Overview


About

GitHub Dependabot provides automated dependency updates built into GitHub. When integrated with the Vulcan Platform, you can review code-project vulnerabilities on your assets while leveraging Vulcan Cyber's discoverability and automation.


Prerequisites

To configure the connector, you need to perform the following first:

  1. Generate a Personal Access Token in GitHub with the following configuration and access scopes:

    • Expiration: No Expiration

    • repo:

      • repo:status

      • repo_deployment

      • public_repo

      • security_events

    • write:packages

      • read:packages

    • admin:org

      • read:org

    • admin:repo_hook

      • read:repo_hook

    • user

      • read:user

      • user:email

  2. Activate the "Dependabot alerts" security option in GitHub

Activate the "Dependabot alerts" security option in GitHub

On your GitHub, make sure the "Dependabot alerts" security configuration is active:

Go to the relevant repo on GitHub > Security > activate the "Dependabot alerts" option.

Note: The activation is per repository.
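As an added check (example code, not part of the Vulcan Cyber documentation or connector), the following Python script verifies that a classic GitHub Personal Access Token carries every scope listed in the prerequisites before you paste it into the connector. GitHub reports a classic token's scopes in the X-OAuth-Scopes response header of any authenticated API call; the parent/child scope relations below mirror the prerequisites list, and the header values used in the script are constructed.

```python
"""Verify a classic GitHub Personal Access Token has the scopes the connector needs.

Added example; not part of the Vulcan Cyber documentation or connector. GitHub
reports the scopes granted to a classic PAT in the X-OAuth-Scopes response header
of any authenticated API call, for example:

    curl -sI -H "Authorization: token <PAT>" https://api.github.com/user \
        | grep -i '^x-oauth-scopes'

Pass that header's value to check_token_scopes() to see what is missing.
"""
from __future__ import annotations

# Parent scope -> child scopes it implies, mirroring the prerequisites list.
SCOPE_TREE: dict[str, set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "security_events"},
    "write:packages": {"read:packages"},
    "admin:org": {"read:org"},
    "admin:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email"},
}

# Every scope the connector asks for, parents and children alike.
REQUIRED_SCOPES: set[str] = set(SCOPE_TREE).union(*SCOPE_TREE.values())


def parse_scopes_header(header_value: str) -> set[str]:
    """Turn 'repo, read:org, user' into {'repo', 'read:org', 'user'}."""
    return {part.strip() for part in header_value.split(",") if part.strip()}


def expand_scopes(granted: set[str]) -> set[str]:
    """Add the child scopes that each granted parent scope implies.

    GitHub lists only the top-level scope (e.g. 'repo') when the whole group
    was selected, so the children have to be inferred.
    """
    effective = set(granted)
    for parent, children in SCOPE_TREE.items():
        if parent in granted:
            effective |= children
    return effective


def missing_scopes(header_value: str) -> set[str]:
    """Required scopes the token carries neither directly nor via a parent scope."""
    return REQUIRED_SCOPES - expand_scopes(parse_scopes_header(header_value))


def check_token_scopes(header_value: str) -> str:
    """Human-readable verdict for a given X-OAuth-Scopes header value."""
    missing = missing_scopes(header_value)
    if not missing:
        return "OK: token carries every scope the connector requires"
    return "MISSING: " + ", ".join(sorted(missing))


if __name__ == "__main__":
    # Constructed header values, not output from a real token.
    print(check_token_scopes("admin:org, admin:repo_hook, repo, user, write:packages"))
    print(check_token_scopes("public_repo, read:org, user"))
```

Run the curl command with your own token, copy the header value into check_token_scopes(), and regenerate the token if anything is reported missing; the Test Connectivity button in the connector will otherwise fail or the sync will silently skip alerts it cannot read.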


Configure GitHub Dependabot connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the GitHub Dependabot icon.

  4. Enter the API Key (the Personal Access Token you generated in GitHub).

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your GitHub instance, then click Create (or Save Changes).

  6. Allow some time for the sync to complete. You can review the sync status under Log.

  7. To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the GitHub Dependabot icon shows Connected, the connection is complete.


From GitHub Dependabot to the Vulcan Platform - Fields Mapping

Connector Fields Mapping

| GitHub Dependabot field | Vulcan field | Value Example |
|---|---|---|
| Repository Name | Asset Name | - |
| Code Project | Asset Type | - |
| Dependency | Asset Library > Name | qs, morgan, debug |
| Version | Asset codebase > Version | 1.6.1 |
| About | Asset details | - |
| Tags | Asset Tags | - |
| Dependency > Details > Title | Vulnerability title | CVE-2019-5413 |
| The description under the vulnerability "Details" | Vulnerability description | "Versions of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack." |
| Details > All info including description and recommendation (the title of the vulnerability is excluded) | Vulnerability details | Vulnerable versions: < 1.9.1; Patched version: 1.9.1 |
| Vulnerability status | Vulnerability status | Open, Closed |
| NA | Fix tab > Title | Update {Dependency_Name} - {Dependency_Version} |
| NA | Fix tab > Description | |
| NA | Fix tab > Reference | |

Vulnerability Status Mapping

| GitHub Dependabot Status | Vulcan Status |
|---|---|
| Open | Vulnerable |
| Closed | Fixed |
| Closed (false positive) | Ignored - false positive |
| Closed (won't fix) | Ignored - risk acknowledged |

Vulnerability Score Mapping

| GitHub Dependabot Score | Vulcan Score |
|---|---|
| Critical | 10 |
| High | 7 |
| Moderate | 5 |
| Low | 3 |
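To make the three mapping tables concrete, here is an added Python example (not the connector's own code, and not published by Vulcan Cyber or GitHub) that takes Dependabot alert records in the shape returned by GitHub's REST endpoint GET /repos/{owner}/{repo}/dependabot/alerts and produces the Vulcan fields listed above: title, description, details, status, score and Fix title. Which API dismissed_reason values correspond to the "Closed (false positive)" and "Closed (won't fix)" rows, the fallback to the plain "Closed" row for any other closed alert, the use of the GHSA id as title when an advisory has no CVE id, and reading {Dependency_Version} as the first patched version are all assumptions; the sample alerts, their GHSA ids and severities are constructed.

```python
"""Map Dependabot alerts onto the Vulcan fields from the mapping tables above.

Added example, not the connector's code. Inputs follow the shape of GitHub's REST
endpoint GET /repos/{owner}/{repo}/dependabot/alerts. The dismissed_reason values
chosen for the two "Ignored" rows, and the fallback to plain "Closed" for other
closed alerts, are assumptions; the sample alerts are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Vulnerability Status Mapping table, keyed by its GitHub Dependabot Status column.
STATUS_MAP = {
    "Open": "Vulnerable",
    "Closed": "Fixed",
    "Closed (false positive)": "Ignored - false positive",
    "Closed (won't fix)": "Ignored - risk acknowledged",
}
# Vulnerability Score Mapping table; "medium" is the API's spelling of the UI's "Moderate".
SCORE_MAP = {"critical": 10, "high": 7, "moderate": 5, "medium": 5, "low": 3}
# Assumption: which API dismissed_reason values correspond to the two "Ignored" rows.
DISMISSED_REASON_TO_STATUS = {
    "inaccurate": "Closed (false positive)",
    "tolerable_risk": "Closed (won't fix)",
}


def dependabot_status(state: str, dismissed_reason: str | None) -> str:
    """Collapse the API's state/dismissed_reason pair into the table's status labels."""
    if state == "open":
        return "Open"
    if state == "dismissed":
        return DISMISSED_REASON_TO_STATUS.get(dismissed_reason or "", "Closed")
    return "Closed"  # "fixed" and "auto_dismissed"


@dataclass
class VulcanVulnerability:
    asset_library_name: str  # Asset Library > Name
    title: str               # Vulnerability title
    description: str         # Vulnerability description
    details: str             # Vulnerability details
    status: str              # Vulnerability status
    score: int               # Vulcan score
    fix_title: str           # Fix tab > Title


def normalize_alert(alert: dict) -> VulcanVulnerability:
    """Build one Vulcan vulnerability record from one Dependabot alert."""
    advisory = alert["security_advisory"]
    vuln = alert["security_vulnerability"]
    name = alert["dependency"]["package"]["name"]
    patched = (vuln.get("first_patched_version") or {}).get("identifier")
    severity = advisory["severity"].lower()
    if severity not in SCORE_MAP:  # surface unknown severities instead of silently mis-scoring
        raise ValueError(f"unmapped severity {severity!r} on alert {alert.get('number')}")
    details = (f"Vulnerable versions: {vuln['vulnerable_version_range']}\n"
               f"Patched version: {patched or 'none available'}")
    return VulcanVulnerability(
        asset_library_name=name,
        title=advisory.get("cve_id") or advisory["ghsa_id"],  # assumption: GHSA id when no CVE
        description=advisory["description"],
        details=details,
        status=STATUS_MAP[dependabot_status(alert["state"], alert.get("dismissed_reason"))],
        score=SCORE_MAP[severity],
        # Assumption: {Dependency_Version} in the Fix title is the first patched version.
        fix_title=f"Update {name} - {patched}" if patched else f"Update {name}",
    )


def normalize_alerts(alerts: list[dict]) -> list[VulcanVulnerability]:
    return [normalize_alert(alert) for alert in alerts]


def make_alert(number, state, reason, name, cve, severity, vrange, patched, description):
    """Constructed alert in the GitHub API shape (test data, not real advisory records)."""
    return {
        "number": number, "state": state, "dismissed_reason": reason,
        "dependency": {"package": {"name": name}},
        "security_advisory": {"ghsa_id": f"GHSA-xxxx-xxxx-{number:04d}", "cve_id": cve,
                              "severity": severity, "description": description},
        "security_vulnerability": {"vulnerable_version_range": vrange,
                                   "first_patched_version": {"identifier": patched} if patched else None},
    }


SAMPLE_ALERTS = [  # constructed; ids and severities are illustrative
    make_alert(1, "open", None, "morgan", "CVE-2019-5413", "high", "< 1.9.1", "1.9.1",
               "Versions of morgan before 1.9.1 are vulnerable to code injection when user "
               "input is allowed into the filter or combined with a prototype pollution attack."),
    make_alert(2, "dismissed", "tolerable_risk", "qs", None, "medium", "< 6.5.3", "6.5.3",
               "Constructed description for a moderate-severity qs advisory."),
    make_alert(3, "fixed", None, "debug", None, "low", "< 2.6.9", None,
               "Constructed description for a low-severity debug advisory."),
]

if __name__ == "__main__":
    for record in normalize_alerts(SAMPLE_ALERTS):
        print(f"{record.status:<28} score={record.score:<3} {record.title:<20} {record.fix_title}")
```

The unknown-severity check is deliberate: an alert that cannot be scored should fail loudly rather than be imported with a default score, since a silently mis-scored vulnerability would drop out of any prioritisation built on the Vulcan score.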


Locate GitHub Dependabot vulnerabilities in the Vulcan Platform

As GitHub discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. With a large number of assets and potential vulnerabilities, filtering by vulnerability source makes it easy to find the ones that came from a specific connector.

  1. Go to Vulnerabilities.

  2. Click on the "Search or filter vulnerabilities" search box.

  3. Scroll and select the Vulnerability Source option.

  4. Locate GitHub Dependabot on the vulnerability source list and click to filter results.

  5. Click on any vulnerability/CVE to view further information and potentially take action by clicking the Take Action drop-down.


Locate GitHub code project assets in the Vulcan Platform

  1. Go to Assets > Code Projects tab.

  2. Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.

  3. Scroll to select the GitHub Dependabot option and view the results.


Automating GitHub Dependabot vulnerability remediation actions in the Vulcan Platform

Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the GitHub Dependabot connector.

Learn how to create automation
