Overview

The Hopper GitHub integration connects your GitHub repositories to Hopper’s security engine via secure, read-only Git access. It performs deep static and dependency analysis to surface only exploitable vulnerabilities, not noise. Using function-level reachability, Hopper prioritizes real risk, flags license violations, and generates SBOMs — without touching your CI/CD.

Capabilities

  • Automatic repository discovery across connected GitHub organizations or user accounts
  • Agentless, read-only integration using Git over HTTPS or SSH
  • Static code and dependency analysis across direct and transitive components
  • Function-level vulnerability reachability analysis for accurate triage
  • License violation detection based on organizational policy
  • SBOM generation in SPDX and CycloneDX formats
  • Developer-ready remediation guidance, including file/function location and fix suggestions
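The reachability capability above decides whether a vulnerable function in a dependency can actually be called from the application's own entry points. The following is an added illustration of that idea, written for this page and not Hopper's code: it runs a breadth-first search over a constructed call graph (all function names and the `CVE-PLACEHOLDER-*` advisory ids are made up) and reports, for each finding, one concrete call path or the fact that no path exists.

```python
"""Function-level reachability over a call graph.

Added example (not Hopper's code): given a call graph of the application
and a set of functions known to be vulnerable (for example, from advisory data
on a dependency), decide which findings are reachable from the application's
entry points and report one concrete call path for each.
"""
from collections import deque

# Constructed sample call graph: caller -> callees.  Function names are
# hypothetical; "dep.*" stands for code in a third-party dependency.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.handle_login"],
    "app.handle_upload": ["dep.archive.extract"],
    "app.handle_login": ["dep.auth.verify_password"],
    "dep.archive.extract": ["dep.archive.write_entry"],
    "dep.archive.write_entry": [],
    "dep.auth.verify_password": [],
    "dep.yaml.load_unsafe": ["dep.yaml.construct_object"],  # never called by app
    "dep.yaml.construct_object": [],
}

# Constructed findings: vulnerable function -> placeholder advisory id.
VULNERABLE_FUNCTIONS = {
    "dep.archive.write_entry": "CVE-PLACEHOLDER-1",
    "dep.yaml.load_unsafe": "CVE-PLACEHOLDER-2",
}


def find_path(graph, start, target):
    """Return the shortest call path from start to target, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def triage(graph, entry_points, vulnerable):
    """Split findings into reachable (advisory -> call path) and unreachable."""
    reachable, unreachable = {}, []
    for func, advisory in vulnerable.items():
        for entry in entry_points:
            path = find_path(graph, entry, func)
            if path:
                reachable[advisory] = path
                break
        else:
            unreachable.append(advisory)
    return reachable, unreachable


if __name__ == "__main__":
    found, ignored = triage(CALL_GRAPH, ["app.main"], VULNERABLE_FUNCTIONS)
    for advisory, path in found.items():
        print(f"{advisory}: reachable via {' -> '.join(path)}")
    for advisory in ignored:
        print(f"{advisory}: not reachable from any entry point")
```

The caveat a reviewer should keep in mind is that "unreachable" is only as trustworthy as the call graph: edges created through dynamic dispatch, reflection, plugins or deserialization hooks are not in a purely static graph, so a finding ruled out this way is a lower-priority item, not a closed one.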

Requirements

  • Hopper account
  • GitHub or GitHub Enterprise Server account
  • Permission to install GitHub Apps

Setup Instructions

  1. Log in to the Hopper platform.
  2. Navigate to Integrations > GitHub.
  3. Install / configure Hopper’s GitHub app.
  4. Hopper will begin cloning and analyzing the repositories—no CI/CD configuration required.

Permissions

Hopper requires the following permissions:

  • Read access to repository metadata (e.g., names, branches)
  • Read access to file contents for static analysis

The integration does not:

  • Modify, write to, or delete any code or repositories
  • Require admin access or organization ownership
  • Access GitHub Actions, CI pipelines, or secrets
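The permission claims above are something an organization can verify after installation rather than take on trust. As an added example (not Hopper's code), the function below audits an installation object of the shape GitHub's REST API returns for app installations, whose `permissions` map carries permission names as keys and `read`, `write` or `admin` as values, against the read-only metadata and contents scope documented here. The two sample installation objects are constructed.

```python
"""Audit a GitHub App installation's granted permissions against what the
integration documentation says it needs.

Added example (not Hopper's code): the installation object follows the shape
returned by GitHub's REST API for app installations (its "permissions" map
keys are permission names and values are "read", "write" or "admin").  The
sample installations below are constructed; the expected permission set is
the one documented above (read access to metadata and contents).
"""

EXPECTED_PERMISSIONS = {"metadata": "read", "contents": "read"}
ESCALATED_LEVELS = {"write", "admin"}


def audit_installation(installation, expected=EXPECTED_PERMISSIONS):
    """Return a dict of findings; an empty dict means the grant matches.

    Findings:
      escalated  - permissions granted at write/admin level
      unexpected - permission names the integration was not documented to need
      missing    - documented permissions that were not granted (the
                   integration will not work, but this is not a security issue)
    """
    granted = installation.get("permissions", {})
    findings = {}
    escalated = {k: v for k, v in granted.items() if v in ESCALATED_LEVELS}
    unexpected = sorted(k for k in granted if k not in expected)
    missing = sorted(k for k in expected if k not in granted)
    if escalated:
        findings["escalated"] = escalated
    if unexpected:
        findings["unexpected"] = unexpected
    if missing:
        findings["missing"] = missing
    return findings


# Constructed samples: one matching the documented scope, one over-privileged.
GOOD_INSTALLATION = {
    "id": 1,
    "app_slug": "example-scanner",
    "repository_selection": "selected",
    "permissions": {"metadata": "read", "contents": "read"},
}
BAD_INSTALLATION = {
    "id": 2,
    "app_slug": "example-scanner",
    "repository_selection": "all",
    "permissions": {
        "metadata": "read",
        "contents": "write",   # write access contradicts a read-only integration
        "actions": "read",     # not needed by a source-analysis app
        "secrets": "read",     # not needed by a source-analysis app
    },
}


if __name__ == "__main__":
    for inst in (GOOD_INSTALLATION, BAD_INSTALLATION):
        print(inst["id"], audit_installation(inst) or "OK")
```

Running this against the real installation list after setup (and again whenever the app requests new permissions, since GitHub prompts an admin to approve such changes) gives a simple, repeatable check that the grant never grew beyond the two read scopes documented above.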

Security and Data Handling

  • All repository access occurs over encrypted HTTPS or SSH.
  • Hopper clones repositories securely for analysis and performs all processing in ephemeral environments.
    Source code is not persisted or stored long-term.
  • No code is pushed or written back to GitHub at any time.

Optional integration with artifact registries (e.g., JFrog) or ticketing platforms (e.g., Jira) allows Hopper to unify source, binary, and workflow visibility.

Output

Hopper provides precise and actionable outputs for each GitHub repository:

  • Reachable vulnerabilities, prioritized based on actual usage in the codebase
    • CVE metadata
    • Exploitability path (function-level call graphs)
    • File and function location
    • Fix effort estimation and upgrade guidance

  • License policy violations
    • Flagged by license type (e.g., GPL, AGPL, LGPL)
    • Linked to specific dependencies and affected paths

  • Exportable SBOMs
    • Formats: SPDX and CycloneDX
    • Includes full dependency tree with license and version info
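The license-violation and SBOM outputs above fit together: a CycloneDX document carries both the license of every component and the dependency graph that links a transitive package back to the direct dependency that pulled it in. The block below is an added example written for this page, not Hopper's code or its actual policy engine. It loads a constructed CycloneDX 1.5 JSON SBOM (package URLs, names and versions are made up), evaluates each component's declared licenses against a deny-list of SPDX identifier prefixes matching the GPL, AGPL and LGPL families named above, and reports each violation with its dependency path from the application.

```python
"""Evaluate a CycloneDX SBOM against a license policy.

Added example (not Hopper's code): load a CycloneDX 1.5 JSON document, resolve
the dependency graph, and report every component whose license matches the
organization's deny-list, together with the path from the application to that
component so the finding points at the direct dependency that introduced it.
"""
import json
from collections import deque

# Constructed sample SBOM (package URLs, names and versions are made up).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webkit@2.3.1", "name": "webkit", "version": "2.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:pypi/pdfgen@0.9.0", "name": "pdfgen", "version": "0.9.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"bom-ref": "pkg:pypi/imglib@4.1.2", "name": "imglib", "version": "4.1.2",
         "licenses": [{"expression": "LGPL-2.1-or-later OR MIT"}]},
        {"bom-ref": "pkg:pypi/nolicense@1.0.0", "name": "nolicense", "version": "1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/webkit@2.3.1", "pkg:pypi/imglib@4.1.2"]},
        {"ref": "pkg:pypi/webkit@2.3.1", "dependsOn": ["pkg:pypi/pdfgen@0.9.0"]},
        {"ref": "pkg:pypi/pdfgen@0.9.0", "dependsOn": ["pkg:pypi/nolicense@1.0.0"]},
    ],
})

# Organizational policy (assumed for this example): SPDX identifier prefixes
# that are not allowed in shipped code.
DENIED_LICENSE_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def component_licenses(component):
    """Collect every license identifier or name declared on a component.

    CycloneDX allows either {"license": {"id"|"name": ...}} entries or an SPDX
    {"expression": ...}; an expression is split on its operators so each
    identifier is checked individually (a conservative reading of OR choices).
    """
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
            found.extend(t for t in tokens if t not in ("AND", "OR", "WITH"))
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return found


def dependency_paths(sbom):
    """Map each bom-ref to one dependency path from the root component."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def license_violations(sbom_json, denied_prefixes=DENIED_LICENSE_PREFIXES):
    """Return a list of (name, version, license, path) policy violations.

    Components with no declared license are reported as "UNKNOWN" so that a
    missing declaration is reviewed rather than silently accepted.
    """
    sbom = json.loads(sbom_json)
    paths = dependency_paths(sbom)
    violations = []
    for comp in sbom.get("components", []):
        licenses = component_licenses(comp) or ["UNKNOWN"]
        for lic in licenses:
            if lic == "UNKNOWN" or lic.startswith(denied_prefixes):
                ref = comp.get("bom-ref")
                path = paths.get(ref, [ref])  # component absent from the graph: no path known
                violations.append((comp["name"], comp.get("version"), lic, path))
    return violations


if __name__ == "__main__":
    for name, version, lic, path in license_violations(SAMPLE_SBOM):
        print(f"{name}@{version}: {lic} via {' -> '.join(path)}")
```

Two design choices are worth noting. A dual-licensed expression such as `LGPL-2.1-or-later OR MIT` is flagged even though the permissive option could be chosen; whether an organization may elect the MIT branch is a legal decision, so the example surfaces it for review rather than deciding silently. Likewise a component with no license entry is reported as `UNKNOWN`, because an SBOM that omits license data is a gap in the inventory, not evidence that the component is acceptable.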

Findings are displayed in the Hopper dashboard and are optionally exportable via API, PDF, or JSON.

Support

For troubleshooting or technical questions, contact: support@hopper.security