Am I reading the right user guide?
Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).
To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.
Overview
About GitHub Dependabot
GitHub Dependabot provides automated dependency updates built into GitHub.
Why integrating GitHub Dependabot into the Vulcan platform?
The GitHub Dependabot Connector by Vulcan integrates with the GitHub Dependabot platform to pull and ingest Code Project-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
GitHub Dependabot Connector details
| Supported products | |
|---|---|
| Category | Application Security - SCA |
| Ingested asset type(s) | Code Projects |
| Integration type | Unidirectional (data is transferred from GitHub Dependabot to the Vulcan Platform in one direction) |
| Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the connector, make sure you have the following:
The integration user must be a member of the organization. External collaborator users are not supported.
Generating GitHub Dependabot API Token
Go to your GitHub Dependabot console > Account > Settings.
Click on Developer Settings > Personal Access Token
Click on "Generate new token"
Fill in the name and expiration date (recommended: set to "No expiration").
Check to enable the following permissions ("Scopes"):
repo (all permissions)
read:packages
read:org
read:public_key
read:repo_hook
read:user
user:email
Click on Generate Token.
Note: To fetch all of the assets, including their tags and vulnerabilities, the Vulcan Platform requires read-only permissions, including the read:hook.
Configuring the GitHub Dependabot Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the GitHub Dependabot icon.
Set up the connector as follows:
Enter the API Token generated earlier.
Click on Load Organization to select the organization you want to pull data from.
Optional: Check the "Pull personal repositories from Github for Dependabot" option.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your GitHub Dependabot instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log.
To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the GitHub Dependabot icon shows Connected, the connection is complete.
GitHub Dependabot in the Vulcan Platform
Locating GitHub Dependabot vulnerabilities in the Vulcan Platform
As GitHub Dependabot discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities by Connector using the relevant filter:
Open the Vulcan Platform dashboard and navigate to the Vulnerabilities.
Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate GitHub Dependabot on the vulnerability source/Connector list and click to filter results.
Click on any vulnerability to view further information.
Learn all about the Vulnerabilities page and Vulnerability Details here.
Locating GitHub Dependabot assets in the Vulcan Platform
To locate all retrieved Code Project assets from GitHub Dependabot:
Open the Vulcan Cyber dashboard and navigate to Assets.
Click on the Code Projects tab.
Click on the Search or filter CodeProjects input box and select Connector from the drop-down selection.
Locate the GitHub Dependabot option to view all synced assets.
Automating actions on vulnerabilities detected by GitHub Dependabot
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the GitHub Dependabot Connector.
Click here to learn how to create automation in the Vulcan Cyber Platform.
From GitHub Dependabot to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with GitHub Dependabot through its API to pull relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields. GitHub Dependabot data is mapped into Vulcan Code Projects. Each GitHub Dependabot report is mapped into a vulnerability instance in Vulcan.
Code Projects mapping
| GitHub Dependabot field | Vulcan field |
|---|---|
| node.id | Uniqueness criteria |
| node.name | Asset Name |
| Code Project | Asset type |
| node.securityVulnerability.package.name | Asset libraries - Name (SCA) |
| node.vulnerableRequirements | Asset libraries - Version (SCA) |
| node.name (from the tags calls) | Asset Tags - Vendor's tags |
| node.languages.nodes → lang.name; Organization Repository: {{ organization }} (if not private); Private Repository (if private) | Asset Tags - Additional |
| active | Asset's Status |
| Now | Last report |
| node.securityVulnerability.package.name + node.vulnerableRequirements | Vulnerability instance uniqueness criteria |
| node.createdAt | Vulnerability instance first seen |
| node.securityVulnerability.advisory.summary + node.securityVulnerability.advisory.description | Unique Vulnerability uniqueness criteria |
| node.securityVulnerability.advisory.summary | Vulnerability title |
| node.securityVulnerability.advisory.cvss.score | Vulnerability score |
| node.securityVulnerability.advisory.description | Vulnerability description |
| Vulnerable Version Range → node.securityVulnerability.vulnerableVersionRange; First Patched Version → node.securityVulnerability.firstPatchedVersion.identifier; Vector String → node.securityVulnerability.advisory.cvss.vectorString | Vulnerability details |
| node.state | Vulnerability status |
| node.securityVulnerability.advisory.cvss.score | CVSS |
| node.securityVulnerability.advisory.identifiers → value | CVE/S |
| node.securityVulnerability.advisory.cwes.edges → node.cweId | CWE |
| id → node.id; dismissReason → node.dismissReason; state → node.state | Vulnerability instance connection - additional information |
| Fix From Github Dependabot For {{ node.securityVulnerability.advisory.summary }} | Fix - Title |
| node.securityVulnerability.advisory.description (only the recommendation) | Fix - Description |
| node.securityVulnerability.advisory.references → url | Fix - References |
Vulnerability status mapping
| GitHub Dependabot Status | Vulcan Status |
|---|---|
| Open | Vulnerable |
| Fixed | Fixed |
| - | Ignored - False Positive |
| dismissed | Ignored - Risk Acknowledged |
Vulnerability score mapping
Score mapping is based on: cvss_score (node.securityVulnerability.advisory.cvss.score)

| GitHub Dependabot score | Vulcan score |
|---|---|
| 1-10 | 1-10 |
Update Mechanisms
Status update mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the GitHub Dependabot connector for the vulnerabilities and assets in the Vulcan Platform.
| Update type | Mechanism |
|---|---|
| Archiving Assets | |
| Change of vulnerability instances status from "Vulnerable" to "Fixed" | |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only when the next scheduled sync completes.
API Endpoint in use
repositories(first: $numOfRepos, after: $cursor)
repository(name: $repoName)
→vulnerabilityAlerts(first: $numOfVulns, after: $cursor)
→securityVulnerability
repository(name: $repoName)
→refs(refPrefix: refs/tags/, first: $numOfTags, after: $cursor)
Note: To fetch all of the assets, including their tags and vulnerabilities, the Vulcan Platform requires read-only permissions, including the read:hook.
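The repository → vulnerabilityAlerts → securityVulnerability selection listed above, written out as one GraphQL query together with the first/after cursor loop needed to read every page; this is an added example, not the Vulcan connector's own code. It assumes the repository(name:) selection sits under organization(login:) and that pages are delimited by pageInfo { hasNextPage endCursor }; the transport is a constructed in-memory stand-in, so nothing is sent to GitHub.

```python
# Added example, not Vulcan's connector code. Assumptions: repository(name:) is
# selected under organization(login:), and pagination uses pageInfo { hasNextPage
# endCursor }. fake_execute is a constructed stand-in for a GraphQL transport.
ALERTS_QUERY = """
query($org: String!, $repoName: String!, $numOfVulns: Int!, $cursor: String) {
  organization(login: $org) {
    repository(name: $repoName) {
      vulnerabilityAlerts(first: $numOfVulns, after: $cursor) {
        pageInfo { hasNextPage endCursor }
        nodes {
          id state dismissReason createdAt vulnerableRequirements
          securityVulnerability {
            package { name }
            vulnerableVersionRange
            firstPatchedVersion { identifier }
            advisory {
              summary description cvss { score vectorString }
              identifiers { type value } cwes { edges { node { cweId } } } references { url }
            }
          }
        }
      }
    }
  }
}
"""

def fetch_all_alerts(execute, org, repo, page_size=100):
    """Run ALERTS_QUERY page by page, feeding endCursor back as $cursor until hasNextPage is false."""
    nodes, cursor = [], None
    while True:
        data = execute(ALERTS_QUERY, {"org": org, "repoName": repo, "numOfVulns": page_size, "cursor": cursor})
        conn = data["organization"]["repository"]["vulnerabilityAlerts"]
        nodes.extend(conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return nodes
        cursor = conn["pageInfo"]["endCursor"]

def fake_execute(all_nodes):
    """Constructed transport: serves all_nodes in pages of $numOfVulns, cursor = offset as a string."""
    def execute(query, variables):
        start = int(variables["cursor"] or 0)
        end = start + variables["numOfVulns"]
        return {"organization": {"repository": {"vulnerabilityAlerts": {
            "nodes": all_nodes[start:end],
            "pageInfo": {"hasNextPage": end < len(all_nodes), "endCursor": str(end)}}}}}
    return execute
```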
Data Validation
Validating and Comparing Data between Dependabot Connector and Vulcan
Matching Assets Count
Note: The Dependabot connector configuration page allows the selection of organizations for data retrieval. Users can also ingest personal repositories.
Private Repos:
Confirm the number of private repositories ingested from the Dependabot connector configuration.
Org Repos:
Verify the count of organization repositories ingested.
Sum of Private and Org Repos:
Confirm that the sum of private and organization repositories from Dependabot matches the assets count in Vulcan.
Matching Vulnerabilities Instances (Connections) Count
In Dependabot:
Click on a specific repository.
Navigate to the "Security" tab.
On the left menu, click on "Dependabot."
Confirm that the alerts count under the Dependabot tab matches the count in Vulcan.
Matching Unique Vulnerabilities Count
In Dependabot:
The unique vulnerabilities are retrieved from vulnerability instances.
Compare these by aggregating all instances.
Note that the unique identifier is based on the vulnerability title and description, considering potential differences in the description.
In Vulcan:
Confirm the count of unique vulnerabilities based on aggregated instances.
Ensure that the aggregator considers both title and description for uniqueness.
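To make the Code Projects mapping table and the unique-vulnerability count above concrete, here is an added example (not the Vulcan connector's own code) that maps constructed Dependabot alert nodes, shaped after the GraphQL field names in the mapping table, to the Vulcan fields, and then counts unique vulnerabilities by (title, description) the way the validation step describes. All alert data, package names, CVE ids and URLs are constructed placeholders.

```python
# Added example, not Vulcan's connector code: maps constructed Dependabot
# vulnerabilityAlerts nodes (shaped after the GraphQL fields in the mapping
# table) to Vulcan fields and counts unique vulnerabilities by (title, description).
STATUS_MAP = {"OPEN": "Vulnerable", "FIXED": "Fixed", "DISMISSED": "Ignored - Risk Acknowledged"}

def make_alert(alert_id, state, package, rng, summary, desc, score, cve, patched=None, reason=None):
    """Build a constructed alert node carrying the fields the mapping table references."""
    return {"id": alert_id, "state": state, "dismissReason": reason, "vulnerableRequirements": rng,
            "securityVulnerability": {
                "package": {"name": package}, "vulnerableVersionRange": rng,
                "firstPatchedVersion": {"identifier": patched} if patched else None,
                "advisory": {
                    "summary": summary, "description": desc,
                    "cvss": {"score": score, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
                    # identifiers carry a type (GHSA or CVE); only CVE values feed Vulcan's CVE/S field
                    "identifiers": [{"type": "GHSA", "value": "GHSA-placeholder"}, {"type": "CVE", "value": cve}],
                    "cwes": {"edges": [{"node": {"cweId": "CWE-1333"}}]},
                    "references": [{"url": "https://example.invalid/" + cve}]}}}

# Constructed sample: two instances of advisory A (one dismissed) and one of advisory B.
SAMPLE_ALERTS = [
    make_alert("RVA_1", "OPEN", "example-lib", "< 1.2.3", "Sample advisory A", "Desc A", 7.5, "CVE-0000-00001", "1.2.3"),
    make_alert("RVA_2", "DISMISSED", "example-lib", "< 1.2.3", "Sample advisory A", "Desc A", 7.5, "CVE-0000-00001", "1.2.3", "tolerable_risk"),
    make_alert("RVA_3", "FIXED", "other-lib", ">= 2.0, < 2.4", "Sample advisory B", "Desc B", 5.3, "CVE-0000-00002"),
]

def map_alert(node):
    """Translate one alert node into the Vulcan fields from the Code Projects mapping table."""
    sv = node["securityVulnerability"]
    adv = sv["advisory"]
    patched = sv.get("firstPatchedVersion") or {}  # null when no fixed version is published
    return {
        "instance_key": (sv["package"]["name"], node["vulnerableRequirements"]),  # instance uniqueness
        "unique_key": (adv["summary"], adv["description"]),  # unique vulnerability uniqueness
        "title": adv["summary"], "score": adv["cvss"]["score"],
        "status": STATUS_MAP.get(node["state"], node["state"]),
        "cve": [i["value"] for i in adv["identifiers"] if i["type"] == "CVE"],
        "cwe": [e["node"]["cweId"] for e in adv["cwes"]["edges"]],
        "details": {"Vulnerable Version Range": sv["vulnerableVersionRange"],
                    "First Patched Version": patched.get("identifier"),
                    "Vector String": adv["cvss"]["vectorString"]},
        "fix_title": f"Fix From Github Dependabot For {adv['summary']}",
        "fix_references": [r["url"] for r in adv["references"]],
        "connection_info": {"id": node["id"], "dismissReason": node["dismissReason"], "state": node["state"]},
    }

def unique_vulnerability_count(nodes):
    """Unique vulnerabilities = distinct (title, description) pairs across all instances."""
    return len({map_alert(n)["unique_key"] for n in nodes})
```

With the sample above, three vulnerability instances collapse to two unique vulnerabilities, which is the instance-versus-unique distinction the validation section asks you to check in both products.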