Guide · 2 min

Install the GitHub App

Two clicks to install. Every pull request gets an automatic security check and inline review comments on the offending lines. No workflow file, no API key, no CI config.

GitHub App vs. GitHub Action — which should I use?

Both scan PRs. The differences:

  • GitHub App — install once across all your repos. Zero config. Best for personal projects, indie shops, or anyone who wants “just turn it on.”
  • GitHub Action — drop a YAML file in each repo. More control (fail-on threshold, SARIF upload to Security tab, custom paths). Best for teams with existing CI/CD.

They're not mutually exclusive — the App is fine to install alongside an Action; you'll just see two checks on each PR. Most users start with the App and graduate to the Action when they need fail-on-severity gating.

1. Install on your account

Open the install page and pick which repositories the App can scan. You can choose All repositories or a curated Selected repositories list.

Install on GitHub →

GitHub will ask you to confirm permissions: read access to code and pull requests, write access to checks and pull-request comments. Approve and click Install.

2. Sign in to link your plan

After install, GitHub redirects you to xploitscan.com/github/setup. Sign in (or create an account) so we can match the install to your XploitScan plan. Free, Indie, Pro, and Team users all see the right rule set on every PR.

If you skip the sign-in redirect, your PRs still get scanned — just with the free 30-rule set. Sign in any time at /dashboard/github to upgrade them to Pro detection.

3. Open a test PR

Make any change on a branch and open a pull request. Within ~10 seconds you'll see:

  • An XploitScan check on the PR (Checks tab) with a severity table
  • Inline review comments on the diff for each finding, with rule ID and a fix recommendation
  • A footer line on the check showing your tier (Free / Indie / Pro)

No findings? Try adding a string like const KEY = "sk_live_51HxxYYzz..." on a branch and opening a PR. The hardcoded-secret rule should catch it.

4. (Optional) Make it a required check

In your repo, go to Settings → Branches, edit the rule for your default branch, and add XploitScan to required status checks. Now critical or high findings block the merge until they're fixed.

Troubleshooting

  • No XploitScan check appears on the PR

    Check that the PR's repo is included in the App's repo selection. From /dashboard/github click Configure repos on your installation. Also verify the PR changed at least one source file — config-only / docs-only / lockfile-only PRs are skipped.

  • Findings show but tier says “Free” even though I'm on Pro

    Your install isn't linked to your XploitScan account yet. Visit /dashboard/github while signed in — you'll see the link prompt automatically.

  • Inline comments don't appear, but the check does

    Inline comments only post on lines that are part of the PR diff. Findings on unchanged lines stay in the check summary. Also: forks of public repos can't receive comments — that's a GitHub safety restriction we can't override.

  • I want to uninstall

    From /dashboard/github click Configure repos → scroll to Danger zone → Uninstall. Or directly at github.com/settings/installations.
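To make the "inline comments only on diff lines" behaviour concrete, here is an added example (not XploitScan's own code) that walks a unified diff, tracks new-file line numbers through hunk headers, and flags added lines matching a hypothetical hardcoded-secret rule; the sample diff, the regex and the rule ID are constructed assumptions.

```python
import re

# Constructed sample diff (not from the page): one added line carries a
# Stripe-style live-key placeholder, as step 3 of the guide suggests trying.
SAMPLE_DIFF = """\
diff --git a/src/config.js b/src/config.js
--- a/src/config.js
+++ b/src/config.js
@@ -1,4 +1,5 @@
 const API_URL = "https://api.example.test";
+const KEY = "sk_live_51HxxYYzz1234567890abcdef";
 const TIMEOUT = 3000;
-const RETRIES = 3;
+const RETRIES = 5;
"""

# Hypothetical rule (assumption, not XploitScan's published rule set):
# a Stripe-style live secret key literal.
HARDCODED_SECRET = re.compile(r"sk_live_[0-9A-Za-z]{10,}")
RULE_ID = "hardcoded-secret"  # placeholder rule ID


def added_lines(diff_text):
    """Yield (path, new_file_line_number, text) for every '+' line in a unified diff."""
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            # Hunk header "@@ -old,len +new,len @@": reset the new-file line counter.
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            pass  # removed lines do not exist in the new file; counter unchanged
        elif path is not None and raw.startswith(" "):
            new_line += 1  # unchanged context line: present in the new file


def scan_diff(diff_text):
    """Return findings on added lines only, i.e. the ones an inline comment can attach to."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        if HARDCODED_SECRET.search(text):
            findings.append({"path": path, "line": line_no, "rule": RULE_ID,
                             "fix": "Move the key to an environment variable or secret store."})
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['fix']}")
```

A secret on an unchanged line never reaches `added_lines`, which is why such findings can only appear in the check summary rather than as a diff comment.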

Want stricter controls (fail-on threshold, SARIF upload to the Security tab, custom paths)?

Next: Add the GitHub Action →