Add and scan more repositories
Cover adding repositories, branches/refs, repeated scans, and repository inventory behavior.
Outcome
You will have connected additional repositories to your Attack surface, scanned each at a pinned revision, and learned how repeat scans at new commits build fresh environments while the repository keeps one consolidated history.
Who can do it
- Customer accounts can add and scan any repository their GitHub credentials can read (and that they are authorized to analyze).
- Organization members can scan only repositories their organization owner has granted, with a seat grant or role that includes building the analysis harness. Adding a brand-new repository to an organization's estate is normally done by the owner.
- Waitlist accounts can connect GitHub access and pre-stage one repository (Save repository for launch) but cannot start scans.
- Site admins are unrestricted.
Before you begin
- GitHub access is connected, or you have a fine-grained read-only token that covers the new repository (see Connect GitHub authentication). A token saved earlier shows as GitHub token on file ✓ — you never need to re-paste it.
- Each scan pins an exact commit; know which branch, tag, or SHA you want.
- Only add repositories you are authorized to analyze.
Steps
Add a new repository
- Open Attack surface (
/byos) and click + Scan repository.The Attack surface landing header; call out the single + Scan repository button. - In the Scan a repository dialog, click Load repos
(or Refresh repos when a token is on file). Pick the repository from
the Repository picker; the Branches and
Tags selectors fill in and populate Repository URL
and Commit / ref for you. You can also paste the
Repository URL and Commit / ref directly.
The Scan a repository dialog with the repository picker and Commit / ref filled; call out the single Start scan button. - Optionally expand Scope and scan settings — a Known vulnerability description or Scope notes can focus the scan on what matters for this repository.
- Click Start scan and approve the build plan when it pauses for review (see Prepare a repository environment).
- Repeat for each repository. Every repository gets its own entry in the Attack surface inventory; open one and use the Switch repository selector to move between them.
Scan an existing repository at a new version
- Open the repository from Attack surface and click + Scan this repository.
- Click Load branches & tags, pick a branch or tag (or type a Commit / ref), and click Start scan. Your stored token is used automatically.
- Each scanned commit builds its own environment. Use the repository page's Version filter (default Latest version) to focus the tables on one environment, and the Scan filter to focus on one hunt.
Verify
- The new repository appears in the Attack surface inventory with its own scan
history, and the landing dashboard's Coverage tile counts it (repos
scanned rises once its first scan lands).
The Attack surface landing after adding a second repository; call out the newly added repository's row in the inventory. - The organization risk dashboard aggregates the latest scan of every repository you can see — new repositories join the rollup after their first completed scan.
- A repeat scan at a new ref adds a new environment under the same repository (the envs and builds counters increase; the history is consolidated, not duplicated).
Troubleshooting
“Load repos” fails or the picker is missing a repository
The token cannot see that repository. Fine-grained tokens list repositories explicitly — create or update one that includes the new repository, or use Use a different token in the dialog to paste it. See GitHub authentication and permissions reference.
The form rejects the launch with “commit (exact sha or ref) is required”
Scans pin an exact revision and never follow a moving branch tip implicitly. Fill Commit / ref with a SHA, branch, or tag.
“GitHub token auth is only supported for exact HTTPS GitHub repo URLs”
When a token is supplied, the repository URL must be the plain
https://github.com/owner/repo form — no embedded credentials, queries, or
extra path segments.
A teammate cannot see the repository you added
Repository visibility is granted per member. The organization owner must grant the repository (and a role) to that member — see Assign repository access and roles.
You are on the waitlist
You can pick your repository and click Save repository for launch; it is queued with an awaiting upgrade tag and nothing runs or is billed. Builds, hunts, and defend runs unlock when your account is upgraded.
Next steps
Put each repository on a cadence so coverage doesn't go stale: Schedule recurring scans. To keep an eye on all the builds and hunts you just launched, see Monitor environments and scan jobs.
Last verified against commit c0bf54d on 2026-07-10 · capture scenario: add-repositories