Integrations
Integrations allow boring.tools to connect to your Git hosting platforms (GitHub, Forgejo) for repository browsing and automated SBOM generation. If you do not want boring.tools to access your repositories directly, you can also generate SBOMs in CI/CD and upload them with the boring.tools GitHub Action.
Integration list
The Integrations page shows all configured Git connections:


Each integration displays:
- Name — Descriptive name for the connection
- Status — Active, Pending, or Error with details
- Provider — GitHub or Forgejo
- Account — Connected GitHub organization or Forgejo instance
- Username — Remote username used for authentication
Integration status
| Status | Meaning |
|---|---|
| Active | Connection is working and repositories are accessible |
| Pending | Integration created but authentication not yet completed |
| Error | Connection failed — click to see error details |
Add an integration
- Navigate to Integrations
- Click Add Connection
- Select the provider (GitHub or Forgejo)
- Follow the authentication flow


GitHub integration
For GitHub:
- Click Connect GitHub
- You’ll be redirected to GitHub OAuth
- Authorize the boring.tools app
- Select which repositories to grant access to
- You’ll be redirected back with the integration active
The GitHub App only requests read access to code and metadata. It cannot modify your repositories.
Forgejo integration
For Forgejo:
- Enter the Forgejo instance URL
- Enter your personal access token
- Click Connect
Create a Forgejo personal access token with repo:read scope in your Forgejo settings.
Browse repositories
Once an integration is active, click Browse Repos to explore repositories:


The repository browser lets you:
- View all accessible repositories
- Browse branches and commits
- Link repositories to projects
- Trigger SBOM generation
Link a repository to a project
- Browse repositories via an active integration
- Find the repository you want to link
- Click Link to project
- Select the target project
- Choose the branch to scan
Once linked, boring.tools will:
- Poll the repository for new commits (every 10 minutes)
- Generate an SBOM automatically on each commit
- Run vulnerability scans on the SBOM
- Display results in the project dashboard
See Git Integration for details on automated scanning.
Upload SBOMs from CI/CD
You can use boring.tools without a Git integration by generating an SBOM in your pipeline and uploading it to a project. The public boring-tools/upload-sbom-action GitHub Action uploads an existing CycloneDX JSON file; it intentionally does not generate the SBOM so you can choose your own generator. See Upload SBOMs from GitHub Actions for the landing-page overview.
A common setup is Syft plus the boring.tools upload action:
- uses: actions/checkout@v4
- name: Install Syft
uses: anchore/sbom-action/download-syft@v0
- name: Generate CycloneDX SBOM
run: syft dir:. -o cyclonedx-json=sbom.cdx.json
- name: Upload SBOM to boring.tools
uses: boring-tools/upload-sbom-action@v1
with:
api-key: ${{ secrets.BORING_TOOLS_API_KEY }}
project-id: ${{ vars.BORING_TOOLS_PROJECT_ID }}
sbom-file: sbom.cdx.json
Use this path when you want to keep repository access inside your own CI/CD system, when the repository is not reachable by the boring.tools Git integration, or when your organization already has a standard SBOM generation workflow.
The GitHub Action is distributed from the public boring-tools/upload-sbom-action repository. Use @v1 for the stable major version, or pin to a full version tag such as @v1.0.0 for an immutable workflow reference. For the security rationale behind stricter pinning, see GitHub Action tags are part of your software supply chain.
Reconnect an integration
If an integration enters Error state (expired token, revoked access), click Reconnect to re-authenticate:
- Click Reconnect next to the integration
- Follow the authentication flow again
- The integration returns to Active state
Delete an integration
Click Delete and confirm. This will:
- Remove the connection
- Revoke all access tokens
- Unlink all repositories from projects
Warning: Deleting an integration does not delete the SBOMs already generated. Projects will retain existing scan data, but automated scanning will stop.
Configure GitHub App permissions
For GitHub integrations, click Configure to manage the GitHub App installation:
- Add or remove repository access
- View webhook delivery logs
- Uninstall the app
This opens the GitHub App settings page in a new tab.