GitHub Application Vulnerability Integration

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 8 minutes

    The GitHub Application Vulnerability Integration imports static application security testing (SAST) and software composition analysis (SCA) data so that you can view vulnerability alerts for the repositories in your GitHub environment.


    The GitHub Application Vulnerability Integration collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities and GitHub alerts in your instance.

    The GitHub environment supports multiple organizations. These organizations, both on-premise and Enterprise, might contain various departments, such as Engineering, Quality, Documentation, and so on. Each organization, in turn, can support multiple repositories. After you import your application data with the GitHub Repos Integration, you can import vulnerability and alert data from these repositories. Imported data is processed like an application in the Application Vulnerability Response application. When scanners detect vulnerabilities and generate alerts for the repositories, vulnerabilities are created in Application Vulnerability Response.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Available versions

    Release version                                 Release notes

    GitHub Application Vulnerability Integration    v1.2, v1.1, v1.0

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    GitHub integrations

    GitHub Repos Integration
        Starting with v1.1, imports all the application data for your GitHub on-premise and Cloud (Enterprise) accounts. The integration imports applications from the repositories you have configured for an Organization (on-premise) or from your Enterprise (Cloud) environment.

        Run this integration before running the other GitHub integrations, because they depend on the current application data imported from the Repos Integration.

    GitHub CodeScan Integration
        Retrieves code scanning vulnerability alerts from GitHub repositories for security vulnerabilities and coding errors. Imported data is mapped to SAST results in your instance.

    GitHub Dependabot Integration
        Retrieves Dependabot alerts for dependencies with known vulnerabilities from repositories. Imported data is mapped to SCA results in your instance.

    GitHub Secret Scanning
        Retrieves secrets detected in your organization's code along with the application security testing results. The data is mapped to SCA results in your instance.

    GitHub Secret Scanning Location
        Retrieves the location and line numbers for the scanned secrets in your organization's code to help your developers remediate.

    Uploading SBOM files to the ServiceNow AI Platform® from your GitHub repositories

    Determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform® instance.

    • Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.
    • Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace.

    The SBOM applications must be installed before you can upload SBOM files. See Exploring Software Bill of Materials for more information.

    Viewing imported data

    Imported application data from the GitHub Repos Integration is displayed on the Discovered Applications [sn_vul_app_release] table. Run this integration first.

    The Repos Integration imports the tags and topics you have configured for a repository in your GitHub account from the Settings menu. Custom properties are located on the menu under your repository. Values you set for the properties are imported as key-value pairs. For more information on where to view this information in your instance, see View the GitHub Application Vulnerability Integration import run status and imported repository data.

    Imported data (findings) from the GitHub Dependabot Integration is displayed on the following tables.

    • Discovered Applications [sn_vul_app_release].
    • Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary].
    • Application Vulnerable Items [sn_vul_app_vulnerable_item].
    • Packages [sn_vul_app_package].

    Imported data from the GitHub CodeScan Integration is displayed on the following tables.

    • Discovered Applications [sn_vul_app_release].
    • Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary].
    • Application Vulnerability Entries [sn_vul_app_vul_entry].
    • Application Vulnerable Items [sn_vul_app_vulnerable_item].