prpl documentation
Set up, scan, review, and defend
This is the documentation structure. Individual guides are intentionally marked as content placeholders until their screenshot-backed instructions are authored and reviewed.
Start here
Getting started
Orient each role and route readers to the shortest successful path.
Sign in and set up your account
Cover first GitHub sign-in, account state, and where settings live.
Install the private prpl Defender GitHub App
Document the owning-account restriction, repository selection, permissions, and installation verification.
Connect GitHub authentication
Explain OAuth versus a fine-grained token, required scopes, storage, rotation, and revocation.
Connect your first repository
Take a user from authenticated GitHub access to a selected repository and ref.
Scan repositories
Prepare a repository environment
Explain how environment synthesis is triggered, what it builds, and how readiness is verified.
Run a security scan
Cover the first hunt/scan trigger, options, expected stages, and completion signals.
Add and scan more repositories
Cover adding repositories, branches/refs, repeated scans, and repository inventory behavior.
Monitor environments and scan jobs
Map job and environment states to the pages where users inspect progress, logs, and failures.
Schedule recurring scans
Cover cadence selection, pause/resume, last-run state, and schedule failures.
Review and respond
Understand findings
Explain finding groups, evidence, severity, confidence, status, occurrences, and deduplication.
Acknowledge true positives or reject false positives
Document that acknowledgement confirms a true positive and immediately starts Defend patch generation; rejection marks a false positive.
Generate and review patches with Defend
Cover acknowledgement-triggered and bundled patch generation, eligibility, progress, generated patches, and revalidation.
Review and approve a Defend pull request
Explain the two-step PR request/approval flow, GitHub review, and merge handoff.
Maintain repository knowledge
Document knowledge cards, appropriate content, lifecycle, and their effect on later scans.
Archive scans, findings, and history
Explain reversible archive controls, filters, and the boundary with deletion.
Manage your organization
Organization administrator overview
Cover mapped owners and delegated org-admins across installation, authentication, repositories, seats, and delegation.
Invite members with initial repository access
Cover pending versus active members, reserved seats, resend/expiry, and initial repository scope and roles applied on acceptance.
Assign repository access and roles
Explain scope-first repository access and the named roles that refine permitted actions.
Manage members and seats
Cover seat counts, disabling, re-enabling, removing, offboarding, and limit escalation.
Manage the private GitHub App installation
Cover the owning-account restriction, adding/removing repositories, permission changes, suspension, uninstall, and recovery.
Use the organization risk dashboard
Explain estate totals, action queue, top risks, repository posture, and threat registry.
Reference
Roles and permissions
Define site roles, mapped ownership, delegated org-admin, membership, repo access, named roles, and capability boundaries.
Scan and finding lifecycle
Provide one canonical state map from repository connection through environment, scan, review, defend, PR, and archive.
GitHub authentication and permissions reference
List GitHub App/OAuth/token permissions, why each exists, and least-privilege alternatives.
Troubleshooting
Route common install, auth, clone, environment, scan, review, defend, PR, and seat failures.