Overview


About

GitHub Code Scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. When integrated with your Vulcan Platform, you'll be able to review code-project vulnerabilities on your assets, while leveraging the power of Vulcan Cyber discoverability and automation.


Prerequisites

To configure the connector, you need to perform the following first:

  1. Generate a personal access token from GitHub with the following configuration and access scopes:

    • Expiration: No Expiration

    • repo:

      • repo:status

      • repo_deployment

      • public_repo

      • security_events

    • write:packages

      • read:packages

    • admin:org

      • read:org

    • admin:repo_hook

      • read:repo_hook

    • user

      • read:user

      • user:email

  2. Activate the "Code scanning alerts" security option in GitHub
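The scope list in step 1 is easy to get wrong when a token is created by hand, so the following added example (not Vulcan's or GitHub's own code) checks a classic token against it. It relies on GitHub returning a classic token's granted scopes in the X-OAuth-Scopes response header of any authenticated API call, and on a granted parent scope (such as repo) covering the sub-scopes nested under it above. The two header values embedded below are constructed samples, and the GITHUB_TOKEN environment variable name is an assumption of this script.

```python
import os
import urllib.request

# Top-level scopes the prerequisites list, each with the sub-scopes it covers.
# Granting the parent scope in the token UI also grants its children, which is
# why the prerequisites show them nested.
REQUIRED_SCOPES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "security_events"},
    "write:packages": {"read:packages"},
    "admin:org": {"read:org"},
    "admin:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email"},
}


def parse_scopes(header_value):
    """Split the comma-separated X-OAuth-Scopes header into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def missing_scopes(header_value):
    """Return the required scopes (parents and children) the token does not carry.

    A granted parent counts as covering its children, so a token granted plain
    'repo' satisfies 'security_events' even though the header lists only 'repo'.
    """
    granted = parse_scopes(header_value)
    effective = set(granted)
    for parent, children in REQUIRED_SCOPES.items():
        if parent in granted:
            effective |= children
    wanted = set(REQUIRED_SCOPES)
    for children in REQUIRED_SCOPES.values():
        wanted |= children
    return sorted(wanted - effective)


def fetch_scopes(token):
    """Call the GitHub API with the token and return its X-OAuth-Scopes header.

    Any authenticated endpoint works; /user is used because it needs no
    repository context. This needs network access and a real classic token.
    """
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


# Constructed header values, shaped like what GitHub returns for two tokens.
COMPLETE_TOKEN_HEADER = "repo, write:packages, admin:org, admin:repo_hook, user"
PARTIAL_TOKEN_HEADER = "repo, admin:org"

if __name__ == "__main__":
    # With GITHUB_TOKEN set (assumed variable name), check a live token;
    # otherwise run the check against the constructed partial sample.
    token = os.environ.get("GITHUB_TOKEN")
    header = fetch_scopes(token) if token else PARTIAL_TOKEN_HEADER
    gaps = missing_scopes(header)
    print("token scopes:", header)
    print("missing:", ", ".join(gaps) if gaps else "none; token meets the connector prerequisites")
```

Fine-grained tokens use repository permissions instead of scopes and do not report an X-OAuth-Scopes header, so this check only applies to the classic token type whose scope names the prerequisites list.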

Activate the "Code scanning alerts" security option in GitHub

On your GitHub, make sure the "Code Scanning alerts" security configuration is active:

Go to the relevant repo on GitHub > Security > activate the "Code scanning alerts" option.

Note: The activation is per repository.


Configure GitHub Code Scanning connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the GitHub Code Scanning icon.

  4. Enter the API Key as generated from your GitHub.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your GitHub instance, then click Create (or Save Changes).

  6. Allow some time for the sync to complete. You can review the sync status under Log.

  7. To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the GitHub Code Scanning icon shows Connected, the connection is complete.


From GitHub Code Scanning to the Vulcan Platform - Fields Mapping

Connector Fields Mapping

GitHub Code Scanning field | Vulcan field | Value Example
--- | --- | ---
Repository Name | Asset name | -
Code Project | Asset type | -
 | Asset codebase - source | vulnerable-node-master.app.js:44
 | Asset codebase - location | vulnerable-node-master.app.js:44
About | Asset details | "Lab for the development of Dependababot and Code Scanning connectors"
Tags | Asset tags | -
Vulnerability title in GitHub | Vulnerability title | "Hard coded credentials"
Vulnerability description in GitHub | Vulnerability description | -
CWE tags in GitHub | Vulnerability CWE (unique vulnerability details) | "CWE-259"
Vulnerability details in GitHub | Vulnerability details | Asset details on vulnerability ("i"): The hard-coded value "ñasddfilhpaf78h78032h780g780fg780asg780dsbovncubuyvqy" is used as key.
Fix title (NA in GitHub) | Fix tab > Title | GitHub Code Scanning Recommendations for {vulnerability title}
Fix recommendation + example in GitHub | Fix tab > Description | "Remove hard-coded credentials, such as user names, passwords, and certificates, from source code. Instead, place them in configuration files, environment variables, or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access."
References in GitHub | Fix tab > Reference | Common Weakness Enumeration: CWE-259; Common Weakness Enumeration: CWE-321; Common Weakness Enumeration: CWE-798

Vulnerability Status Mapping

GitHub Code Scanning Status | Vulcan Status
--- | ---
Open | Vulnerable
NA | Fixed
Closed (false positive) | Ignored - false positive
Closed (won't fix) | Ignored - risk acknowledged
Closed (used in tests) | Ignored - risk acknowledged

Vulnerability Score Mapping

GitHub Code Scanning Score | Vulcan Score
--- | ---
Critical | 10
High | 7
Medium | 5
Low | 3
None | 0
Error | Not relevant - only security findings are pulled
Warning | Not relevant - only security findings are pulled
Note | Not relevant - only security findings are pulled
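To make the three mapping tables concrete, here is an added example (not the connector's own code) that takes one code scanning alert shaped like GitHub's REST API response (GET /repos/{owner}/{repo}/code-scanning/alerts) and produces the Vulcan fields, status and score the tables describe. The alert and repository objects below are constructed samples; the use of rule.description as the title, rule.help as the fix description, CWE extraction from CodeQL's "external/cwe/cwe-nnn" rule tags, and the "path:line" format for the codebase location are assumptions of this example rather than documented connector behaviour.

```python
import re

# Status table: (GitHub alert state, dismissed_reason) -> Vulcan status.
# GitHub sets dismissed_reason only when state is "dismissed".
STATUS_MAP = {
    ("open", None): "Vulnerable",
    ("fixed", None): "Fixed",
    ("dismissed", "false positive"): "Ignored - false positive",
    ("dismissed", "won't fix"): "Ignored - risk acknowledged",
    ("dismissed", "used in tests"): "Ignored - risk acknowledged",
}

# Score table, keyed on rule.security_severity_level.
SCORE_MAP = {"critical": 10, "high": 7, "medium": 5, "low": 3, "none": 0}

# CodeQL records CWEs as rule tags such as "external/cwe/cwe-259" (assumed format).
CWE_TAG = re.compile(r"cwe-(\d+)$", re.IGNORECASE)


def vulcan_status(alert):
    key = (alert["state"], alert.get("dismissed_reason"))
    if key not in STATUS_MAP:
        raise ValueError(f"unmapped GitHub alert state {key!r}")
    return STATUS_MAP[key]


def vulcan_score(alert):
    """Vulcan score for the alert, or None when it is not a security finding.

    Rules that carry only an error/warning/note severity have no
    security_severity_level; the table says those are not pulled at all."""
    level = alert["rule"].get("security_severity_level")
    if level is None:
        return None
    return SCORE_MAP[level.lower()]


def cwe_tags(alert):
    """Extract "CWE-nnn" identifiers from the rule's tags, in tag order."""
    found = []
    for tag in alert["rule"].get("tags", []):
        match = CWE_TAG.search(tag)
        if match:
            found.append(f"CWE-{match.group(1)}")
    return found


def to_vulcan(alert, repo):
    """Map one alert to the Vulcan fields of the table; None if it is filtered out."""
    score = vulcan_score(alert)
    if score is None:
        return None
    rule = alert["rule"]
    instance = alert["most_recent_instance"]
    loc = instance["location"]
    title = rule["description"]
    cwes = cwe_tags(alert)
    return {
        "asset_name": repo["name"],
        "asset_type": "Code Project",
        "asset_details": repo.get("description"),
        "asset_tags": list(repo.get("topics", [])),
        "codebase_location": f"{loc['path']}:{loc['start_line']}",
        "title": title,
        "description": rule.get("full_description"),
        "cwe": cwes,
        "details": instance.get("message", {}).get("text"),
        "fix_title": f"GitHub Code Scanning Recommendations for {title}",
        "fix_description": rule.get("help"),
        "fix_references": [f"Common Weakness Enumeration: {c}." for c in cwes],
        "status": vulcan_status(alert),
        "score": score,
    }


# Constructed sample data shaped like the GitHub API objects (not real alerts).
SAMPLE_REPO = {"name": "vulnerable-node-master",
               "description": "Lab for Code Scanning connector development", "topics": ["lab"]}
SAMPLE_ALERT = {
    "state": "dismissed", "dismissed_reason": "used in tests",
    "rule": {"id": "js/hardcoded-credentials", "description": "Hard-coded credentials",
             "severity": "error", "security_severity_level": "critical",
             "tags": ["security", "external/cwe/cwe-259", "external/cwe/cwe-321", "external/cwe/cwe-798"],
             "help": "Remove hard-coded credentials from source code."},
    "most_recent_instance": {"location": {"path": "app.js", "start_line": 44},
                             "message": {"text": 'The hard-coded value "<constructed>" is used as key.'}},
}
# A warning-level-only finding with no security severity: filtered out.
SAMPLE_WARNING = {
    "state": "open",
    "rule": {"id": "js/unused-local-variable", "description": "Unused variable",
             "severity": "warning", "tags": ["maintainability"]},
    "most_recent_instance": {"location": {"path": "lib.js", "start_line": 3}},
}

if __name__ == "__main__":
    for alert in (SAMPLE_ALERT, SAMPLE_WARNING):
        print(to_vulcan(alert, SAMPLE_REPO))
```

Note that an alert dismissed as "used in tests" lands on the same Vulcan status as "won't fix"; both become "Ignored - risk acknowledged", so the original dismissal reason is only recoverable from GitHub.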


Locate GitHub Code Scanning vulnerabilities in the Vulcan Platform

As GitHub discovers vulnerabilities, the Vulcan Platform connector imports those vulnerabilities for reporting and action. With a large number of assets and potential vulnerabilities, filters make it easy to find specific vulnerabilities by source.

  1. Go to Vulnerabilities.

  2. Click on the "Search or filter vulnerabilities" search box.

  3. Scroll and select the Vulnerability Source option.

  4. Locate GitHub Code Scanning on the vulnerability source list and click to filter results.

  5. Click on any vulnerability/CVE to view further information and potentially take action by clicking the Take Action drop-down.


Locate GitHub Code Projects assets in the Vulcan Platform

  1. Go to Assets > Code Projects tab.

  2. Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.

  3. Scroll to select the GitHub Code Scanning option and view the results.


Automating GitHub Code Scanning vulnerability remediation actions in the Vulcan Platform

Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the GitHub Code Scanning connector.

Learn how to create automation


