2. Connect GitHub

CredWatch can scan two GitHub sources for your account: private repos and commit history. Both use a single GitHub personal access token (PAT) that you provide.

Why we ask for your token

Using your token instead of a CredWatch-owned account means rate limits are per-account (5,000 req/hr each — they don't get pooled with other customers), audit trails in GitHub show your account, and you can revoke access in one click without contacting us.

Step 1 — Create a GitHub PAT

You have two options. Either works.

Option A: classic personal access token

  1. Go to github.com/settings/tokens/new.
  2. Note: CredWatch
  3. Expiration: 90 days (rotating quarterly is a good rhythm).
  4. Scopes:
    • repo (full — required to read private repo contents and commit patches)
    • read:org (so we can enumerate the orgs you belong to)
  5. Click Generate token and copy the ghp_… value immediately.

Option B: fine-grained personal access token

  1. Go to github.com/settings/personal-access-tokens/new.
  2. Token name: CredWatch
  3. Expiration: 90 days.
  4. Resource owner: pick the org(s) you want to scan, or "Only select repositories" for specific ones.
  5. Repository permissions:
    • Contents: Read-only
    • Metadata: Read-only (added automatically)
  6. Account permissions: nothing required.
  7. Click Generate token and copy the github_pat_… value.

Step 2 — Save it in CredWatch

  1. In the portal go to GitHub.
  2. Paste your token into Private Repository Access Token and click Save.
  3. CredWatch immediately verifies the token and enumerates the repositories your token can see.

If verification succeeds you'll see a green ● Configured badge. If you ever see a red ⚠ Decrypt Error badge — re-paste the token. (That happens if the encryption key rotates on our side.)

Step 3 — Choose what to monitor

After your repos are enumerated, go to GitHub → Repositories. You'll see every repo your token can see, with a toggle next to each.

  • Enable the toggle on each repo you want CredWatch to scan.
  • Repos count against your plan's repo limit (see signup).
  • Disabling a repo doesn't delete its findings — it just stops scanning new commits.

Start small

On Free or Starter, focus on your most sensitive repos first (infra-as-code, backend services). CredWatch finds the most leaks in repos that ship config alongside code.

Step 4 — Add custom patterns (optional)

CredWatch already detects 18+ standard secret types. If you have company-specific patterns — e.g. an internal key prefix like acme_internal_api_ — add them at Patterns → Add custom pattern.
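As an added example (not CredWatch's own code, and not its custom-pattern rule syntax), the following shows what a prefix pattern like acme_internal_api_ catches when run over a commit patch the way a commit-history scan would read it: only added lines are checked, each hit is reported with file and line number, and the matched value is redacted. The regexes and the sample diff are this example's own constructed assumptions.

```python
import re
from typing import Iterator, NamedTuple

# Constructed sample patch; the key values in it are made up for this example.
SAMPLE_PATCH = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,4 @@
 DEBUG = False
-API_KEY = None
+API_KEY = "acme_internal_api_7f3d9c2b1a4e"
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
 TIMEOUT = 30
"""

# One company-specific pattern built from the prefix in the text, plus one
# standard type. These regexes are assumptions of this example.
PATTERNS = {
    "acme-internal-api-key": re.compile(r"\bacme_internal_api_[A-Za-z0-9]{8,}\b"),
    "github-classic-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

class Finding(NamedTuple):
    pattern: str
    path: str
    line: int
    redacted: str

def redact(secret: str) -> str:
    """Keep just enough of the value to recognise its type, never the whole secret."""
    return secret[:8] + "****" if len(secret) > 8 else "****"

def scan_patch(patch: str, patterns=PATTERNS) -> Iterator[Finding]:
    """Yield matches on added lines only, with the new-file path and line number."""
    path, new_line = "", 0
    for raw in patch.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")          # new-file header
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            if m:
                new_line = int(m.group(1))             # first new-file line of hunk
        elif raw.startswith("+"):
            for name, rx in patterns.items():
                for m in rx.finditer(raw[1:]):
                    yield Finding(name, path, new_line, redact(m.group(0)))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1                              # context line: advances too
        # removed ("-") lines and other headers do not advance the new-file count

if __name__ == "__main__":
    for f in scan_patch(SAMPLE_PATCH):
        print(f"{f.pattern}: {f.path}:{f.line} -> {f.redacted}")
```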

Step 5 — Run your first scan

From the Scans page, click Run GitHub scan now. Watch the progress card update in real time. A typical 50-repo account takes 10–20 minutes for the first full scan; subsequent runs are faster because commit history is incremental.
