Connect a repo once and Fora AI scans it on every push to the default branch — no manual uploads, no CI config files, no GitHub App to install.
Once a repo is connected, Fora AI watches for pushes to its default branch
(usually main or master). Every time you push, we pull
the latest snapshot of the repo, run it through the same scan engine as a manual
ZIP upload, and save a full report — findings, severity breakdown, and a security
score — to your dashboard.
Go to github.com/settings/tokens and generate a fine-grained token scoped to the repo you want to connect, with Contents: Read and write and Webhooks: Read and write permissions.
In your dashboard, open GitHub Integrations, enter the repo as
owner/repo, paste the token, and click Connect repo.
Fora AI verifies access and registers a push webhook on the repo for you.
The next push to the default branch — from your terminal, an IDE, or even a direct commit in the GitHub UI — triggers a scan within seconds. No extra command, no CI file to add to your repo.
Every push scan appears in two places: the GitHub Integrations page, next to the repo it belongs to, and your normal Scan History — it's treated exactly like a manually uploaded ZIP scan, so it counts toward the same plan limits and shows the same detailed report.
Click Disconnect next to any connected repo. Fora AI removes the webhook from GitHub immediately and deletes the stored token — pushes to that repo stop triggering scans right away.
No. Fora AI uses a Personal Access Token, so there's nothing to install or get organization-admin approval for — connecting a repo takes under a minute.
Only pushes to the repository's default branch (usually main or master) trigger a scan. Pushes to feature branches are ignored.
Check the webhook's Recent Deliveries tab in your GitHub repo's Settings → Webhooks. A red/failed delivery there means GitHub couldn't reach Fora AI (check the response code); no delivery at all usually means the push landed on a branch other than the default one, or the repo's free-plan scan quota is used up.
Yes — it's stored only to read the connected repo and manage its webhook, it's never displayed again after you paste it, and disconnecting the repo removes it immediately.
Head to GitHub Integrations in your dashboard and paste your token.
Start scanning free