Applies to BloodHound Enterprise and CE

This page covers configuring the OpenHound GitHub collector for your GitHub organization or enterprise account. Use this page to choose an authentication method and configure the collector settings in the secrets.toml file or environment variables.

Prerequisites

The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users, for now.

Configure OpenHound

The GitHub collector needs different settings based on the authentication method you choose. You can set those values in one of two places:

| Method | Set the values here |
| --- | --- |
| secrets.toml file | [sources.source.github.credentials] section |
| Environment variables | SOURCES__SOURCE__GITHUB__CREDENTIALS |

Click the tab that matches your authentication setup for details and example configurations.
Use this option when you need enterprise-scoped collection.

| Setting | Description | Environment Variable |
| --- | --- | --- |
| client_id | The GitHub App Client ID used to authenticate to the GitHub API. | SOURCES__SOURCE__GITHUB__CREDENTIALS__CLIENT_ID |
| app_id | The GitHub App ID used to authenticate to the GitHub API. | SOURCES__SOURCE__GITHUB__CREDENTIALS__APP_ID |
| key_path | The path to the GitHub App private key file. | SOURCES__SOURCE__GITHUB__CREDENTIALS__KEY_PATH |
| enterprise_name | The slug of the GitHub enterprise to collect data from. | SOURCES__SOURCE__GITHUB__CREDENTIALS__ENTERPRISE_NAME |
| api_uri | The GitHub API base URI. For GitHub.com, use https://api.github.com. | SOURCES__SOURCE__GITHUB__CREDENTIALS__API_URI |

secrets.toml
[sources.source.github.credentials]
client_id = "your-client-id"
app_id = "your-app-id"
key_path = "/path/to/private/key.pem"
enterprise_name = "your-enterprise-slug"
api_uri = "https://api.github.com"
Environment variables
SOURCES__SOURCE__GITHUB__CREDENTIALS__CLIENT_ID=your-client-id
SOURCES__SOURCE__GITHUB__CREDENTIALS__APP_ID=your-app-id
SOURCES__SOURCE__GITHUB__CREDENTIALS__KEY_PATH=/path/to/private/key.pem
SOURCES__SOURCE__GITHUB__CREDENTIALS__ENTERPRISE_NAME=your-enterprise-slug
SOURCES__SOURCE__GITHUB__CREDENTIALS__API_URI=https://api.github.com
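
A pre-flight check for the settings above, as an added example (not OpenHound code): it flags missing values, leftover sample placeholders, a non-HTTPS api_uri, and a GitHub App private key file that group or other users can access. The function names creds_from_env and check_credentials are hypothetical; to check a secrets.toml instead, pass the [sources.source.github.credentials] section to check_credentials as a dict.

```python
import os
import stat
from urllib.parse import urlsplit

# Prefix and setting names are the ones listed in the settings table above.
PREFIX = "SOURCES__SOURCE__GITHUB__CREDENTIALS__"
REQUIRED = ("client_id", "app_id", "key_path", "enterprise_name", "api_uri")
# The placeholder values used in the page's sample configuration.
PLACEHOLDERS = {"your-client-id", "your-app-id", "your-enterprise-slug",
                "/path/to/private/key.pem"}


def creds_from_env(environ):
    """Collect the collector's settings from PREFIX-ed environment variables."""
    return {k[len(PREFIX):].lower(): v
            for k, v in environ.items() if k.startswith(PREFIX)}


def check_credentials(creds):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name in REQUIRED:
        value = creds.get(name, "")
        if not value:
            findings.append(f"{name}: missing")
        elif value in PLACEHOLDERS:
            findings.append(f"{name}: still the sample placeholder")

    api_uri = creds.get("api_uri", "")
    uri = urlsplit(api_uri)
    if api_uri and (uri.scheme != "https" or not uri.hostname):
        findings.append("api_uri: must be an https:// URL")

    key_path = creds.get("key_path", "")
    if key_path and key_path not in PLACEHOLDERS:
        try:
            st = os.stat(key_path)
        except OSError:
            findings.append("key_path: file not found or unreadable")
        else:
            if not stat.S_ISREG(st.st_mode):
                findings.append("key_path: not a regular file")
            elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("key_path: readable by group/other, chmod 600")
    return findings


if __name__ == "__main__":
    for finding in check_credentials(creds_from_env(os.environ)) or ["ok"]:
        print(finding)
```

The permission check relies on POSIX mode bits, so it applies to Linux and macOS hosts.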

Running OpenHound and Collecting Data

After you set the required configuration parameters, run OpenHound to start the collector and collect data from your GitHub organization or enterprise. The collector will generate JSON files in the output directory that can be uploaded to BloodHound for analysis.
Large GitHub organizations or enterprises can trigger GitHub’s API rate limits during collection. If you see failed or retried requests, tune the HTTP request parameters to ride out rate limits instead of failing the run.