Skip to main content
Fixes land as pull requests in your own Infrastructure-as-Code repository. To enable that, you install the Agent0 GitHub App on the repos you want fixes to land in. The only thing 0Labs stores is the installation id — tokens are minted per operation with a ~1-hour TTL.

Connect a repo

The flow originates in the app so we can tie the install to your tenant.
1

Start in the app

Go to Settings → Remediation repositories → Connect GitHub repo.
2

Pick repos on GitHub

You’re sent to GitHub’s native install screen for the Agent0 App. Choose the account/org and select the specific repositories you want fixes to land in.
3

You're returned to the app

GitHub redirects you back and the connection completes. The repo shows Connected, and posture fixes for your tenant now route as PRs into that repo.

Tier-1 vs Tier-2

Tier-1 — your repo, edit in place

When a misconfigured resource is already defined in your connected IaC repo, the agent edits the existing code in place and opens the fix PR into your repo. This is the default and the preferred path.

Tier-2 — managed fallback

When a resource isn’t yet codified in your repo, the agent import-bootstraps it into a 0Labs-managed remediation repo (adopting the live resource into IaC and correcting it) as a fallback, so coverage isn’t blocked on full IaC adoption.

Permissions (least privilege)

The App requests only what it needs to open a PR:
PermissionAccessWhy
ContentsWriteCreate a branch and commit the fix.
Pull requestsWriteOpen the fix PR.
MetadataReadMandatory baseline (repo metadata).
No Actions, no admin, no organization permissions.
Merge ≠ apply. We open the PR; your CI plans; your pipeline applies on merge. 0Labs never applies infrastructure changes.

Revoke anytime

Uninstall the App from your GitHub settings (Settings → Applications → Installed GitHub Apps). It’s instant and requires no involvement from 0Labs — tokens stop minting the moment the installation is removed.