Connect your GitHub repo
Your live site shows us symptoms; your repo shows us causes. Connecting it lets us scan your dependencies for known vulnerabilities and your code for leaked secrets — the two things most likely to hurt a shipped-fast app.
How to connect
On your app's Setup tab, click Connect GitHub repo. You'll be sent to GitHub to install the Tell Me When Down GitHub App — install it on just the one repository the app lives in (you can add more later). Back in the dashboard, pick the repo from the list and you're done. The first scan starts immediately.
Connecting a repo also counts as ownership verification, so if you haven't added the DNS record or meta tag, this covers it.
What access we get
- Read-only. Repository contents and metadata — nothing else. We can't push, open PRs, or change settings.
- Per-repository. You choose exactly which repos the app can see, and you can revoke it any time from GitHub's settings.
- Nothing is kept. Each scan fetches your code with a short-lived token, streams through it, and discards it. We store the findings, not your source.
What the scan looks for
- Vulnerable dependencies. Every pinned package in your lockfile is checked against the OSV.dev vulnerability database — the same data source your package manager's audit command uses, without you having to remember to run it.
- Leaked secrets. API keys, tokens, and credentials committed to the repo. If we find one, the finding comes with a warning to rotate it — deleting the file isn't enough once a secret has been in a commit.
- Your stack. We detect your frameworks and services (and things like cron configs), which makes findings and setup instructions specific to what you actually run.
How often it runs
Scans run on a schedule — daily on paid plans, weekly on the free plan — plus immediately when you first connect. Need one right now (say, right after fixing something)? Hit Scan now on the app page. There's a 10-minute cooldown between manual scans and a daily allowance that varies by plan, so the button is for "I just fixed it, check me" — the schedule handles the rest.
A scan that can't finish cleanly — the vulnerability database is unreachable, or a repo is too large to stream fully — reports what it found but never marks anything as resolved. A hiccup on our side will not quietly clear a real finding of yours.