GitHub Application Vulnerability Integration

  • Release version: Yokohama
  • Updated April 30, 2026
  • The GitHub Application Vulnerability Integration imports static application security testing (SAST) and software composition analysis (SCA) data to help you view vulnerability alerts in the repositories in your GitHub environment.

    The GitHub Application Vulnerability Integration collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities and GitHub alerts in your instance.

    The GitHub environment supports multiple organizations. These organizations, both on-premise and Enterprise, might contain various departments, such as Engineering, Quality, Documentation, and so on. Each organization, in turn, can support multiple repositories.

    Generally, import organizational data first with the GitHub Organizations Integration, and then run the GitHub Repos Integration so that it imports the repository data for each organization. This order of execution is not mandatory, however, because your environment might be set up differently.

    After you import your application data with the GitHub Repos Integration, you can import vulnerability and alert data from these repositories. Imported data is processed like an application in the Application Vulnerability Response application. When scanners detect vulnerabilities and generate alerts for the repositories, vulnerabilities are created in Application Vulnerability Response.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Available versions

    Release version Release notes

    GitHub Application Vulnerability Integration

    Note:

    If you want to use a version of this application that is compatible with Unified Security Exposure Management (USEM), see Migrating from Vulnerability Response to Unified Security Exposure Management (USEM) for more information about USEM and the Unified Security Exposure Management migration.

    If you do not intend to upgrade to Unified Security Exposure Management, install a version of this application that is lower than v30.x, and do the same for upgrades to its supported third-party integration applications.

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    GitHub integrations

    Integration: description and ServiceNow AI Platform® tables, with notes

    • GitHub Organizations Integration: Imports GitHub organization records from GitHub into the Discovered Organizations [sn_vul_discovered_org] table.

      If you want to run this integration using Enterprise mode to import data for all your organizations and repos in an enterprise environment, run this integration before running the other GitHub integrations, because they depend on current organizational data imported from this integration.

      If you want to import only refreshed metadata for your organizations and repos using Organization mode, you don't have to run this integration first.

      For more information about configuring the integrations, see Configure the GitHub Application Vulnerability Integration.

    • GitHub Repos Integration: Imports all the application data for your GitHub on-premise and Cloud (Enterprise) accounts into the Discovered Applications [sn_vul_app_release] table. The integration imports applications from the repositories you have configured for an Organization (on-premise) or from your Enterprise (Cloud) environment.

    • GitHub CodeScan Integration: Imports Code scanning vulnerability alerts from GitHub repositories for security vulnerabilities and coding errors into the Discovered Applications [sn_vul_app_release], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. Imported data is mapped to SAST results in your instance.

    • GitHub Dependabot Integration: Imports Dependabot alerts for dependencies with known vulnerabilities from repositories into the Discovered Applications [sn_vul_app_release], Package [sn_vul_app_package], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. Imported data is mapped to SCA results in your instance.

    • GitHub Secret Scanning: Imports secrets from your organization's code along with the application security testing results into the Discovered Applications [sn_vul_app_release], Application Vulnerability Entry [sn_vul_app_vul_entry], and Application Vulnerable Item [sn_vul_app_vulnerable_item] tables. The system maps secrets to application vulnerable items (AVITs) with scan type secret and maps generic secrets to AVITs with scan type generic_secret.

    • GitHub Secret Scanning Location: Imports the location and line numbers for the scanned secrets in your organizations' code into the Application Vulnerable Item [sn_vul_app_vulnerable_item] table. This helps your developers with vulnerability remediation.

    For more details about source fields and mapping in your instance, see Field mapping for the GitHub Application Vulnerability Integration Integrations.

    Uploading SBOM files to the ServiceNow AI Platform® from your GitHub repositories

    Determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform® instance.

    • Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.
    • Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace.

    The SBOM applications are required to upload SBOM files. See Exploring Software Bill of Materials for more information.

    Viewing imported data

    The Repos Integration imports tags and topics you have configured for a repository in your GitHub account from the Settings menu. Any Custom properties are located on the menu under your Repository. Values you set for the properties are imported as key-value pairs. For more information on where to view this information in your instance, see View the GitHub Application Vulnerability Integration import run status and imported repository data.