> ## Documentation Index
> Fetch the complete documentation index at: https://docs.amplify.security/llms.txt
> Use this file to discover all available pages before exploring further.

# GitHub

> Secure your GitHub repositories with Amplify.

## Overview

The Amplify GitHub App integrates the Amplify Security Platform with GitHub to secure your
GitHub repositories and provide actionable security code fixes directly to developers in
Pull Requests.

<Note>
  The Amplify Security GitHub integration is currently in beta. Documentation and functionality
  may change frequently.
</Note>

<CardGroup cols={2}>
  <Card title="GitHub App" icon="code-simple" href="https://github.com/apps/amplify-security">
    View the Amplify Security GitHub App on the GitHub Marketplace.
  </Card>

  <Card title="GitHub Action" icon="circle-play" href="https://github.com/marketplace/actions/amplify-runner-action">
    View the Amplify Security GitHub Action on GitHub.
  </Card>
</CardGroup>

## Components

### GitHub App

The Amplify GitHub App installs in your GitHub organization and allows Amplify to make Requests
to the GitHub API on behalf of your organization. Amplify uses these privileges to receive
notifications about Pull Requests and GitHub Actions Workflows, and to commit security code fixes
directly to your repositories when approved by a user. Amplify also has the ability to open Pull
Requests and comment on Pull Requests to provide security feedback through the GitHub App.

### GitHub Action

The Amplify GitHub Action is an action that runs configured security tools on your GitHub repository
and sends security findings to the Amplify Platform. The Amplify GitHub Action is installed into the
GitHub repositories added to the Github App when you approve the installation Pull Requests created
by the Amplify Platform.

### Amplify Workflow

The Amplify GitHub Actions Workflow is the workflow installed in any GitHub repositories added
to the Amplify Platform. This Workflow runs the Amplify GitHub Action on every Pull Request and
on every push to the repository's `main` or `develop` branch.

```yaml .github/workflows/amplify.yml theme={null}
---
name: Amplify Security
on:
  pull_request: {}
  workflow_dispatch: {}
  push:
    branches: ["main", "develop"]

permissions:
  contents: read
  id-token: write

jobs:
  amplify-security-scan:
    name: Amplify Security Scan
    runs-on: ubuntu-latest
    if: (github.event_name != 'pull_request' ||
      github.repository_id == github.event.pull_request.head.repo.id) &&
      github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - name: Amplify Runner
        uses: amplify-security/runner-action@main
```

<Warning>
  The Amplify Platform currently relies on the name of the Workflow to track and display GitHub Workflows
  correctly. Do not change the name of the Workflow. This restriction will be lifted soon.
</Warning>

## Configuration

### Scanning branches other than `main` or `develop`

By default, this Amplify workflow runs on all Pull Requests and on every push to the repository's
`main` or `develop` branch. To run on any additional branches, add them to the list of branches in
`.github/workflows/amplify.yml`. For example, we will modify the section below to also execute on
the `staging` branch. Note that the change in syntax from the above YAML is simply for readability.

```yaml .github/workflows/amplify.yml theme={null}
---
name: Amplify Security
on:
  pull_request: {}
  workflow_dispatch: {}
  push:
    # this is equivalent to '["main", "develop", "staging"]'
    branches:
      - main
      - develop
      - staging
```