Documentation Index
Fetch the complete documentation index at: https://support.configview.com/llms.txt
Use this file to discover all available pages before exploring further.
ConfigView pulls GitHub data through one Personal Access Token (PAT) with enterprise-level scopes, plus your enterprise slug. The same PAT covers all 46 endpoints — there is no separate SCIM, billing, or audit credential.
You will end up with 2 secrets in ConfigView (GITHUB_TOKEN, GITHUB_ENTERPRISE_SLUG) when setup is complete.
Plan requirement. Most endpoints require a GitHub Enterprise Cloud subscription. A handful (repos, repo_*, org_* basics) work on Team or Free orgs too, but the enterprise-tier endpoints (audit log, billing, runners, Copilot, secret-scanning aggregation, members-by-consumed-license) only function for an Enterprise account. If you are not on Enterprise Cloud, you can still enable the org and repo endpoints — the enterprise ones will fail cleanly.
Step 1: Identify your enterprise slug
Open https://github.com signed in as a GitHub user who is an Enterprise Owner.
- Click your profile picture → Your enterprises
- Click your enterprise
- The URL is
https://github.com/enterprises/<slug> — copy the <slug> portion
That slug is your GITHUB_ENTERPRISE_SLUG.
If you do not see Your enterprises, you are not an Enterprise Owner on any enterprise. You can still proceed using org-level endpoints only — set GITHUB_ENTERPRISE_SLUG to any non-empty placeholder (e.g. none) and skip every script whose display name begins with Enterprise.
Step 2: Create the Personal Access Token
ConfigView uses a classic PAT (not fine-grained) because GitHub’s enterprise endpoints, audit log, and Copilot APIs are not yet supported under fine-grained PATs.
- Sign in to GitHub as the Enterprise Owner identified in Step 1
- Open https://github.com/settings/tokens
- Click Generate new token → Generate new token (classic)
- Note:
ConfigView
- Expiration: pick a duration that matches your secret-rotation policy (90 days, 1 year, or custom)
- Select scopes: check the boxes below. The scope you need depends on which endpoints you plan to enable — checking all of them is the simplest path:
| Scope | Why | Endpoints it unlocks |
|---|
read:enterprise | Enterprise account + members + audit log | All Enterprise-prefixed endpoints |
read:org | Org structure, teams, members | Organizations, Org Members, Teams, Team Members, Outside Collaborators |
read:audit_log | Org-level audit log | Org Audit Log |
admin:org (read-only is implied) | Webhooks, installations, fine-grained PATs, IP allow list, settings | Installed GitHub Apps, Fine-Grained PATs, Org Webhooks, IP Allow List, Org Settings, Org Actions Permissions |
repo | Private repo metadata, branch protection, env secrets (names only) | Repositories (private), Branch Protection, Repo Secrets, Environments, Webhooks, Deploy Keys |
security_events | Dependabot, code-scanning, secret-scanning alerts | Dependabot Alerts, Code Scanning Alerts, Secret Scanning Alerts (Org + Enterprise) |
manage_billing:enterprise | Enterprise billing endpoints | Enterprise Billing — Actions / Packages / Shared Storage |
copilot (or manage_billing:copilot) | Copilot seat + usage + billing | Copilot Seat Assignments, Copilot Usage, Copilot Billing Summary |
read:user, user:email | SSH/GPG/SAML key metadata for enterprise members | User SSH Keys, User GPG Keys, SAML/SSO Identities |
- Click Generate token
- Copy the token (starts with
ghp_...). You will not be able to see it again — store it somewhere safe.
SAML SSO authorization. If your enterprise enforces SAML SSO, after creating the token you must authorize it for SSO: on the token page, find the new token in the list and click Configure SSO → Authorize for your enterprise. Otherwise every API call returns 403.
Read-only scopes only. ConfigView never writes to GitHub. The scopes above let it call GET endpoints; the API has no concept of “read-only token,” so a repo scope technically allows writes — but the scripts only issue reads.
Step 3: Add the secrets to ConfigView
- Go to your ConfigView dashboard:
https://{companyname}.configview.com/admin/secret/
- Click Add Secret and create:
GITHUB_TOKEN: the ghp_... token from Step 2GITHUB_ENTERPRISE_SLUG: the slug from Step 1
- Click Save
Step 4: Enable the GitHub scripts in ConfigView
- Go to:
https://{companyname}.configview.com/admin/cron/
- You should see github in the list of available apps
- Select the scripts you want to run. Group them by tier — enable only the tiers that match your plan:
Enterprise tier (Enterprise Cloud required)
| Script | Notes |
|---|
| Enterprise Account | Single row — name, billing email, created date |
| Enterprise Owners & Billing Managers | Who can administer the enterprise |
| Enterprise Members (Consumed Licenses) | Authoritative seat count for billing reconciliation |
| Enterprise Pending Invitations | Outstanding invites that aren’t consuming seats yet |
| Enterprise Organizations | Every org under the enterprise. Most other scripts depend on this. |
| Enterprise Audit Log | Last 30 days of enterprise-level admin events |
| Enterprise Billing — Actions / Packages / Shared Storage | Three separate scripts for the three billable units |
| Enterprise Self-Hosted Runners | Inventory of enterprise-level runners |
| Enterprise Runner Groups | Runner groups + which orgs/repos can use them |
| Enterprise Secret Scanning Alerts | Cross-org rollup |
| Copilot Seat Assignments | Who has a Copilot seat |
| Copilot Usage (Daily) | Daily active users, suggestions, acceptance rate |
| Copilot Billing Summary | Seat count + per-seat cost |
Org tier (works on any GitHub Team or Enterprise org)
| Script | Notes |
|---|
| Organizations | All orgs under the enterprise. Almost every org/repo script depends on this. |
| Org Members | Per-org member list with role (admin/member) |
| Outside Collaborators | Non-members with access to org repos |
| Org Pending Invitations | Outstanding org invites |
| Teams | All teams in each org |
| Team Members | Membership of each team. Depends on Teams. |
| Team Repository Permissions | Which repos each team has access to + at what permission. Depends on Teams. |
| Installed GitHub Apps | GitHub Apps installed on the org (not OAuth) |
| OAuth Apps (from Audit Log) | Extracted from oauth_authorization.create audit events — there is no direct API |
| Fine-Grained PATs | PATs that have access to org resources |
| Org Webhooks | Webhooks configured at the org level |
| Org Secrets (Names) | Names only — GitHub never returns secret values |
| Org Actions Variables | Workflow variables at the org level (names + visibility) |
| Org Actions Permissions | Which actions allowed, default workflow permissions |
| Security Manager Teams | Teams granted the security-manager role |
| Custom Repository Roles | Org-defined custom roles |
| Dependabot / Code Scanning / Secret Scanning Alerts | Three separate scripts for the three alert kinds (org rollup) |
| IP Allow List | Enabled status + entries |
| Org Audit Log | Last 30 days of org-level events. Same source as OAuth Apps — enable both together. |
| Org Settings | Misc org settings (default repo permission, member privileges, etc.) |
Repo tier
| Script | Notes |
|---|
| Repositories | Every repo across every visible org. All repo_ scripts depend on this.* |
| Branch Protection (Default Branch) | Default branch only — feature/release branches are not walked |
| Repo Secrets (Names) | Names only |
| Repo Environments | Environments + their protection rules |
| Repo Collaborators | Per-repo direct + team-derived access |
| Repo Webhooks | Repo-level webhooks |
| Repo Deploy Keys (Metadata) | Fingerprints, last-used dates — never the private key |
User tier
| Script | Notes |
|---|
| User SSH Keys | Per enterprise-member SSH key metadata. Depends on Enterprise Members. |
| User GPG Keys | Per enterprise-member GPG key metadata. Depends on Enterprise Members. |
| SAML/SSO Identities | Mapping between GitHub user and SAML NameID. Depends on Enterprise Members. |
- Click Save
Note: ConfigView wires the parent-child dependencies automatically (e.g. org_members runs after organizations). You only need to make sure the parent script is enabled when you enable a child.
Step 5: Verify
- Go to:
https://{companyname}.configview.com/admin/status/
- Run the GitHub health check
- The check should pass with your enterprise name + at least one organization listed
If a check fails:
401 Bad credentials — Token expired, revoked, or has zero scopes. Re-issue from Step 2.403 Resource not accessible by personal access token — Token missing a required scope. Compare the failing endpoint against the scope table in Step 2.403 must use SAML SSO to access this resource — Authorize the token for SSO (Step 2, final note).404 Not Found on enterprise endpoints — GITHUB_ENTERPRISE_SLUG is wrong or the token’s owner is not an Enterprise Owner.Org Members finds zero outside collaborators / pending invites — Frequently legitimate; the org may genuinely have none. Cross-check against https://github.com/orgs/<org>/people.
Data Tables
Once the scripts run, the corresponding tables are created in your database. All tables include a run_at column for historical tracking. Selected highlights below — see manifest.json for the full list.
| Table | Source | Key Columns |
|---|
github_enterprise | /enterprises/{slug} | name, slug, created_at, billing_email |
github_enterprise_members | /enterprises/{slug}/consumed-licenses | login, github_com_user, github_com_member, license_type, last_activity_at |
github_organizations | /enterprises/{slug}/organizations | login, id, description, default_repository_permission |
github_org_members | /orgs/{org}/members | org, login, role (admin/member), site_admin |
github_repos | /orgs/{org}/repos | org, name, private, archived, fork, pushed_at, size_kb, default_branch |
github_repo_branch_protection | /repos/{org}/{repo}/branches/{branch}/protection | required_status_checks_json, require_pr_reviews, restrict_pushes |
github_org_dependabot_alerts | /orgs/{org}/dependabot/alerts | repo, severity, state, dependency, ghsa_id, created_at |
github_copilot_seats | /enterprises/{slug}/copilot/billing/seats | login, plan_type, assignee_team, created_at, last_activity_at |
github_copilot_usage | /enterprises/{slug}/copilot/usage | day, total_suggestions_count, total_acceptances_count, total_active_users |
github_enterprise_audit_log | /enterprises/{slug}/audit-log | action, actor, repo, org, created_at, raw_json |
What you can’t ingest with this setup
- Private repo file contents. ConfigView reads metadata, not source. No commits, no blobs, no diffs.
- Issue / PR bodies. Not in scope. Add via custom query if needed.
- Actions workflow runs / job logs. Available via API but not wired in — open a feature request if useful.
- Audit log older than 30 days. GitHub retains 180 days but the API streams it lazily; the script pulls a rolling 30-day window. Cumulative history accumulates from successive runs in
run_at.
