GitHub Application Vulnerability Integration
Summary of GitHub Application Vulnerability Integration
The GitHub Application Vulnerability Integration facilitates the import of Static Application Security Testing (SAST) and Software Composition Analysis (SCA) data, enabling users to view and manage vulnerability alerts from their GitHub repositories within ServiceNow. This integration works seamlessly with the Application Vulnerability Response feature to track third-party vulnerabilities and alerts.
Key Features
- Multi-Organization Support: Integrates with multiple organizations within GitHub, including on-premise and Enterprise setups.
- Data Import: Imports application data, vulnerability alerts, and secrets from GitHub repositories into ServiceNow.
- Integration Types:
- GitHub Organisations Integration: Imports organizations into the Discovered Organizations table.
- GitHub Repos Integration: Imports application data from repositories; this must be executed first.
- GitHub CodeScan Integration: Retrieves vulnerability alerts related to code scanning.
- GitHub Dependabot Integration: Fetches alerts for dependencies with known vulnerabilities.
- GitHub Secret Scanning: Retrieves sensitive data and their locations in code.
- SBOM Upload: Supports uploading Software Bill of Materials (SBOM) files from CI/CD pipelines to enhance security during development.
Key Outcomes
By utilizing the GitHub Application Vulnerability Integration, ServiceNow customers can effectively manage application vulnerabilities, ensure compliance, and enhance the security posture of their applications through real-time alerts and a centralized view of vulnerabilities. Imported data is organized across various tables for easy access and remediation efforts, ensuring that security teams can respond swiftly to identified risks.
The GitHub Application Vulnerability Integration imports Static Application Security Testing (SAST) and Software Composition Analysis (SCA) data to help you view vulnerability alerts for the repositories in your GitHub environment.
GitHub Application Vulnerability Integration
The GitHub Application Vulnerability Integration collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities and GitHub alerts in your instance.
The GitHub environment supports multiple organizations. These organizations, both on-premise and Enterprise, might contain various departments, such as Engineering, Quality, Documentation, and so on. Each organization, in turn, can support multiple repositories. After you import your application data with the GitHub Repos Integration, you can import vulnerability and alert data from these repositories. Imported data is processed like an application in the Application Vulnerability Response application. When scanners detect vulnerabilities and generate alerts for the repositories, vulnerabilities are created in Application Vulnerability Response.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Available versions
| Release version | Release notes |
|---|---|
| GitHub Application Vulnerability Integration v1.2, v1.1, v1.0 | Application Vulnerability Response release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes. |
GitHub integrations
| Integration | Description |
|---|---|
| GitHub Organisations Integration | This integration imports the organisations that belong to the enterprise you listed while configuring GitHub. All the organisations are populated into the Discovered Organisations [sn_vul_discovered_org] table, which is introduced with this release. This integration uses the Enterprise-level APIs. |
| GitHub Repos Integration | Starting with v1.1, imports all the application data for your GitHub on-premise and Cloud (Enterprise) accounts. The integration imports applications from the repositories you have configured for an Organization (on-premise) or from your Enterprise (Cloud) environment. Run this integration before running the other GitHub integrations, because they depend on the current application data imported by the Repos Integration. |
| GitHub CodeScan Integration | Retrieves code scanning alerts for security vulnerabilities and coding errors from GitHub repositories. Imported data is mapped to SAST results in your instance. |
| GitHub Dependabot Integration | Retrieves Dependabot alerts for dependencies with known vulnerabilities from repositories. Imported data is mapped to SCA results in your instance. |
| GitHub Secret Scanning | Retrieves secrets detected in your organization's code along with the application security testing results. The data is mapped to SCA results in your instance. |
| GitHub Secret Scanning Location | Retrieves the location and line numbers of the detected secrets in your organization's code to help your developers remediate them. |
Uploading SBOM files to the ServiceNow AI Platform® from your GitHub repositories
Determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform® instance.
- Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.
- Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace.
The SBOM applications are required to upload SBOM files. See Exploring Software Bill of Materials for more information.
Viewing imported data
Imported application data from the GitHub Repos Integration is displayed on the Discovered Applications [sn_vul_app_release] table. Run this integration first.
The Repos Integration imports the tags and topics you have configured for a repository in your GitHub account from the Settings menu. Any custom properties are located under the Repository menu. Values you set for the properties are imported as key-value pairs. For more information on where to view this information in your instance, see View the GitHub Application Vulnerability Integration import run status and imported repository data.
Imported data (findings) from the GitHub Dependabot Integration is displayed on the following tables.
- Discovered Applications [sn_vul_app_release].
- Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary].
- Application Vulnerable Items [sn_vul_app_vulnerable_item].
- Packages [sn_vul_app_package].
Imported data from the GitHub CodeScan Integration is displayed on the following tables.
- Discovered Applications [sn_vul_app_release].
- Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary].
- Application Vulnerability Entries [sn_vul_app_vul_entry].
- Application Vulnerable Items [sn_vul_app_vulnerable_item].
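The following is an added example, written for this page and not code from ServiceNow or the integration itself, that models how the Dependabot (SCA) and CodeScan (SAST) imports above fan out into the tables listed, and why the Repos Integration has to run first: an alert whose repository has no Discovered Applications record cannot be mapped and is skipped. Only the table names come from this page; the record field names, the helper functions and all sample alerts are assumptions. The alert objects follow the shape of GitHub's REST payloads for Dependabot and code scanning alerts, trimmed to the fields used, with constructed identifiers.

```javascript
// Added example (not ServiceNow's or GitHub's code). Field names and sample data are
// assumptions made for illustration; only the bracketed table names are from the page.

// Constructed: records the Repos Integration would already have written to
// Discovered Applications [sn_vul_app_release].
const discoveredApplications = [
  { sys_id: 'app0001', name: 'acme/payments', repo_full_name: 'acme/payments' },
];

// Constructed Dependabot alerts (shape of GitHub's dependabot/alerts payload, trimmed).
const dependabotAlerts = [
  {
    repo: 'acme/payments', number: 7, state: 'open',
    dependency: { package: { ecosystem: 'npm', name: 'lodash' }, manifest_path: 'package-lock.json' },
    security_advisory: { ghsa_id: 'GHSA-0000-0000-0001', cve_id: null, summary: 'Constructed advisory A', severity: 'high' },
    security_vulnerability: { vulnerable_version_range: '< 4.17.21', first_patched_version: { identifier: '4.17.21' } },
  },
  {
    repo: 'acme/payments', number: 8, state: 'open',
    dependency: { package: { ecosystem: 'npm', name: 'lodash' }, manifest_path: 'package-lock.json' },
    security_advisory: { ghsa_id: 'GHSA-0000-0000-0002', cve_id: null, summary: 'Constructed advisory B', severity: 'critical' },
    security_vulnerability: { vulnerable_version_range: '< 4.17.21', first_patched_version: { identifier: '4.17.21' } },
  },
  {
    // A repository the Repos Integration has not imported yet: no application to map to.
    repo: 'acme/not-yet-imported', number: 1, state: 'open',
    dependency: { package: { ecosystem: 'pip', name: 'requests' }, manifest_path: 'requirements.txt' },
    security_advisory: { ghsa_id: 'GHSA-0000-0000-0003', cve_id: null, summary: 'Constructed advisory C', severity: 'medium' },
    security_vulnerability: { vulnerable_version_range: '< 2.32.0', first_patched_version: null },
  },
];

// Constructed code scanning alert (shape of GitHub's code-scanning/alerts payload, trimmed).
const codeScanAlerts = [
  {
    repo: 'acme/payments', number: 12, state: 'open',
    rule: { id: 'constructed/example-rule', severity: 'error', description: 'Constructed rule description' },
    tool: { name: 'CodeQL' },
    most_recent_instance: { location: { path: 'src/db.js', start_line: 42 } },
  },
];

// The alert integrations depend on application data from the Repos Integration.
function findApplication(repoFullName, apps) {
  const list = apps || discoveredApplications;
  return list.find((a) => a.repo_full_name === repoFullName) || null;
}

// One Scan Summary [sn_vul_app_vul_scan_summary] per application and source per run.
function summaryFor(out, app, source) {
  if (!out.scanSummaries[app.sys_id]) {
    out.scanSummaries[app.sys_id] = { application: app.sys_id, source: source, findings: 0 };
  }
  return out.scanSummaries[app.sys_id];
}

function importDependabot(alerts, apps) {
  const out = { scanSummaries: {}, vulnerableItems: [], packages: {}, skipped: [] };
  for (const alert of alerts || dependabotAlerts) {
    const app = findApplication(alert.repo, apps);
    if (!app) { out.skipped.push(alert.repo + '#' + alert.number); continue; }
    summaryFor(out, app, 'GitHub Dependabot').findings += 1;
    // Packages [sn_vul_app_package]: one record per distinct ecosystem/name pair.
    const pkg = alert.dependency.package;
    const pkgKey = pkg.ecosystem + ':' + pkg.name;
    if (!out.packages[pkgKey]) out.packages[pkgKey] = { ecosystem: pkg.ecosystem, name: pkg.name };
    // Application Vulnerable Items [sn_vul_app_vulnerable_item]: one SCA result per alert.
    const adv = alert.security_advisory;
    const fix = alert.security_vulnerability.first_patched_version;
    out.vulnerableItems.push({
      application: app.sys_id, result_type: 'SCA', source_id: 'dependabot:' + alert.number,
      vulnerability: adv.cve_id || adv.ghsa_id, severity: adv.severity, state: alert.state,
      package: pkgKey, manifest: alert.dependency.manifest_path,
      fixed_in: fix ? fix.identifier : null,
    });
  }
  return out;
}

function importCodeScan(alerts, apps) {
  const out = { scanSummaries: {}, vulnEntries: {}, vulnerableItems: [], skipped: [] };
  for (const alert of alerts || codeScanAlerts) {
    const app = findApplication(alert.repo, apps);
    if (!app) { out.skipped.push(alert.repo + '#' + alert.number); continue; }
    summaryFor(out, app, 'GitHub CodeScan').findings += 1;
    // Application Vulnerability Entries [sn_vul_app_vul_entry]: one per rule, shared by items.
    const rule = alert.rule;
    if (!out.vulnEntries[rule.id]) {
      out.vulnEntries[rule.id] = { id: rule.id, severity: rule.severity, description: rule.description };
    }
    // Application Vulnerable Items [sn_vul_app_vulnerable_item]: one SAST result per alert.
    const loc = alert.most_recent_instance.location;
    out.vulnerableItems.push({
      application: app.sys_id, result_type: 'SAST', source_id: 'code-scanning:' + alert.number,
      vulnerability: rule.id, tool: alert.tool.name, state: alert.state,
      file: loc.path, line: loc.start_line,
    });
  }
  return out;
}
```

Running `importDependabot()` on the constructed data yields two vulnerable items and a single package record (both alerts concern the same npm package), while the alert for the unimported repository lands in `skipped`; in practice that list is the signal that the Repos Integration has not been run, or has not yet picked up a new repository, rather than a reason to drop the alert silently.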