GitHub App Integration
Collect repository metadata signals from your GitHub repositories. Repository signals only. No code analysis or runtime testing.
Quick Start
1. Install the GitHub App
   Visit the GitHub Marketplace and install HAIEC Control Signals on your repositories.
2. Select Repositories
   Choose which repositories HAIEC should monitor for control signals.
3. Open a Pull Request
   HAIEC automatically posts attestation readiness comments on new PRs.
Evidence Signals Collected
HAIEC collects 10 deterministic metadata signals from your repository. These are repository configuration signals, not security or compliance assessments:
- Verifies the main branch has protection rules enabled
- Checks if PRs require at least one approval
- Confirms automated dependency updates are active
- Looks for a SECURITY.md file in the repository
- Verifies a LICENSE file exists
- Checks for GitHub Actions workflows
- Verifies CodeQL or similar scanning is enabled
- Confirms secret scanning is active
- Checks for commit signature verification
- Verifies README.md exists with content
Pull Request Comments
When you open a pull request, HAIEC posts a comment showing your attestation readiness:
- SOC2 CC6.1 - Branch protection not enabled
- SOC2 CC7.1 - Dependabot not enabled
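As an added illustration (not HAIEC's own code), the Python below evaluates the same kind of repository metadata signals from constructed payloads shaped like GitHub REST API responses and renders the failing ones in the comment format shown above. The payload shapes, signal names and the labels for signals other than the two SOC2 references are assumptions.

```python
# Constructed sample payloads shaped like GitHub REST API responses (assumption).
REPO = {"default_branch": "main",
        "security_and_analysis": {"secret_scanning": {"status": "disabled"}}}
PROTECTION = None  # branch protection endpoint returned 404: no rules configured
FILES = {"README.md": "# demo\nA short description.\n", "LICENSE": "MIT"}

# Control IDs appear on the page only for these two signals; the others carry none.
CONTROL_IDS = {"branch_protection": "SOC2 CC6.1", "dependabot": "SOC2 CC7.1"}
LABELS = {
    "branch_protection": "Branch protection not enabled",
    "pr_approval": "PR approval not required",
    "dependabot": "Dependabot not enabled",
    "security_md": "SECURITY.md missing",
    "license": "LICENSE missing",
    "workflows": "No GitHub Actions workflows",
    "code_scanning": "CodeQL workflow not found",
    "secret_scanning": "Secret scanning not enabled",
    "commit_signing": "Commit signature verification not required",
    "readme": "README.md missing or empty",
}

def evaluate_signals(repo, protection, files):
    """Map repository metadata to {signal: passed}; metadata only, no source code read."""
    prot = protection or {}
    reviews = prot.get("required_pull_request_reviews") or {}
    sigs = prot.get("required_signatures") or {}
    workflows = [p for p in files if p.startswith(".github/workflows/")]
    sec = repo.get("security_and_analysis") or {}
    return {
        "branch_protection": protection is not None,
        "pr_approval": reviews.get("required_approving_review_count", 0) >= 1,
        "dependabot": ".github/dependabot.yml" in files,
        "security_md": "SECURITY.md" in files,
        "license": "LICENSE" in files,
        "workflows": bool(workflows),
        "code_scanning": any("codeql" in p.lower() for p in workflows),  # heuristic
        "secret_scanning": (sec.get("secret_scanning") or {}).get("status") == "enabled",
        "commit_signing": bool(sigs.get("enabled")),
        "readme": bool(files.get("README.md", "").strip()),
    }

def render_comment(signals):
    """One line per failing signal, in the PR-comment format shown above."""
    lines = []
    for name, ok in signals.items():
        if not ok:
            ctl = CONTROL_IDS.get(name)
            lines.append(f"- {ctl} - {LABELS[name]}" if ctl else f"- {LABELS[name]}")
    return lines
```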
Trust Artifacts & Badges
After completing a compliance assessment, you receive a verifiable trust artifact with an embeddable badge.
Embedding Badges
Add this to your README.md:
```markdown
[](https://haiec.com/artifact/SOC2-abc12345)
```
Permissions Required
HAIEC requests minimal permissions to function:
| Permission | Access | Purpose |
|---|---|---|
| Contents | Read | Read SECURITY.md, LICENSE, README |
| Pull Requests | Read & Write | Post attestation comments |
| Metadata | Read | Repository information |
What HAIEC Does NOT Do
- We do NOT read, store, or analyze your source code
- We do NOT have write access to your code or branches
- We do NOT calculate compliance scores or make compliance determinations
- We do NOT share your data with third parties