Integrations

Integrations allow boring.tools to connect to your Git hosting platforms (GitHub, Forgejo) for repository browsing and automated SBOM generation. If you do not want boring.tools to access your repositories directly, you can also generate SBOMs in CI/CD and upload them with the boring.tools GitHub Action.

Integration list

The Integrations page shows all configured Git connections:

Integration list in light mode

Integration list in dark mode

Each integration displays:

  • Name — Descriptive name for the connection
  • Status — Active, Pending, or Error with details
  • Provider — GitHub or Forgejo
  • Account — Connected GitHub organization or Forgejo instance
  • Username — Remote username used for authentication

Integration status

StatusMeaning
ActiveConnection is working and repositories are accessible
PendingIntegration created but authentication not yet completed
ErrorConnection failed — click to see error details

Add an integration

  1. Navigate to Integrations
  2. Click Add Connection
  3. Select the provider (GitHub or Forgejo)
  4. Follow the authentication flow

Add integration form in light mode

Add integration form in dark mode

GitHub integration

For GitHub:

  1. Click Connect GitHub
  2. You’ll be redirected to GitHub OAuth
  3. Authorize the boring.tools app
  4. Select which repositories to grant access to
  5. You’ll be redirected back with the integration active

The GitHub App only requests read access to code and metadata. It cannot modify your repositories.

Forgejo integration

For Forgejo:

  1. Enter the Forgejo instance URL
  2. Enter your personal access token
  3. Click Connect

Create a Forgejo personal access token with repo:read scope in your Forgejo settings.

Browse repositories

Once an integration is active, click Browse Repos to explore repositories:

Repository browser in light mode

Repository browser in dark mode

The repository browser lets you:

  • View all accessible repositories
  • Browse branches and commits
  • Link repositories to projects
  • Trigger SBOM generation
  1. Browse repositories via an active integration
  2. Find the repository you want to link
  3. Click Link to project
  4. Select the target project
  5. Choose the branch to scan

Once linked, boring.tools will:

  • Poll the repository for new commits (every 10 minutes)
  • Generate an SBOM automatically on each commit
  • Run vulnerability scans on the SBOM
  • Display results in the project dashboard

See Git Integration for details on automated scanning.

Upload SBOMs from CI/CD

You can use boring.tools without a Git integration by generating an SBOM in your pipeline and uploading it to a project. The public boring-tools/upload-sbom-action GitHub Action uploads an existing CycloneDX JSON file; it intentionally does not generate the SBOM so you can choose your own generator. See Upload SBOMs from GitHub Actions for the landing-page overview.

A common setup is Syft plus the boring.tools upload action:

- uses: actions/checkout@v4

- name: Install Syft
  uses: anchore/sbom-action/download-syft@v0

- name: Generate CycloneDX SBOM
  run: syft dir:. -o cyclonedx-json=sbom.cdx.json

- name: Upload SBOM to boring.tools
  uses: boring-tools/upload-sbom-action@v1
  with:
    api-key: ${{ secrets.BORING_TOOLS_API_KEY }}
    project-id: ${{ vars.BORING_TOOLS_PROJECT_ID }}
    sbom-file: sbom.cdx.json

Use this path when you want to keep repository access inside your own CI/CD system, when the repository is not reachable by the boring.tools Git integration, or when your organization already has a standard SBOM generation workflow.

The GitHub Action is distributed from the public boring-tools/upload-sbom-action repository. Use @v1 for the stable major version, or pin to a full version tag such as @v1.0.0 for an immutable workflow reference. For the security rationale behind stricter pinning, see GitHub Action tags are part of your software supply chain.

Reconnect an integration

If an integration enters Error state (expired token, revoked access), click Reconnect to re-authenticate:

  1. Click Reconnect next to the integration
  2. Follow the authentication flow again
  3. The integration returns to Active state

Delete an integration

Click Delete and confirm. This will:

  • Remove the connection
  • Revoke all access tokens
  • Unlink all repositories from projects

Warning: Deleting an integration does not delete the SBOMs already generated. Projects will retain existing scan data, but automated scanning will stop.

Configure GitHub App permissions

For GitHub integrations, click Configure to manage the GitHub App installation:

  • Add or remove repository access
  • View webhook delivery logs
  • Uninstall the app

This opens the GitHub App settings page in a new tab.

Last updated: June 4, 2026