# GitHub Enterprise

In this guide, you will configure GitHub Enterprise audit log streaming to forward audit and Git events to Radiant Security via Amazon S3. GitHub Enterprise's audit log records security-relevant activity across your enterprise, including sign-ins, repository actions, organization and team changes, branch protection changes, and OAuth and personal access token activity, and can stream these events to an S3 bucket in near-real time. This integration covers both **GitHub Enterprise Cloud** and **GitHub Enterprise Server**.

### Prerequisites

* [ ] AWS account with permissions to create or modify S3 buckets, SNS topics, and IAM policies
* [ ] Owner (enterprise administrator) access to GitHub Enterprise
* [ ] An S3 bucket where GitHub will store logs (follow this AWS guide to create one: [Create an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html))
* [ ] One of the following authentication methods for GitHub to write to your bucket:
  * **OpenID Connect (recommended)**. An IAM role and an IAM identity provider for GitHub's audit-log OIDC issuer. No long-lived credentials are stored on GitHub
  * **Access keys**. An IAM user with an Access Key ID and Secret Access Key that has `s3:PutObject` permission on the bucket
* [ ] Administrator role in Radiant Security

### Configure GitHub Enterprise

#### **Prepare the AWS side**

Ensure that you have your S3 bucket information at hand. Block all public access on the bucket. GitHub writes audit log files into your bucket as gzipped JSON-line files with the extension `.json.log.gz`. Radiant decompresses these on ingestion.

For full vendor instructions, refer to GitHub's documentation on [Streaming the audit log for your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise).

Choose one of the following authentication methods.

{% tabs %}
{% tab title="OpenID Connect (recommended)" %}

1. In the AWS IAM console, create a new **OpenID Connect identity provider** with the following values:
   * **Provider URL**: `https://oidc-configuration.audit-log.githubusercontent.com`
   * **Audience**: `sts.amazonaws.com`
2. Create an IAM role that trusts the OIDC provider you just created, scoped to your GitHub enterprise. Use the trust policy template provided in [GitHub's documentation](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise).
3. Attach a policy to the role that allows `s3:PutObject` on your bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGitHubAuditLogPutObject",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
    }
  ]
}
```

4. Replace `<YOUR_BUCKET_NAME>` with the bucket you created. Save the **Role ARN**. You will need it when configuring GitHub.
   {% endtab %}

{% tab title="Access keys" %}

1. Create an IAM user dedicated to this integration (for example, `github-audit-log-streaming`).
2. Attach a policy to the user that allows `s3:PutObject` on your bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGitHubAuditLogPutObject",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
    }
  ]
}
```

3. Replace `<YOUR_BUCKET_NAME>` with the bucket you created.
4. Generate an **Access Key ID** and **Secret Access Key** for the user. Store both securely. You will need them when configuring GitHub.
   {% endtab %}
   {% endtabs %}
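
The following check is an added example, not part of GitHub's or Radiant Security's tooling. It audits the write policy from either tab before you attach it, flagging any action other than `s3:PutObject`, any resource outside your bucket, and a placeholder left unreplaced. The function names and the over-broad `BROAD` policy are constructed for illustration.

```python
import json

ALLOWED_ACTIONS = {"s3:putobject"}  # the guide grants only s3:PutObject

# Policy from this guide, placeholder still in place.
TEMPLATE = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowGitHubAuditLogPutObject", "Effect": "Allow",
  "Action": ["s3:PutObject"],
  "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"}]}"""
# Constructed over-broad variant, for contrast.
BROAD = """{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow", "Action": "s3:*", "Resource": "*"}}"""


def as_list(value):
    """IAM accepts either one value or a list for Statement, Action, Resource."""
    return list(value) if isinstance(value, list) else [value]


def audit_write_policy(policy_json, bucket):
    """Return findings; an empty list means the policy matches the guide."""
    findings = []
    prefix = f"arn:aws:s3:::{bucket}/"  # assumes the standard "aws" partition
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
            continue
        for action in as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:  # action names are case-insensitive
                findings.append(f"statement {i}: unexpected action {action}")
        for resource in as_list(stmt.get("Resource", [])):
            if "<" in resource:
                findings.append(f"statement {i}: placeholder left in {resource}")
            elif not resource.startswith(prefix):
                findings.append(f"statement {i}: {resource} is not limited to bucket {bucket}")
    return findings


if __name__ == "__main__":
    bucket = "radiant-github-audit-logs"  # example bucket name from this guide
    filled = TEMPLATE.replace("<YOUR_BUCKET_NAME>", bucket)
    for name, doc in [("template", TEMPLATE), ("filled in", filled), ("broad", BROAD)]:
        print(name, audit_write_policy(doc, bucket) or "OK")
```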

#### **Configure audit log streaming in GitHub**

For detailed vendor instructions, refer to [Streaming the audit log for your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise).

1. Sign in to GitHub as an enterprise owner and navigate to your enterprise.
2. On the top menu bar, click **Settings**.
3. In the left sidebar, click **Audit log**, then click **Log streaming**.
4. Click **Configure stream** and select **Amazon S3**.
5. Configure the connection:
   * **Bucket**: your S3 bucket name (for example, `radiant-github-audit-logs`)
   * **Region**: the AWS region where your bucket is located
   * **Authentication**:
     * If using OpenID Connect, select **OpenID Connect** and enter the **Role ARN** you saved when preparing the AWS side.
     * If using access keys, select **Access keys** and enter the **Access Key ID** and **Secret Access Key** you generated when preparing the AWS side.
6. Click **Check endpoint** to verify GitHub can connect and write to the bucket.
7. Once the check succeeds, click **Save**.

#### **Confirm logs are arriving**

Wait a few minutes, then open your S3 bucket. You should see GitHub-written objects with names ending in `.json.log.gz` accumulating in your bucket.

{% hint style="info" %}
If no objects appear within approximately 10 minutes, return to **Audit log** > **Log streaming** in GitHub and re-run **Check endpoint**.
{% endhint %}
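
To go beyond checking that objects exist, the following added example (not part of GitHub's or Radiant Security's tooling) inspects one downloaded object: it confirms the `.json.log.gz` suffix, decompresses it, and parses each line as JSON. The sample object, its key, and the `action`, `actor` and `@timestamp` fields are constructed for illustration.

```python
import gzip
import json
import zlib
from collections import Counter

EXPECTED_SUFFIX = ".json.log.gz"  # extension this guide says GitHub writes


def inspect_audit_object(key, body):
    """Check one downloaded object (key name plus raw bytes); return a summary."""
    summary = {"key": key, "suffix_ok": key.endswith(EXPECTED_SUFFIX),
               "events": 0, "bad_lines": [], "actions": Counter(), "error": None}
    try:
        text = gzip.decompress(body).decode("utf-8")
    except (OSError, EOFError, zlib.error, UnicodeDecodeError) as exc:
        # Wrong magic bytes, truncated upload, corrupt stream, or non-UTF-8 data.
        summary["error"] = f"not a readable gzip stream: {exc}"
        return summary
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines between events
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            summary["bad_lines"].append(lineno)  # each line must be one JSON object
            continue
        summary["events"] += 1
        summary["actions"][event.get("action", "<missing>")] += 1
    return summary


def sample_object():
    """Constructed sample: two valid events and one cut-off line, gzipped."""
    lines = [
        json.dumps({"@timestamp": 1700000000000, "action": "repo.create", "actor": "octocat"}),
        json.dumps({"@timestamp": 1700000001000, "action": "git.clone", "actor": "octocat"}),
        '{"action": "truncated',
    ]
    return gzip.compress("\n".join(lines).encode("utf-8"))


if __name__ == "__main__":
    print(inspect_audit_object("sample.json.log.gz", sample_object()))
```

An `error` value or a non-empty `bad_lines` list on a real object is worth resolving before you configure the Radiant Security connector, since ingestion expects the same gzipped JSON-lines format.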

#### **Note your configuration details**

Save the following information. You will need it for the next steps.

* S3 bucket name
* S3 bucket path or prefix (for GitHub Enterprise this is typically the bucket root, unless you scoped the role to a sub-prefix)
* AWS region where your bucket is located

### Configure S3 and add the data connector in Radiant Security

Now that GitHub is writing audit logs to your S3 bucket, complete the setup by following the [Configure Amazon S3 to forward logs to Radiant Security](/radiant-connectors/data-connectors/configure-amazon-s3-to-forward-logs-to-radiant-security.md) guide. That guide walks through:

1. Configuring the bucket policy and creating an SNS topic.
2. Adding the **Amazon Web Services S3** data connector in Radiant Security.
3. Configuring S3 event notifications so new objects trigger ingestion.

When working through that guide, use the following GitHub-specific values:

* **Data feed**: select **GitHub Enterprise**.
* **Expected file extension**: `.json.log.gz`. Logs written by GitHub already match this format.
* **Event notification prefix**: match the location where GitHub is writing in your bucket. For most GitHub Enterprise configurations this is the bucket root, unless you scoped the IAM role or access key to a sub-prefix.


