Configure the GitHub Application Vulnerability Integration
Complete the installation and configuration steps before you run the integration on your instance, so that the GitHub product integrates correctly with Application Vulnerability Response. This application is available as a separate subscription.
Before you begin
- Role required: member of the App-Sec Manager user group
- The sn_vul.app_sec_manager role is also required for the OAuth setup
Procedure
- Navigate to All > Github Vulnerability Integration > Configuration.
- Choose Basic Authentication or OAuth for Authentication type.
  - Basic authentication requires a MID Server for on-premise instances. Generate the API token required for Basic authentication from your GitHub account.
  - OAuth requires the OAuth App, credential, and connection setup described in Creating OAuth 2.0 credentials for GitHub Apps - JWT for the GitHub Application Vulnerability Integration.
- Fill in the fields based on the type you choose.
Basic Authentication
Table 1. Basic Authentication fields
- API URL: The GitHub API URL for your Enterprise or on-premise environment. The default URL is https://api.github.com. For on-premise GitHub, enter your own GitHub API endpoint URL.
- API Token: The token you generated from your GitHub console.
- API Type: Choose one:
  - Organization: Import data for a single organization, identified by name. A GitHub environment can contain multiple organizations, and each organization can contain multiple repositories. If you enter an organization, only data from that organization is imported.
  - Enterprise: Import vulnerability data from all the organizations in your Enterprise (Cloud) environment. The Enterprise environment supports multiple organizations.
- Organisation Name: The name of the GitHub organization that owns your repositories (not a repository name). Only data from the repositories in the organization you enter is imported.
- MID Server: Required for on-premise instances when you use Basic Authentication.
- Select options to manage Exception management and False positives: Choose whether exception management and false positives for application vulnerable items (AVIs) are handled by ServiceNow workflows automatically upon import.
  - Manage exceptions in ServiceNow: Leave this option activated if you want to triage imported AVIs marked for the Deferred state. AVIs with Source states that normally map to a Deferred state in your instance are instead mapped to Open, and you request an exception from the AVI record.
  - Manage false positives in ServiceNow: Leave this option activated if you want to triage imported AVIs with Source states marked as False Positive or Potential False Positive. AVIs with these Source states, which normally map to a Closed state in your instance, are instead mapped to Open, and you request a False positive from the AVI record.
  - Deactivate one or both check boxes if you want to preserve the Source states imported from your scanner. If deactivated, the Request exception and False Positive actions are not visible on AVIs.
- Integration Instance: The instance into which you are importing data.
OAuth
Table 2. OAuth fields
- API URL: The GitHub API URL for your Enterprise or on-premise environment. The default URL is https://api.github.com. For on-premise GitHub, enter your own GitHub API endpoint URL.
- Connection: The connection you created as described in Creating OAuth 2.0 credentials for GitHub Apps - JWT for the GitHub Application Vulnerability Integration.
- API Type: Choose one:
  - Organization: Import data for a single organization, identified by name. A GitHub environment can contain multiple organizations, and each organization can contain multiple repositories. If you enter an organization, only data from that organization is imported.
  - Enterprise: Import vulnerability data from all the organizations in your Enterprise (Cloud) environment. The Enterprise environment supports multiple organizations. Note: GitHub Apps do not support Enterprise-level APIs, so this option is not usable with OAuth.
- Organisation Name: The name of the GitHub organization that owns your repositories. Only data from the repositories in the organization you enter is imported.
- Select options to manage Exception management and False positives: Choose whether exception management and false positives for application vulnerable items (AVIs) are handled by ServiceNow workflows automatically upon import.
  - Manage exceptions in ServiceNow: Leave this option activated if you want to triage imported AVIs marked for the Deferred state. AVIs with Source states that normally map to a Deferred state in your instance are instead mapped to Open, and you request an exception from the AVI record.
  - Manage false positives in ServiceNow: Leave this option activated if you want to triage imported AVIs with Source states marked as False Positive or Potential False Positive. AVIs with these Source states, which normally map to a Closed state in your instance, are instead mapped to Open, and you request a False positive from the AVI record.
  - Deactivate one or both check boxes if you want to preserve the Source states imported from your scanner. If deactivated, the Request exception and False Positive actions are not visible on AVIs.
- Select Save and Test credentials.
- Run the GitHub Repos Integration before running the other integrations. The other GitHub integrations depend on current application data imported from the Repos Integration. Data from the Repos Integration is stored in the Discovered Applications [sn_vul_app_release] table. See View the GitHub Application Vulnerability Integration import run status and imported repository data for more information.
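The following is an added example, not ServiceNow's integration code, that models the decisions on this page so you can reason about them before pressing Save and Test credentials: the consistency rules between Authentication type, API Type and the other fields (including that a GitHub App cannot use the Enterprise API Type), the GitHub Dependabot alerts endpoint each API Type polls, and what the two "Manage ... in ServiceNow" check boxes do to an imported AVI's state. The endpoint paths are the public GitHub REST API; the field names, the enterprise slug, the mapping of GitHub dismissal reasons to the Source-state labels, and the default Source-state-to-AVI-state table are assumptions for illustration.

```javascript
'use strict';

const DEFAULT_API_URL = 'https://api.github.com';

// Check the configuration form for the inconsistencies this page warns about.
// Returns an array of problem strings; an empty array means the form is consistent.
function validateConfig(cfg) {
  const problems = [];
  let url = null;
  try {
    url = new URL(cfg.apiUrl || DEFAULT_API_URL);
  } catch (e) {
    problems.push('API URL is not a valid URL');
  }
  if (url && url.protocol !== 'https:') problems.push('API URL must use https');
  // Any API host other than GitHub.com is treated as on-premise (assumption).
  const onPremise = url !== null && url.hostname !== 'api.github.com';

  if (cfg.authType === 'basic') {
    if (!cfg.apiToken) problems.push('API Token is required for Basic Authentication');
    if (onPremise && !cfg.midServer) problems.push('MID Server is required for on-premise Basic Authentication');
  } else if (cfg.authType === 'oauth') {
    if (!cfg.connection) problems.push('Connection is required for OAuth');
    if (cfg.apiType === 'enterprise') problems.push('GitHub Apps do not support Enterprise-level APIs; choose Organization');
  } else {
    problems.push('Authentication type must be basic or oauth');
  }

  if (cfg.apiType === 'organization') {
    if (!cfg.organization) problems.push('Organisation Name is required for API Type Organization');
  } else if (cfg.apiType === 'enterprise') {
    if (!cfg.enterprise) problems.push('Enterprise slug is required for API Type Enterprise'); // assumed field
  } else {
    problems.push('API Type must be organization or enterprise');
  }
  return problems;
}

// Dependabot alerts endpoint polled for the chosen API Type (public GitHub REST API paths).
function alertsUrl(cfg) {
  const base = (cfg.apiUrl || DEFAULT_API_URL).replace(/\/+$/, '');
  if (cfg.apiType === 'enterprise') {
    return base + '/enterprises/' + encodeURIComponent(cfg.enterprise) + '/dependabot/alerts?per_page=100';
  }
  return base + '/orgs/' + encodeURIComponent(cfg.organization) + '/dependabot/alerts?per_page=100';
}

// Normalise a GitHub alert into one of the Source-state labels the page uses.
// Which dismissal reason becomes which label is an assumption for illustration.
function sourceStateFromAlert(alert) {
  if (alert.state === 'open') return 'Open';
  if (alert.state === 'fixed') return 'Fixed';
  if (alert.state === 'auto_dismissed') return 'Deferred';
  if (alert.state === 'dismissed') {
    return alert.dismissed_reason === 'inaccurate' ? 'False Positive' : 'Deferred';
  }
  throw new Error('unexpected alert state: ' + alert.state);
}

// Where each Source state lands when both check boxes are deactivated,
// i.e. the scanner's state is preserved (assumed defaults).
const DEFAULT_STATE_MAP = {
  'Open': 'Open',
  'Fixed': 'Closed',
  'Deferred': 'Deferred',
  'False Positive': 'Closed',
  'Potential False Positive': 'Closed',
};

// Apply the two check boxes: when active, a state that would otherwise be
// Deferred or Closed becomes Open so the AVI is triaged in ServiceNow instead.
function mapSourceState(sourceState, opts) {
  const target = DEFAULT_STATE_MAP[sourceState];
  if (target === undefined) throw new Error('unknown source state: ' + sourceState);
  if (opts.manageExceptions && target === 'Deferred') return 'Open';
  const isFalsePositive = sourceState === 'False Positive' || sourceState === 'Potential False Positive';
  if (opts.manageFalsePositives && isFalsePositive) return 'Open';
  return target;
}

// For each alert, the AVI state after import and which record actions are visible.
function triageAlerts(alerts, opts) {
  return alerts.map(function (alert) {
    const sourceState = sourceStateFromAlert(alert);
    return {
      number: alert.number,
      sourceState: sourceState,
      state: mapSourceState(sourceState, opts),
      requestExceptionVisible: Boolean(opts.manageExceptions),
      falsePositiveVisible: Boolean(opts.manageFalsePositives),
    };
  });
}

// Constructed sample alerts in the shape returned by the Dependabot alerts API.
const SAMPLE_ALERTS = [
  { number: 1, state: 'open' },
  { number: 2, state: 'dismissed', dismissed_reason: 'tolerable_risk' },
  { number: 3, state: 'dismissed', dismissed_reason: 'inaccurate' },
  { number: 4, state: 'fixed' },
];
```

Running triageAlerts(SAMPLE_ALERTS, ...) with both check boxes activated re-opens alerts 2 and 3 for triage in ServiceNow; with both deactivated, alert 2 stays Deferred, alert 3 stays Closed, and the Request exception and False Positive actions are hidden.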