can restrict which providers each tenant is allowed to connect. The TenantScmAllowance matrix in the admin console controls this — a tenant on the Starter plan, for example, may be allowed GitHub Cloud but not GitHub Enterprise Server. Attempting to connect a disallowed provider surfaces a clear message and a pointer to the admin contact.
Only Tenant Admins can create, reauthorize, or delete SCM connections.

Repository Picker
Once a provider is connected, the repository picker appears anywhere a scan target is a repository — SAST scan launcher, secret scan scheduler, SBOM generator, and the chat's Scan Repository directive. The picker shows your organizations, projects, and repositories in the provider's native hierarchy, supports search and multi-select, and remembers recently used repositories per user.
Private repositories are only visible to users whose OAuth scopes or PAT scopes grant them access on the provider side; Cybrium never elevates visibility beyond what the provider allows.