GitHub

This article explains how Pensero connects to GitHub, what information is used, and how GitHub activity becomes part of your team’s delivery signals.

Written by Wayne

Overview

Pensero connects to your GitHub organization to understand how engineering work actually gets delivered.

We read metadata from Pull Requests and linked issues, not source code. This allows Pensero to reconstruct real units of work, understand collaboration and effort, and surface delivery signals that are consistent across individuals, teams, and leadership.

Setup is handled by an administrator from the Integrations section and takes only a few minutes.

What Pensero Reads from GitHub

Pensero reads metadata only. We never store or inspect your source code.

From each Pull Request, Pensero captures:

  • PR title and number

  • State (open, draft, merged, closed)

  • Description and references

  • Key timestamps (created, first comment, approval, merge)

  • Author and reviewers

  • Source and target branches

  • Linked tickets or issues

  • Diff metrics (files changed, lines added or removed, summary only)

This information gives context on what was delivered, how complex it was, and how work flowed through reviews, without exposing code.

Permissions Required

To function correctly, Pensero requests the following GitHub OAuth permissions:

Scope: What it does

  • repo: Read access to repositories (PRs, issues, commits, branches)

  • read:project: Read access to GitHub projects

  • read:user: Read access to user profile

  • read:org: Read access to organization and team information

Important: Pensero only reads. It never writes.

Even though GitHub's repo scope technically allows write access, Pensero does not use it. GitHub does not offer a more limited scope for reading Pull Request data via OAuth. This is a GitHub platform limitation, not a choice on our side. We request the minimum permissions GitHub allows to do what we need.

These permissions let Pensero understand how your team collaborates and delivers, such as PR review activity, comments, and cycle times. Pensero does not modify your code, repositories, or any GitHub content.
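
A reviewer who wants to compare a granted token against the scopes listed above can use the X-OAuth-Scopes response header that GitHub returns for classic OAuth and personal access tokens. The following is an added example, not Pensero's code: the baseline set is this page's scope list, the sample header values are constructed, and treating only "read:" scopes as read-only is an assumption made for the check.

```python
# Baseline: the four scopes this page says Pensero requests.
EXPECTED_SCOPES = {"repo", "read:project", "read:user", "read:org"}


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value into a set of scope names."""
    if header_value is None:
        return None  # header absent: no scope list was returned for this token
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_scopes(header_value, expected=EXPECTED_SCOPES):
    """Compare the granted scopes with the documented baseline."""
    granted = parse_scopes(header_value)
    if granted is None:
        return {"status": "no-scope-header"}
    # Heuristic (assumption): only scopes named "read:*" are read-only by name.
    # Everything else, including "repo", carries more than read access.
    beyond_read = sorted(s for s in granted if not s.startswith("read:"))
    unexpected = sorted(granted - expected)
    missing = sorted(expected - granted)
    status = "matches-baseline" if not unexpected and not missing else "drift"
    return {"status": status, "unexpected": unexpected,
            "missing": missing, "beyond_read": beyond_read}


# Constructed sample header values (not captured from a real token).
# A real value can be read from the response headers of, for example:
#   curl -sI -H "Authorization: Bearer $TOKEN" https://api.github.com/user
SAMPLE_DOCUMENTED = "repo, read:org, read:project, read:user"
SAMPLE_DRIFTED = "repo, read:org, read:user, admin:org, workflow"

if __name__ == "__main__":
    for label, value in [("documented", SAMPLE_DOCUMENTED),
                         ("drifted", SAMPLE_DRIFTED),
                         ("absent", None)]:
        print(label, audit_scopes(value))
```

The "beyond_read" list always contains repo for the documented set, which is the write-capable grant the section above describes.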

Self-service vs. Enterprise

For self-service onboarding, Pensero uses GitHub OAuth. If you are on the Enterprise tier and prefer a more controlled integration, we also support a GitHub App setup. This gives your team more granular control over which repositories Pensero can access. Talk to your account team if you want to go that route after your initial setup.

What Pensero Derives from GitHub

Using GitHub metadata, Pensero derives workflow signals such as:

  • Time to First Comment

  • Time to Approve

  • Time to Merge

  • Diff summaries used for code understanding

These signals help you spot review bottlenecks, approval delays, and structural slowdowns, using real delivery data.

How Pensero Organizes Work

GitHub activity is never analyzed in isolation.

Pensero assembles work into structured units:

  • Items: individual PRs or issues

  • Chunks: related work from a single contributor

  • Superchunks: shared delivery packages involving multiple contributors

This structure reflects how work actually happens across people and tools, ensuring delivery insights scale from individuals to teams and the company.

How to Connect GitHub

First-Time Setup

Step 1 - Go to Integrations

From the left sidebar, open Integrations in Pensero.

Step 2 - Complete GitHub Authentication

Find GitHub in the list and click Connect.

You must be a GitHub Organization Owner to complete the installation.

Step 3 - Grant Permissions

Follow GitHub’s OAuth prompts and grant the required permissions.

Step 4 - Select Repositories

Choose which repositories Pensero should analyze.

You can update this selection anytime from the GitHub integration settings.

Adding New Repositories Later

  1. Go to Integrations

  2. Click Manage GitHub

  3. Select additional repositories to connect

New repositories will be ingested during the next sync.

Troubleshooting

OAuth “Grant Access” stuck with infinite spinner

This typically occurs when SAML SSO is enabled in your GitHub organization.

To resolve:

  1. Ensure you are logged in with an active SAML session.

  2. Visit:

    (Replace {yourOrgName} with your actual org name.)

  3. Reattempt installation.

Why Forked Repositories May Not Be Visible

GitHub applies stricter security rules to repositories that are forks of external organizations.

  • Accessing a forked repo requires your Personal Access Token to be explicitly approved through SAML SSO.

To resolve:

  1. Request access to the original (parent) organization.

  2. Authorize Pensero’s GitHub OAuth token here:

  3. Ask the parent organization owner to approve your request:

Think of the organization’s security policy as a border checkpoint:

  • Internal Travel (Accessing a regular private repo): When your token accesses a repository that was created inside your organization and has no external parents, it’s like traveling within the country’s borders. The security check is standard, and your token (with the right scopes) is allowed through.

  • International Travel (Accessing a forked repo): When your token tries to access a fork of an external repository, GitHub sees that this resource has a “foreign” connection to the parent organization. This is like trying to cross an international border. The original organization’s policy flags this action and says, “Wait, for any international travel, we require a special visa.”

In this analogy, the “special visa” is the SAML SSO authorization on your Personal Access Token. The policy is designed to prevent potential data leakage or unauthorized interactions with external entities, so it applies a stricter check on forked repositories.

Instructions for the User Who Added the GitHub Account to Pensero

The original organization’s security policy requires your Personal Access Token to be explicitly authorized via SAML Single Sign-On before it can be used to access repositories that are forked from external organizations.

  1. Request access to the original organization: If your fork (my_org/repository) has a parent path of original_org/repository, you need to have access to the original_org organization. Member access is sufficient.

  2. Request grant access for Pensero Git Repos OAuth: Once member access is granted, you need to request grant access for Pensero Git Repos OAuth on behalf of your OAuth token. To do this, go to https://github.com/settings/connections/applications/Ov23liAtOAfOtnLhJypa. You will see a list of organizations that have access. Click on Grant to request access for the original_org.

  3. Organization owner approval: The organization owner of original_org must approve your request at this link: https://github.com/organizations/original_org/settings/oauth_application_policy (replace original_org with the actual parent fork organization name). They will see the request as Pensero Git Repos OAuth.
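
When a token has not been authorized for a SAML-protected organization, the GitHub REST API signals it in the X-GitHub-SSO response header: "required" with an authorization URL on a 403, or "partial-results" with organization IDs when a listing silently omits resources. The following is an added example, not Pensero's code, that classifies a response from those headers; the sample header values are constructed and original_org is this page's placeholder name.

```python
def parse_sso_header(value):
    """Parse an X-GitHub-SSO header value into (state, params)."""
    if not value:
        return None, {}
    state, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        # Split on the first "=" only, so a URL with its own query string survives.
        key, sep, val = part.strip().partition("=")
        if sep:
            params[key] = val
    return state.strip(), params


def diagnose(status_code, headers):
    """Classify an API response as blocked, filtered or unaffected by SAML SSO."""
    sso = next((v for k, v in headers.items() if k.lower() == "x-github-sso"), None)
    state, params = parse_sso_header(sso)
    if state == "required":
        return {"finding": "token-not-sso-authorized", "authorize_url": params.get("url")}
    if state == "partial-results":
        org_ids = [o for o in params.get("organizations", "").split(",") if o]
        return {"finding": "results-hidden-by-sso", "org_ids": org_ids}
    if status_code in (403, 404):
        return {"finding": "denied-without-sso-hint"}
    return {"finding": "ok"}


# Constructed sample responses (not captured from a real organization).
SAMPLE_REQUIRED = {"X-GitHub-SSO": "required; url=https://github.com/orgs/"
                                   "original_org/sso?authorization_request=EXAMPLE"}
SAMPLE_PARTIAL = {"x-github-sso": "partial-results; organizations=1111,2222"}

if __name__ == "__main__":
    print(diagnose(403, SAMPLE_REQUIRED))
    print(diagnose(200, SAMPLE_PARTIAL))
    print(diagnose(200, {"Content-Type": "application/json"}))
```

A "results-hidden-by-sso" finding on a repository listing matches the symptom described above, where forked repositories do not appear even though the request succeeds.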
