GitHub Dependabot Connector (new revision)

Learn all about integrating GitHub Dependabot into the Vulcan Platform

Updated over a week ago

Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.


Overview

About GitHub Dependabot

GitHub Dependabot provides automated dependency updates built into GitHub.

Why integrate GitHub Dependabot into the Vulcan Platform?

The GitHub Dependabot Connector by Vulcan integrates with the GitHub Dependabot platform to pull and ingest Code Project-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

GitHub Dependabot Connector details

Supported products

| Property | Value |
| --- | --- |
| Category | Application Security - SCA |
| Ingested asset type(s) | Code Projects |
| Integration type | Unidirectional (data is transferred from GitHub Dependabot to the Vulcan Platform in one direction) |
| Supported version and type | SaaS (latest) |


Connector Setup

Prerequisites and user permissions

Before you begin configuring the connector, make sure you have the following:

Generating GitHub Dependabot API Token

  1. Go to your GitHub Dependabot console > Account > Settings.

  2. Click on Developer Settings > Personal Access Token.

  3. Click on "Generate new token".

  4. Fill in the name and expiration date (recommended: set to "No expiration").

  5. Check to enable the following permissions ("Scopes"):

    1. repo (all permissions)

    2. read:packages

    3. read:org

    4. read:public_key

    5. read:repo_hook

    6. read:user

    7. user:email

  6. Click on Generate Token.

Note: To fetch all of the assets, including their tags and vulnerabilities, the Vulcan Platform requires read-only permissions, including the read:repo_hook scope.
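To check a generated token against the scope list above before handing it to the connector, the sketch below (an added example, not Vulcan or GitHub code) audits the value of the X-OAuth-Scopes response header that GitHub returns for classic personal access tokens. The header strings are constructed samples, and the function and key names are assumptions made for this illustration.

```python
# Scopes this page asks for when generating the token.
REQUIRED = {"repo", "read:packages", "read:org", "read:public_key",
            "read:repo_hook", "read:user", "user:email"}

# GitHub stores a normalized scope list: a broader parent scope replaces the
# read scopes it includes, so the header may show "user" instead of "read:user".
# Only parent scopes for the scopes on this page are listed here.
IMPLIED_BY = {
    "read:org": {"write:org", "admin:org"},
    "read:public_key": {"write:public_key", "admin:public_key"},
    "read:repo_hook": {"write:repo_hook", "admin:repo_hook"},
    "read:user": {"user"},
    "user:email": {"user"},
}

def parse_scopes(header_value):
    """Split the comma-separated X-OAuth-Scopes header value into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}

def audit_scopes(header_value):
    """Report missing scopes, broader-than-needed parents, and unrelated extras."""
    granted = parse_scopes(header_value)
    missing, used = set(), set()
    for scope in REQUIRED:
        if scope in granted:
            used.add(scope)
            continue
        parents = IMPLIED_BY.get(scope, set()) & granted
        if parents:
            used |= parents          # requirement met, but by a wider scope
        else:
            missing.add(scope)
    return {
        "missing": sorted(missing),
        "broader_than_needed": sorted(used - REQUIRED),
        "excess": sorted(granted - used),
    }

# Constructed sample header values (not taken from a real token).
SAMPLE_OK = ("repo, read:packages, read:org, read:public_key, "
             "read:repo_hook, read:user, user:email")
SAMPLE_BROAD = "repo, admin:org, user, read:packages, read:public_key, delete_repo"

if __name__ == "__main__":
    print(audit_scopes(SAMPLE_OK))
    print(audit_scopes(SAMPLE_BROAD))
```

Anything reported under broader_than_needed or excess grants more than the read access the note above describes and is a candidate for removal when the token is regenerated.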


Configuring the GitHub Dependabot Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the GitHub Dependabot icon.

  4. Set up the connector as follows:

  5. Click on Load Organization to select the organization you want to pull data from.

  6. Optional: Check the "Pull personal repositories from Github for Dependabot" option.

  7. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your GitHub Dependabot instance, then click Create (or Save Changes).

  8. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  9. Allow some time for the sync to complete. Then, you can review the sync status under Log.

  10. To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the GitHub Dependabot icon shows Connected, the connection is complete.


GitHub Dependabot in the Vulcan Platform

Locating GitHub Dependabot vulnerabilities in the Vulcan Platform

As GitHub Dependabot discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities via Connector by using the relevant filter:

  1. Open the Vulcan Platform dashboard and navigate to Vulnerabilities.

  2. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.

  3. Locate GitHub Dependabot on the vulnerability source/Connector list and click to filter results.

  4. Click on any vulnerability to view further information.
    Learn all about the Vulnerabilities page and Vulnerability Details here.

Locating GitHub Dependabot assets in the Vulcan Platform

To locate all retrieved Code Project assets from GitHub Dependabot:

  1. Open the Vulcan Cyber dashboard and navigate to Assets.

  2. Click on the Code Projects tab.

  3. Click on the Search or filter CodeProjects input box and select Connector from the drop-down selection.

  4. Locate the GitHub Dependabot option to view all synced assets.

Automating actions on vulnerabilities detected by GitHub Dependabot

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the GitHub Dependabot Connector.

Click here to learn how to create automation in the Vulcan Cyber Platform.


From GitHub Dependabot to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with GitHub Dependabot through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields. GitHub Dependabot data is mapped into Vulcan Code Projects. Each GitHub Dependabot report is mapped into a vulnerability instance in Vulcan.

Code Projects mapping

| GitHub Dependabot field | Vulcan field |
| --- | --- |
| node.id | Uniqueness criteria |
| node.name | Asset Name |
| Code Project | Asset type |
| node.securityVulnerability.package.name | Asset libraries - Name (SCA) |
| node.vulnerableRequirements | Asset libraries - Version (SCA) |
| node.name (from the tags calls) | Asset Tags - Vendor’s tags |
| node.languages.nodes → lang.name; Organization Repository: {{ organization }} (if not private); Private Repository (if private) | Asset Tags - Additional |
| active | Asset’s Status |
| Now | Last report |
| node.securityVulnerability.package.name; node.vulnerableRequirements | Vulnerability instance uniqueness criteria |
| node.createdAt | Vulnerability instance first seen |
| node.securityVulnerability.advisory.summary; node.securityVulnerability.advisory.description | Unique Vulnerability uniqueness criteria |
| node.securityVulnerability.advisory.summary | Vulnerability title |
| node.securityVulnerability.advisory.cvss.score | Vulnerability score |
| node.securityVulnerability.advisory.description | Vulnerability description |
| Vulnerable Version Range → node.securityVulnerability.vulnerableVersionRange; First Patched Version → node.securityVulnerability.firstPatchedVersion.identifier; Vector String → node.securityVulnerability.advisory.cvss.vectorString | Vulnerability details |
| node.state | Vulnerability status |
| node.securityVulnerability.advisory.cvss.score | CVSS |
| node.securityVulnerability.advisory.identifiers → value | CVE/S |
| node.securityVulnerability.advisory.cwes.edges → node.cweId | CWE |
| id → node.id; dismissReason → node.dismissReason; state → node.state | Vulnerability instance connection - additional information |
| Fix From Github Dependabot For {{ node.securityVulnerability.advisory.summary }} | Fix - Title |
| node.securityVulnerability.advisory.description (only the recommendation) | Fix - Description |
| node.securityVulnerability.advisory.references → url | Fix - References |

Vulnerability status mapping

| GitHub Dependabot Status | Vulcan Status |
| --- | --- |
| Open | Vulnerable |
| Fixed | Fixed |
| - | Ignored - False Positive |
| dismissed | Ignored - Risk Acknowledged |

Vulnerability score mapping

Score mapping is based on: cvss_score (node.securityVulnerability.advisory.cvss.score)

| GitHub Dependabot score | Vulcan score |
| --- | --- |
| 1-10 | 1-10 |

Update Mechanisms

Status update mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below describes how the status update mechanism works in the GitHub Dependabot connector for the vulnerabilities and assets in the Vulcan Platform.

| Update type | Mechanism |
| --- | --- |
| Archiving Assets | • By X days according to last seen: if the asset hasn’t been seen for X days, it is archived from Vulcan. • If the asset is not fetched in the last sync, it is archived. |
| Change of vulnerability instances status from "Vulnerable" to "Fixed" | • By status "fixed": if the connector reports a vulnerability status indicating that the vulnerability is fixed. • Non delta: if the vulnerability is not fetched again on the next sync, it is moved to "fixed". |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only when the next scheduled sync completes.


API Endpoint in use

  1. repositories(first: $numOfRepos, after: $cursor)

  2. repository(name: $repoName) → vulnerabilityAlerts(first: $numOfVulns, after: $cursor) → securityVulnerability

  3. repository(name: $repoName)refs(refPrefix: refs/tags/, first: $numOfTags, after: $cursor)

Note: To fetch all of the assets, including their tags and vulnerabilities, the Vulcan Platform requires read-only permissions, including the read:repo_hook scope.


Data Validation

Validating and Comparing Data between Dependabot Connector and Vulcan

Matching Assets Count

Note: The Dependabot connector configuration page allows the selection of organizations for data retrieval. Users can also ingest personal repositories.

Private Repos:

Confirm the number of private repositories ingested from Dependabot connector configuration.

Org Repos:

Verify the count of organization repositories ingested.

Sum of Private and Org Repos:

Confirm that the sum of private and organization repositories from Dependabot matches the assets count in Vulcan.

Matching Vulnerabilities Instances (Connections) Count

In Dependabot:

  1. Click on a specific repository.

  2. Navigate to the "Security" tab.

  3. On the left menu, click on "Dependabot."

  4. Confirm that the alerts count under the Dependabot tab matches the count in Vulcan.

Matching Unique Vulnerabilities Count

In Dependabot:

The unique vulnerabilities are retrieved from vulnerability instances.

  • Compare these by aggregating all instances.

  • Note that the unique identifier is based on the vulnerability title and description, considering potential differences in the description.

In Vulcan:

  • Confirm the count of unique vulnerabilities based on aggregated instances.

  • Ensure that the aggregator considers both title and description for uniqueness.
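The comparison described in this section can be reproduced offline from exported alert data. The sketch below is an added example, not Vulcan's implementation: it aggregates alert nodes into per-repository instance counts, Vulcan statuses (using the status mapping table on this page), and a unique-vulnerability count keyed on title plus description. The alert records are constructed samples, and the "repo" wrapper key and function names are assumptions made for this illustration.

```python
from collections import Counter

# Status mapping table from this page; states are compared case-insensitively.
STATUS_MAP = {"open": "Vulnerable", "fixed": "Fixed",
              "dismissed": "Ignored - Risk Acknowledged"}

def make_alert(repo, state, pkg, req, summary, description):
    """Build one record shaped like the node.* fields in the mapping table."""
    advisory = {"summary": summary, "description": description}
    return {"repo": repo, "node": {
        "state": state, "vulnerableRequirements": req,
        "securityVulnerability": {"package": {"name": pkg},
                                  "advisory": advisory}}}

# Constructed sample alerts (not real advisories or repositories).
SAMPLE_ALERTS = [
    make_alert("org/api", "OPEN", "libfoo", "= 1.2.0",
               "Example parser overflow", "Upgrade to 1.2.1."),
    make_alert("org/web", "FIXED", "libfoo", "= 1.2.0",
               "Example parser overflow", "Upgrade to 1.2.1."),
    # Same title as above but a different description: counted separately.
    make_alert("org/web", "DISMISSED", "libbar", "< 3.0",
               "Example parser overflow", "Upgrade to 3.0."),
    make_alert("me/tools", "OPEN", "libbaz", "= 0.9",
               "Example path traversal", "Upgrade to 1.0."),
]

def summarize(alerts):
    """Return the counts to compare against the Vulcan Platform."""
    per_repo, statuses = Counter(), Counter()
    titles, unique = set(), set()
    for alert in alerts:
        node = alert["node"]
        advisory = node["securityVulnerability"]["advisory"]
        per_repo[alert["repo"]] += 1
        # States outside the mapping table are reported, not silently dropped.
        statuses[STATUS_MAP.get(node["state"].lower(), "unmapped")] += 1
        titles.add(advisory["summary"])
        unique.add((advisory["summary"], advisory["description"]))
    return {"instances_per_repo": dict(per_repo),
            "statuses": dict(statuses),
            "distinct_titles": len(titles),
            "unique_vulnerabilities": len(unique)}

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```

A gap between distinct_titles and unique_vulnerabilities points to advisories that share a title but differ in description, which is the difference the uniqueness note above warns about.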
