WhiteSource Bolt for Github FAQ


  • Get Started
  • Usage
  • Troubleshooting
  • Get Started
    • What is WhiteSource Bolt for GitHub?

      WhiteSource Bolt for GitHub is a FREE app, which continuously scans all your repos, detects vulnerabilities in open source components and provides fixes. It supports both private and public repositories, to make sure nothing puts your product at risk.

      We’ve got you covered with over 200 programming languages support and continuous tracking of multiple open source vulnerabilities databases like the NVD and additional security advisories.

    • How to install?

      In order to install the WhiteSource Bolt for GitHub App, just go to the App page and click the ‘Install’ button. If you can’t see the ‘Install’ button, sign in to GitHub.com by clicking on ‘Sign In‘ and enter your credentials. For further instructions, you can find the documentation here.

    • I'm a WhiteSource customer and I'd like to start using WhiteSource Bolt for GitHub. Is it included in my subscription?

      WhiteSource Bolt for GitHub is free of charge and allows for an unlimited number of scans on any of your repositories.

    • What types of GitHub repositories are supported?

      WhiteSource Bolt for GitHub currently supports public and private repositories on GitHub.com. Archived repositories are currently not supported.

    • Can I use this App on my GitHub Enterprise account?

      Support for GitHub Enterprise is coming soon.

    • What is the daily repo scan limit and how is it reached?

      Any valid ‘push’ event triggers a new scan. You are limited to 5 ‘push’ actions per repository per day. See here for more information. This limitation is not applicable to WhiteSource paying customers.

    • How can I complete the App installation?

      Once you have selected the GitHub repositories on which to install the App, a WhiteSource registration form will be displayed. Fill out the basic form details and click ‘Submit’.
      If you are a WhiteSource paying customer, follow these steps on how to fill out the form.

    • What is the verification process?

      In case your GitHub email is marked as private (see GitHub profile settings), the registration form won’t pre-fill your email. To verify your email address, a verification email containing a link is sent to you. Once you click on the link, the installation will be activated and you can start using WhiteSource Bolt for GitHub.

    • If I install Bolt for GitHub with my email settings set to public, will I need to verify the registration?

      If your GitHub account has a public email address set, the registration form will pre-fill your email address, and you won’t receive a ‘verification’ email. You can directly submit the form and start using the App.

      You can choose to modify the email value. In this case, a verification process will be required.

  • Usage
    • What happens after the app is installed?
      1. After the installation, we will scan your repositories for vulnerabilities. For each found vulnerability, a new GitHub issue labeled “security vulnerability” is created.
      2. In each of your selected repositories, we will create a new “.whitesource” file in the root of the repository. This file will be used to apply necessary configurations by WhiteSource.


    • When is a security scan initiated?

      A scan is triggered by a valid GitHub ‘push’ event. A valid ‘push’ event needs to meet one of the requirements defined here.

  • Troubleshooting
    • GitHub shows the Bolt for GitHub App is installed but I don't see anything, why?

      This can happen due to one of the following:

      1. You haven’t completed the installation or verification process.
      2. The ‘Issues’ tab is disabled for your repository. To enable it, go to your GitHub repository ‘Settings’ page and under the ‘Features’ section, select the ‘Issues’ checkbox.
      3. No vulnerabilities were found in the scanned repository.
      4. If you installed the App on a large number of repositories, the scan may still be running.

      e. You have reached your daily repository limit

    • Still encountering technical issues?

      Check out our documentation or contact support here: