Am I reading the right user guide?
Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).
To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.
About
GitHub Dependabot provides automated dependency updates built into GitHub. When integrated with your Vulcan Platform, you'll be able to review code-project vulnerabilities on your assets, while leveraging the power of Vulcan Cyber discoverability and automation.
Prerequisites
To configure the connector, you need to perform the following first:
Generate a personal access token (API key) in GitHub with the following access scopes:
Repo: all
read:packages
read:org
read:public_key
read:repo_hook
read:user
user:email
Activate the "Dependabot alerts" security option in GitHub
On your GitHub, make sure the "Dependabot alerts" security configuration is active:
Go to the relevant repo on GitHub > Security > activate the "Dependabot alerts" option.
Note: The activation is per repository.
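A pre-flight check for the two prerequisites above, token scopes and per-repository Dependabot alert activation, as an added example (not Vulcan Cyber's or GitHub's own code). It assumes a classic personal access token, whose scopes GitHub echoes back in the X-OAuth-Scopes response header of any REST call, and the GitHub endpoint GET /repos/{owner}/{repo}/vulnerability-alerts, which answers 204 when Dependabot alerts are enabled for the repository and 404 when they are not. The parent/child scope table and the GITHUB_TOKEN environment variable name are assumptions made for this example.

```python
"""Pre-flight check for the connector prerequisites: does the token carry
every scope the guide lists, and is "Dependabot alerts" enabled per repo?

Added example, not the connector's code. Assumes a classic PAT (fine-grained
tokens do not report X-OAuth-Scopes) and the documented 204/404 behaviour
of GET /repos/{owner}/{repo}/vulnerability-alerts.
"""
import os
import sys
import urllib.error
import urllib.request

# Scopes listed in the guide; "Repo: all" is the top-level "repo" scope.
REQUIRED_SCOPES = {
    "repo", "read:packages", "read:org", "read:public_key",
    "read:repo_hook", "read:user", "user:email",
}

# A broader scope grants the narrower ones (assumed scope hierarchy).
IMPLIED_BY = {
    "user": {"read:user", "user:email"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "write:packages": {"read:packages"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
}


def expand_scopes(granted):
    """Return the granted scopes plus everything they imply (transitively)."""
    result = set(granted)
    changed = True
    while changed:
        changed = False
        for scope in list(result):
            extra = IMPLIED_BY.get(scope, set()) - result
            if extra:
                result |= extra
                changed = True
    return result


def parse_oauth_scopes(header_value):
    """Parse an X-OAuth-Scopes header such as 'repo, read:org' into a set."""
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def missing_scopes(header_value):
    """Required scopes the token lacks, directly or by implication."""
    return REQUIRED_SCOPES - expand_scopes(parse_oauth_scopes(header_value))


def alerts_enabled(status_code):
    """Interpret the vulnerability-alerts endpoint: 204 enabled, 404 not."""
    if status_code == 204:
        return True
    if status_code == 404:
        return False
    raise ValueError(f"unexpected HTTP status {status_code}")


def _github(path, token):
    """Minimal authenticated GET; returns (status, headers) even on 4xx."""
    req = urllib.request.Request(
        "https://api.github.com" + path,
        headers={"Authorization": "token " + token,
                 "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def main():
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name
    if not token or len(sys.argv) < 2:
        print("usage: GITHUB_TOKEN=... preflight.py owner/repo [owner/repo ...]")
        return
    _, headers = _github("/user", token)
    missing = missing_scopes(headers.get("X-OAuth-Scopes"))
    print("missing scopes:", sorted(missing) or "none")
    for repo in sys.argv[1:]:
        status, _ = _github(f"/repos/{repo}/vulnerability-alerts", token)
        print(repo, "Dependabot alerts enabled:", alerts_enabled(status))


if __name__ == "__main__":
    main()
```

Run it once per repository you expect the connector to cover; a repository that reports "enabled: False" will produce no alerts in the Vulcan Platform no matter how the connector is configured, because activation is per repository.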
Configure GitHub Dependabot connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the GitHub Dependabot icon.
Enter the API Key (the personal access token generated in GitHub).
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your GitHub instance, then click Create (or Save Changes).
Allow some time for the sync to complete. You can review the sync status under Log.
To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the GitHub Dependabot icon shows Connected, the connection is complete.
From GitHub Dependabot to the Vulcan Platform - Fields Mapping
Connector Fields Mapping
GitHub Dependabot field | Vulcan field | Value Example |
Repository Name | Asset Name | - |
Code Project | Asset Type | - |
Dependency | Asset Library > Name | qs, morgan, debug |
Version | Asset codebase > Version | 1.6.1 |
About | Asset details | - |
Tags | Asset Tags | - |
Dependency > Details > Title | Vulnerability title | CVE-2019-5413 |
The description under the vulnerability "Details" | Vulnerability description | "Versions of |
Details > All info including description and recommendation (the title of the vulnerability is excluded) | Vulnerability details | Vulnerable versions: Patched version: |
Vulnerability status | Vulnerability status | Open, Closed |
NA | Fix tab > Title | Update {Dependency_Name} - {Dependency_Version} |
NA | Fix tab > Description | - |
NA | Fix tab > Reference | - |
Vulnerability Status Mapping
GitHub Dependabot Status | Vulcan Status |
Open | Vulnerable |
Closed | Fixed |
Closed (false positive) | Ignored - false positive |
Closed (won't fix) | Ignored - risk acknowledged |
Vulnerability Score Mapping
GitHub Dependabot Score | Vulcan Score |
Critical | 10 |
High | 7 |
Moderate | 5 |
Low | 3 |
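The three mapping tables above applied to a real alert record, as an added example (not the connector's code). The input shape follows GitHub's REST "list Dependabot alerts" payload as I know it (state, dismissed_reason, dependency.package.name, security_advisory.cve_id/summary/description, security_vulnerability.severity/vulnerable_version_range/first_patched_version); which dismissed_reason values correspond to the page's "Closed (false positive)" and "Closed (won't fix)" rows is an assumption, as is accepting GitHub's API spelling "medium" for the "Moderate" level. The installed dependency version is not part of the alert payload, so it is passed in separately. The sample alert is constructed; only the CVE and package names come from this page.

```python
"""Map a Dependabot alert onto the Vulcan fields, status and score tables.

Added example, not the connector's code. Field names follow GitHub's
Dependabot alerts REST payload; the dismissal-reason mapping is assumed.
"""
import json

# Vulnerability Score Mapping. GitHub's API says "medium" where the UI says
# "Moderate"; both are accepted (assumption).
SCORE = {"critical": 10, "high": 7, "moderate": 5, "medium": 5, "low": 3}

# Assumed mapping of API dismissal reasons onto the two "Closed (...)" rows.
DISMISSED_TO_STATUS = {
    "inaccurate": "Ignored - false positive",
    "not_used": "Ignored - false positive",
    "tolerable_risk": "Ignored - risk acknowledged",
    "no_bandwidth": "Ignored - risk acknowledged",
    "fix_started": "Ignored - risk acknowledged",
}


def vulcan_status(alert):
    """Vulnerability Status Mapping: Open -> Vulnerable, Closed -> Fixed,
    Closed with a dismissal reason -> one of the Ignored variants."""
    state = alert["state"]
    if state == "open":
        return "Vulnerable"
    if state == "fixed":
        return "Fixed"
    if state == "dismissed":
        reason = alert.get("dismissed_reason")
        if reason not in DISMISSED_TO_STATUS:
            raise ValueError(f"unknown dismissed_reason {reason!r}")
        return DISMISSED_TO_STATUS[reason]
    # Fail loudly rather than silently mis-classify an unexpected state.
    raise ValueError(f"unknown alert state {state!r}")


def vulcan_score(alert):
    """Vulnerability Score Mapping keyed on the advisory severity."""
    severity = alert["security_vulnerability"]["severity"].lower()
    return SCORE[severity]


def to_vulcan(alert, repo_full_name, installed_version):
    """Connector Fields Mapping for one alert."""
    dep = alert["dependency"]["package"]["name"]
    adv = alert["security_advisory"]
    vuln = alert["security_vulnerability"]
    patched = (vuln.get("first_patched_version") or {}).get("identifier", "none")
    return {
        "asset_name": repo_full_name,            # Repository Name
        "asset_type": "Code Project",
        "library_name": dep,                     # Dependency
        "library_version": installed_version,    # Version
        "vulnerability_title": adv.get("cve_id") or adv.get("ghsa_id"),
        "vulnerability_description": adv["summary"],
        # Everything except the title: range, patched version, recommendation.
        "vulnerability_details": (
            f"Vulnerable versions: {vuln['vulnerable_version_range']}\n"
            f"Patched version: {patched}\n{adv['description']}"),
        "vulnerability_status": vulcan_status(alert),
        "vulnerability_score": vulcan_score(alert),
        "fix_title": f"Update {dep} - {installed_version}",
    }


def summarize(alerts, repo_full_name, versions):
    """Map every alert and tally by Vulcan status; versions is a constructed
    {dependency name: installed version} lookup."""
    mapped = [to_vulcan(a, repo_full_name,
                        versions.get(a["dependency"]["package"]["name"], "unknown"))
              for a in alerts]
    counts = {}
    for m in mapped:
        counts[m["vulnerability_status"]] = counts.get(m["vulnerability_status"], 0) + 1
    return mapped, counts


# Constructed sample alert in the GitHub payload shape (values made up apart
# from the CVE and package names that appear on this page).
SAMPLE_ALERT = {
    "number": 1,
    "state": "open",
    "dismissed_reason": None,
    "dependency": {"package": {"ecosystem": "npm", "name": "morgan"},
                   "manifest_path": "package-lock.json"},
    "security_advisory": {
        "ghsa_id": "GHSA-xxxx-xxxx-xxxx",  # placeholder
        "cve_id": "CVE-2019-5413",
        "summary": "Versions of morgan before 1.9.1 are vulnerable to code injection",
        "description": "Update to version 1.9.1 or later.",
        "severity": "high",
    },
    "security_vulnerability": {
        "package": {"ecosystem": "npm", "name": "morgan"},
        "severity": "high",
        "vulnerable_version_range": "< 1.9.1",
        "first_patched_version": {"identifier": "1.9.1"},
    },
}

if __name__ == "__main__":
    print(json.dumps(to_vulcan(SAMPLE_ALERT, "example-org/web-app", "1.6.1"), indent=2))
```

The unknown-state and unknown-reason branches raise on purpose: a new GitHub state that silently fell through to "Fixed" would hide open risk from the dashboard, which is the one failure mode a status mapping must not have.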
Locate GitHub Dependabot vulnerabilities in the Vulcan Platform
As GitHub discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. With a large number of assets and potential vulnerabilities, filtering by vulnerability source makes it easy to locate the ones you are looking for.
Go to Vulnerabilities.
Click on the "Search or filter vulnerabilities" search box.
Scroll and select the Vulnerability Source option.
Locate GitHub Dependabot on the vulnerability source list and click to filter results.
Click on any vulnerability/CVE to view further information and potentially take action by clicking the Take Action drop-down.
Locate GitHub code project assets in the Vulcan Platform
Go to Assets > Code Projects tab.
Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.
Scroll to select the GitHub Dependabot option and view the results.
Automating GitHub Dependabot vulnerability remediation actions in the Vulcan Platform
Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the GitHub Dependabot connector.