GITHUB_TOKEN, GITHUB_ENTERPRISE_SLUG) when setup is complete.
Plan requirement. Most endpoints require a GitHub Enterprise Cloud subscription. A handful (repos,repo_*,org_*basics) work on Team or Free orgs too, but the enterprise-tier endpoints (audit log, billing, runners, Copilot, secret-scanning aggregation, members-by-consumed-license) only function for an Enterprise account. If you are not on Enterprise Cloud, you can still enable the org and repo endpoints — the enterprise ones will fail cleanly.
Step 1: Identify your enterprise slug
Open https://github.com signed in as a GitHub user who is an Enterprise Owner.- Click your profile picture → Your enterprises
- Click your enterprise
- The URL is
https://github.com/enterprises/<slug>— copy the<slug>portion
GITHUB_ENTERPRISE_SLUG.
If you do not see Your enterprises, you are not an Enterprise Owner on any enterprise. You can still proceed using org-level endpoints only — setGITHUB_ENTERPRISE_SLUGto any non-empty placeholder (e.g.none) and skip every script whose display name begins with Enterprise.
Step 2: Create the Personal Access Token
ConfigView uses a classic PAT (not fine-grained) because GitHub’s enterprise endpoints, audit log, and Copilot APIs are not yet supported under fine-grained PATs.- Sign in to GitHub as the Enterprise Owner identified in Step 1
- Open https://github.com/settings/tokens
- Click Generate new token → Generate new token (classic)
- Note:
ConfigView - Expiration: pick a duration that matches your secret-rotation policy (90 days, 1 year, or custom)
- Select scopes: check the boxes below. The scope you need depends on which endpoints you plan to enable — checking all of them is the simplest path:
| Scope | Why | Endpoints it unlocks |
|---|---|---|
read:enterprise | Enterprise account + members + audit log | All Enterprise-prefixed endpoints |
read:org | Org structure, teams, members | Organizations, Org Members, Teams, Team Members, Outside Collaborators |
read:audit_log | Org-level audit log | Org Audit Log |
admin:org (read-only is implied) | Webhooks, installations, fine-grained PATs, IP allow list, settings | Installed GitHub Apps, Fine-Grained PATs, Org Webhooks, IP Allow List, Org Settings, Org Actions Permissions |
repo | Private repo metadata, branch protection, env secrets (names only) | Repositories (private), Branch Protection, Repo Secrets, Environments, Webhooks, Deploy Keys |
security_events | Dependabot, code-scanning, secret-scanning alerts | Dependabot Alerts, Code Scanning Alerts, Secret Scanning Alerts (Org + Enterprise) |
manage_billing:enterprise | Enterprise billing endpoints | Enterprise Billing — Actions / Packages / Shared Storage |
copilot (or manage_billing:copilot) | Copilot seat + usage + billing | Copilot Seat Assignments, Copilot Usage, Copilot Billing Summary |
read:user, user:email | SSH/GPG/SAML key metadata for enterprise members | User SSH Keys, User GPG Keys, SAML/SSO Identities |
- Click Generate token
- Copy the token (starts with
ghp_...). You will not be able to see it again — store it somewhere safe.
SAML SSO authorization. If your enterprise enforces SAML SSO, after creating the token you must authorize it for SSO: on the token page, find the new token in the list and click Configure SSO → Authorize for your enterprise. Otherwise every API call returns 403.
Read-only scopes only. ConfigView never writes to GitHub. The scopes above let it callGETendpoints; the API has no concept of “read-only token,” so areposcope technically allows writes — but the scripts only issue reads.
Step 3: Add the secrets to ConfigView
- Go to your ConfigView dashboard:
https://{companyname}.configview.com/admin/secret/ - Click Add Secret and create:
GITHUB_TOKEN: theghp_...token from Step 2GITHUB_ENTERPRISE_SLUG: the slug from Step 1
- Click Save
Step 4: Enable the GitHub scripts in ConfigView
- Go to:
https://{companyname}.configview.com/admin/cron/ - You should see github in the list of available apps
- Select the scripts you want to run. Group them by tier — enable only the tiers that match your plan:
Enterprise tier (Enterprise Cloud required)
| Script | Notes |
|---|---|
| Enterprise Account | Single row — name, billing email, created date |
| Enterprise Owners & Billing Managers | Who can administer the enterprise |
| Enterprise Members (Consumed Licenses) | Authoritative seat count for billing reconciliation |
| Enterprise Pending Invitations | Outstanding invites that aren’t consuming seats yet |
| Enterprise Organizations | Every org under the enterprise. Most other scripts depend on this. |
| Enterprise Audit Log | Last 30 days of enterprise-level admin events |
| Enterprise Billing — Actions / Packages / Shared Storage | Three separate scripts for the three billable units |
| Enterprise Self-Hosted Runners | Inventory of enterprise-level runners |
| Enterprise Runner Groups | Runner groups + which orgs/repos can use them |
| Enterprise Secret Scanning Alerts | Cross-org rollup |
| Copilot Seat Assignments | Who has a Copilot seat |
| Copilot Usage (Daily) | Daily active users, suggestions, acceptance rate |
| Copilot Billing Summary | Seat count + per-seat cost |
Org tier (works on any GitHub Team or Enterprise org)
| Script | Notes |
|---|---|
| Organizations | All orgs under the enterprise. Almost every org/repo script depends on this. |
| Org Members | Per-org member list with role (admin/member) |
| Outside Collaborators | Non-members with access to org repos |
| Org Pending Invitations | Outstanding org invites |
| Teams | All teams in each org |
| Team Members | Membership of each team. Depends on Teams. |
| Team Repository Permissions | Which repos each team has access to + at what permission. Depends on Teams. |
| Installed GitHub Apps | GitHub Apps installed on the org (not OAuth) |
| OAuth Apps (from Audit Log) | Extracted from oauth_authorization.create audit events — there is no direct API |
| Fine-Grained PATs | PATs that have access to org resources |
| Org Webhooks | Webhooks configured at the org level |
| Org Secrets (Names) | Names only — GitHub never returns secret values |
| Org Actions Variables | Workflow variables at the org level (names + visibility) |
| Org Actions Permissions | Which actions allowed, default workflow permissions |
| Security Manager Teams | Teams granted the security-manager role |
| Custom Repository Roles | Org-defined custom roles |
| Dependabot / Code Scanning / Secret Scanning Alerts | Three separate scripts for the three alert kinds (org rollup) |
| IP Allow List | Enabled status + entries |
| Org Audit Log | Last 30 days of org-level events. Same source as OAuth Apps — enable both together. |
| Org Settings | Misc org settings (default repo permission, member privileges, etc.) |
Repo tier
| Script | Notes |
|---|---|
| Repositories | Every repo across every visible org. All repo_ scripts depend on this.* |
| Branch Protection (Default Branch) | Default branch only — feature/release branches are not walked |
| Repo Secrets (Names) | Names only |
| Repo Environments | Environments + their protection rules |
| Repo Collaborators | Per-repo direct + team-derived access |
| Repo Webhooks | Repo-level webhooks |
| Repo Deploy Keys (Metadata) | Fingerprints, last-used dates — never the private key |
User tier
| Script | Notes |
|---|---|
| User SSH Keys | Per enterprise-member SSH key metadata. Depends on Enterprise Members. |
| User GPG Keys | Per enterprise-member GPG key metadata. Depends on Enterprise Members. |
| SAML/SSO Identities | Mapping between GitHub user and SAML NameID. Depends on Enterprise Members. |
- Click Save
Note: ConfigView wires the parent-child dependencies automatically (e.g.org_membersruns afterorganizations). You only need to make sure the parent script is enabled when you enable a child.
Step 5: Verify
- Go to:
https://{companyname}.configview.com/admin/status/ - Run the GitHub health check
- The check should pass with your enterprise name + at least one organization listed
401 Bad credentials— Token expired, revoked, or has zero scopes. Re-issue from Step 2.403 Resource not accessible by personal access token— Token missing a required scope. Compare the failing endpoint against the scope table in Step 2.403 must use SAML SSO to access this resource— Authorize the token for SSO (Step 2, final note).404 Not Foundon enterprise endpoints —GITHUB_ENTERPRISE_SLUGis wrong or the token’s owner is not an Enterprise Owner.Org Membersfinds zero outside collaborators / pending invites — Frequently legitimate; the org may genuinely have none. Cross-check againsthttps://github.com/orgs/<org>/people.
Data Tables
Once the scripts run, the corresponding tables are created in your database. All tables include arun_at column for historical tracking. Selected highlights below — see manifest.json for the full list.
| Table | Source | Key Columns |
|---|---|---|
github_enterprise | /enterprises/{slug} | name, slug, created_at, billing_email |
github_enterprise_members | /enterprises/{slug}/consumed-licenses | login, github_com_user, github_com_member, license_type, last_activity_at |
github_organizations | /enterprises/{slug}/organizations | login, id, description, default_repository_permission |
github_org_members | /orgs/{org}/members | org, login, role (admin/member), site_admin |
github_repos | /orgs/{org}/repos | org, name, private, archived, fork, pushed_at, size_kb, default_branch |
github_repo_branch_protection | /repos/{org}/{repo}/branches/{branch}/protection | required_status_checks_json, require_pr_reviews, restrict_pushes |
github_org_dependabot_alerts | /orgs/{org}/dependabot/alerts | repo, severity, state, dependency, ghsa_id, created_at |
github_copilot_seats | /enterprises/{slug}/copilot/billing/seats | login, plan_type, assignee_team, created_at, last_activity_at |
github_copilot_usage | /enterprises/{slug}/copilot/usage | day, total_suggestions_count, total_acceptances_count, total_active_users |
github_enterprise_audit_log | /enterprises/{slug}/audit-log | action, actor, repo, org, created_at, raw_json |
What you can’t ingest with this setup
- Private repo file contents. ConfigView reads metadata, not source. No commits, no blobs, no diffs.
- Issue / PR bodies. Not in scope. Add via custom query if needed.
- Actions workflow runs / job logs. Available via API but not wired in — open a feature request if useful.
- Audit log older than 30 days. GitHub retains 180 days but the API streams it lazily; the script pulls a rolling 30-day window. Cumulative history accumulates from successive runs in
run_at.