Documentation

Run Arbor like a security gate, not a toy reviewer.

This guide covers the AppSec workflow: installing the GitHub App, reading evidence packets, tuning policy, wiring branch protection, and handling unknown graph evidence honestly.

Quickstart

From install to first PR evidence.

Install the app

Install Arbor on the repositories you want monitored. Arbor needs code and PR read access, plus permission to post comments and commit statuses.

Open a PR

When you open a PR, Arbor analyzes the changed code and checks which security-sensitive operations it can reach. The analysis runs automatically in under 15 seconds.

Read the evidence

The PR comment shows reachable call paths, sensitive surfaces, required proof, and limitations. It should explain why the verdict exists.

Turn on enforcement

Start in monitor mode, move to review-required mode, then block only when your team trusts the policy and branch protection is wired.

Rollout

Recommended launch sequence.

Start by observing, not blocking. A security gate earns trust when reviewers can see that the findings match their own mental model.

When

Mode

What to do

Day 1

Monitor only

Install Arbor on one active repo. Do not block merges. Compare findings with what reviewers already discuss.

Days 2-4

Review required

Require security-owner review when auth, payment, PII, secrets, DB, or shell paths are reachable.

Week 2

Selective blocking

Block only critical reachable paths where proof is missing. Keep unknown confidence as review-required.

Week 3+

Audit trail

Export evidence for security review, SOC2 controls, and post-incident review.

Evidence Packet

What Arbor stores and posts.

Every PR analysis normalizes into an evidence packet. The UI can render partial packets; missing evidence should become a visible limitation.

SecurityEvidencePacketJSON

{
  "verdict": "review_required",
  "confidence": 0.82,
  "summary": "Payment path reachable from POST /checkout",
  "changedSecuritySurfaces": ["src/billing/charge.ts"],
  "reachableEntrypoints": ["POST /checkout"],
  "sensitiveCapabilities": ["payment", "db"],
  "callPaths": [
    {
      "entrypoint": "POST /checkout",
      "sink": "db.execute",
      "risk": "critical",
      "nodes": [
        "route.ts:POST",
        "validateRequest",
        "processCharge",
        "db.execute"
      ]
    }
  ],
  "requiredProof": [
    "Security owner approval",
    "Checkout integration test in staging",
    "Manual review of dynamic SQL builder path"
  ],
  "limitations": [
    "Dynamic import in billing adapter was not fully resolved"
  ]
}

Policy Modes

Choose the merge behavior deliberately.

Mode

Commit status

Use when

Monitor

Success

Post evidence without failing branch protection. Best for first rollout.

Review required

Failure for review/gate

Fail when Arbor needs human proof before merge.

Block

Failure for gate

Fail only when critical reachable paths are missing required proof.

Disabled

Skipped

No security status. Use only if another gate owns this workflow.

Branch Protection

Make the GitHub status enforceable.

1. Enable Arbor policy for the repo in the dashboard.

2. In GitHub, open Settings -> Branches -> Branch protection rules.

3. Add arbor/security as a required status check.

4. Start with Review Required mode. Move to Block mode only after one week of clean signal.

Configuration

Teach Arbor your local architecture.

The default classifier looks for common auth, payment, secrets, DB, network, filesystem, shell, and validation patterns. Use repo config to make the graph match your actual system.

.arbor/security.ymlYAML

# .arbor/security.yml
security:
  enabled: true
  mode: review
  block_critical_reachable: true
  require_security_owner: true
  require_integration_tests: true
  treat_unknown_as_review: true

  sensitive_paths:
    - pattern: "src/auth/**"
      category: auth
    - pattern: "src/billing/**"
      category: payment
    - pattern: "src/db/**"
      category: database
    - pattern: "src/workers/**"
      category: network

  sensitive_symbols:
    - verify_admin
    - process_payment
    - execute_raw_sql
    - decrypt_token

  owner_handles:
    - "@security-team"
    - "@payments-owner"

  ignore:
    - "test/**"
    - "vendor/**"
    - "**/*.test.ts"
    - "**/*.generated.*"

Surface

Examples

Default risk

auth

JWT, OAuth, login, session, password reset

Critical

payment

Checkout, billing, subscriptions, invoices

Critical

secrets

Keys, tokens, credentials, vault access

Critical

crypto

Encrypt, decrypt, signing, HMAC, TLS

Critical

database

Raw SQL, migrations, ORM writes, transactions

High

pii

Customer profile, email, address, account data

High

network

Webhooks, HTTP clients, CORS, proxies

Medium

filesystem

Upload, download, path joins, streams

Medium

shell

Command execution and process spawning

Critical

validation

Sanitizers, parsers, schema validation

Medium

Limitations

What Arbor should not overclaim.

Arbor is reachability and structural evidence. It is not a claim that every vulnerability has been found.
Dynamic imports, reflection, service locators, generated code, and runtime dependency injection can create unknown edges.
Macro-heavy, template-heavy, or generated source may parse partially depending on the language grammar.
A reachable path is not the same as tainted dataflow. Treat it as security review prioritization and merge proof.
If Arbor cannot resolve enough evidence, the correct behavior is review-required, not a silent pass.

Troubleshooting

Common launch issues.

Issue

Fix

No PR comment appears

Check GitHub App installation, webhook delivery logs, and whether the repo is included in the installation.

Status links feel wrong

Use the dashboard analysis page from the PR comment. Branch protection should require arbor/security.

Too many review-required results

Start by narrowing sensitivePathGlobs and ownerHandles. Keep unknown confidence visible while tuning.

A path looks missing

Add explicit sensitive path and symbol rules in .arbor/security.yml so Arbor can classify your local architecture.

Private repo says free plan

Upgrade the billing plan or move that repo into the allowed Team/Business entitlement.

API

Current integration surface.

Arbor is currently driven by GitHub App webhooks and authenticated dashboard proxy routes. Public API access is planned for teams that want to query reachability from CI, security tooling, and internal developer platforms.

PlannedPOST /reachability

Submit a repo, commit, and security sink. Receive reachable status, call path, limitations, and suggested proof.

{ "verdict": "review_required", "confidence": 0.82, "summary": "Payment path reachable from POST /checkout", "changedSecuritySurfaces": ["src/billing/charge.ts"], "reachableEntrypoints": ["POST /checkout"], "sensitiveCapabilities": ["payment", "db"], "callPaths": [ { "entrypoint": "POST /checkout", "sink": "db.execute", "risk": "critical", "nodes": [ "route.ts:POST", "validateRequest", "processCharge", "db.execute" ] } ], "requiredProof": [ "Security owner approval", "Checkout integration test in staging", "Manual review of dynamic SQL builder path" ], "limitations": [ "Dynamic import in billing adapter was not fully resolved" ] }

# .arbor/security.yml security: enabled: true mode: review block_critical_reachable: true require_security_owner: true require_integration_tests: true treat_unknown_as_review: true sensitive_paths: - pattern: "src/auth/**" category: auth - pattern: "src/billing/**" category: payment - pattern: "src/db/**" category: database - pattern: "src/workers/**" category: network sensitive_symbols: - verify_admin - process_payment - execute_raw_sql - decrypt_token owner_handles: - "@security-team" - "@payments-owner" ignore: - "test/**" - "vendor/**" - "**/*.test.ts" - "**/*.generated.*"