Overview

Scrut integrates with GitHub using a secure GitHub App or OAuth connection to ingest repository metadata, user and team access, branch protection settings, and CI/CD and PR workflow evidence. It collects audit logs, pull-request reviews, and security alerts (when enabled), mapping these artifacts to compliance controls for continuous, audit-ready development governance.

Why Connect

• Provide repo access lists showing who can merge or push code
• Prove branch protections and PR reviews are enforced
• Centralize vulnerability alerts with remediation tracking for auditors

Supported Automated Tests

Scrut provides pre-built automated tests for Github. Here are a few examples of Scrut’s Github tests:

• Access reviews completed for all in-scope applications
• Github accounts associated with users
• Github accounts deprovisioned when employees leave

Supported Automated Evidence

Scrut automates the collection of some evidences for Github. Here are a few examples of Scrut’s Github-driven evidences that can be collected:

• Change Ticket
• Code Repository Branch Protection Settings
• Code Repository Server for Software Code Maintenance
• Code Review Results and Action Items
• Custom Code Review Prior Release
• Enabled Multi-Factor Authentication
• Offboarding - Logical Access & Physical Access Revocation
• Reports of User Access Reviews
• Report of Vulnerability Scan and Remediation Status
• Sample Releases - Code Requirements, Design Docs, Test Plans/Results, Approval, Release Notes
• Threat Intelligence for Information Security Threats
• VAPT (Vulnerability Assessment & Penetration Testing) reports
• User Access Approval list to Application, Infrastructure and Service