Am I reading the right user guide?
Some connectors have more than one user guide, depending on how your environment is set up and on which releases of the connector are available (new vs. previous revisions).
To open the user guide that matches your environment, click the "How to connect" button on the connector's setup page. It links to the guide that applies to your specific environment.
About
GitHub Code Scanning is a GitHub feature that analyzes the code in a repository to find security vulnerabilities and coding errors. When integrated with the Vulcan Platform, you can review the vulnerabilities of your code projects alongside your other assets, using Vulcan Cyber's discovery and automation capabilities.
Prerequisites
To configure the connector, first complete the following:
Generate a personal access token (PAT) in GitHub with the following expiration setting and access scopes:
Expiration: No Expiration
repo:
repo:status
repo_deployment
public_repo
security_events
write:packages
read:packages
admin:org
read:org
admin:repo_hook
read:repo_hook
user
read:user
user:email
Activate the "Code scanning alerts" security option in GitHub
In GitHub, make sure the "Code scanning alerts" security configuration is active:
Go to the relevant repo on GitHub > Security > activate the "Code scanning alerts" option.
Note: The activation is per repository.
Configure GitHub Code Scanning connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the GitHub Code Scanning icon.
Enter the API Key (the personal access token generated in GitHub).
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your GitHub instance, then click Create (or Save Changes).
Allow some time for the sync to complete. You can review the sync status under Log.
To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the GitHub Code Scanning icon shows Connected, the connection is complete.
From GitHub Code Scanning to the Vulcan Platform - Fields Mapping
Connector Fields Mapping
GitHub Code Scanning field | Vulcan field | Value Example |
Repository Name | Asset name | - |
Code Project | Asset type | - |
- | Asset codebase - source | vulnerable-node-master |
- | Asset codebase - location | - |
About | Asset details | "Lab for the development of Dependabot and Code Scanning connectors" |
Tags | Asset tags | - |
Vulnerability title in GitHub | Vulnerability title | "Hard coded credentials" |
Vulnerability description in GitHub | Vulnerability description | - |
CWE tags in GitHub | Vulnerability CWE (unique Vulnerability details) | "CWE-259" |
Vulnerability details in GitHub | Vulnerability details | Asset details on the vulnerability ("i") |
Fix title (NA in GitHub) | Fix tab > Title | GitHub Code Scanning Recommendations for {vulnerability title} |
Fix Recommendation + Example in GitHub | Fix tab > Description | "Remove hard-coded credentials, such as user names, passwords, and certificates, from source code. Instead, place them in configuration files, environment variables, or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access." |
References in GitHub | Fix tab > Reference | - |
Vulnerability Status Mapping
GitHub Code Scanning Status | Vulcan Status |
Open | Vulnerable |
NA | Fixed |
Closed (false positive) | Ignored - false positive |
Closed (won't fix) | Ignored - risk acknowledged |
Closed (used in tests) | Ignored - risk acknowledged |
Vulnerability Score Mapping
GitHub Code Scanning Score | Vulcan Score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
None | 0 |
Error | Not relevant - only security findings are pulled |
Warning | Not relevant - only security findings are pulled |
Note | Not relevant - only security findings are pulled |
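The following is an added example, not the guide's or the connector's own code: it applies the fields, status and score mapping tables above to alert records shaped like GitHub's REST API code scanning alerts. It assumes that the guide's "Closed (...)" rows surface in the API as state "dismissed" with a dismissed_reason, that the security severity lives in rule.security_severity_level, and that CWE tags use the form "external/cwe/cwe-259"; the sample alerts are constructed.

```python
# Added example, not the guide's or the connector's code: apply the page's
# status/score mapping tables and CWE-tag extraction to GitHub alert records.
from typing import Optional

# "Vulnerability Status Mapping" table. Assumption: GitHub's REST API reports
# the guide's "Closed (...)" rows as state "dismissed" plus a dismissed_reason.
STATUS_MAP = {
    ("open", None): "Vulnerable",
    ("dismissed", "false positive"): "Ignored - false positive",
    ("dismissed", "won't fix"): "Ignored - risk acknowledged",
    ("dismissed", "used in tests"): "Ignored - risk acknowledged",
}
# "Vulnerability Score Mapping" table. Only security findings are pulled, so
# GitHub's error/warning/note severities are deliberately absent.
SCORE_MAP = {"critical": 10, "high": 7, "medium": 5, "low": 3, "none": 0}

def vulcan_status(alert: dict) -> Optional[str]:
    """Vulcan status for an alert, or None where the guide maps nothing (e.g. a
    'fixed' alert: the guide lists no GitHub status for Vulcan's Fixed)."""
    state = alert.get("state")
    reason = alert.get("dismissed_reason") if state == "dismissed" else None
    return STATUS_MAP.get((state, reason))

def vulcan_score(alert: dict) -> Optional[int]:
    """Map rule.security_severity_level to the Vulcan 0-10 score; rules with no
    security level (error/warning/note under rule.severity) return None."""
    level = (alert.get("rule") or {}).get("security_severity_level")
    return SCORE_MAP.get((level or "").lower())

def cwe_tags(alert: dict) -> list:
    """CWE identifiers from rule.tags; assumption: CodeQL rules carry tags of
    the form 'external/cwe/cwe-259'."""
    tags = (alert.get("rule") or {}).get("tags") or []
    return [t.rsplit("/", 1)[-1].upper() for t in tags if "/cwe/" in t]

# Constructed sample alerts shaped like GitHub's code-scanning alert JSON.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "dismissed_reason": None,
     "rule": {"id": "js/hardcoded-credentials", "severity": "error",
              "security_severity_level": "critical",
              "tags": ["security", "external/cwe/cwe-259"]}},
    {"number": 2, "state": "dismissed", "dismissed_reason": "used in tests",
     "rule": {"id": "js/sql-injection", "severity": "error",
              "security_severity_level": "high", "tags": ["external/cwe/cwe-089"]}},
    {"number": 3, "state": "open", "dismissed_reason": None,
     "rule": {"id": "js/unused-local-variable", "severity": "warning",
              "security_severity_level": None, "tags": ["maintainability"]}},
]
```

The third sample alert is a non-security rule with no security severity level, so it gets no score, matching the table's "only security findings are pulled" rows.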
Locate GitHub Code Scanning vulnerabilities in the Vulcan Platform
As GitHub discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. When you have many assets and potential vulnerabilities, filtering by vulnerability source makes it easy to find the ones that came from a specific connector.
Go to Vulnerabilities.
Click on the "Search or filter vulnerabilities" search box.
Scroll and select the Vulnerability Source option.
Locate GitHub Code Scanning on the vulnerability source list and click to filter results.
Click on any vulnerability/CVE to view further information and potentially take action by clicking the Take Action drop-down.
Locate GitHub Code Projects assets in the Vulcan Platform
Go to Assets > Code Projects tab.
Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.
Scroll to select the GitHub Code Scanning option and view the results.
Automating GitHub Code Scanning vulnerability remediation actions in the Vulcan Platform
Large environments quickly become unmanageable if remediating vulnerabilities requires constant manual attention and action. Take advantage of the automation capabilities of Vulcan Cyber and the GitHub Code Scanning connector.