Am I reading the right user guide?
Some connectors have more than one user guide, depending on your environment's setup and on the connector's available releases (new vs. previous revisions).
To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. Doing so will direct you to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.
Overview
About GitHub Code and Secret Scanning
GitHub Code scanning is a feature that analyzes the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub. You can use code scanning to find, triage, and prioritize fixes for existing problems in your code.
GitHub Secret scanning alerts for partners run automatically on public repositories and public npm packages to notify service providers about leaked secrets on GitHub.com.
Why integrate GitHub Code Scanning into the Vulcan platform?
The GitHub Code Scanning Connector by Vulcan integrates with the GitHub platform to pull and ingest Code Project assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform processes the report's findings to correlate, consolidate, and contextualize the ingested data, which in turn drives risk and remediation priority.
GitHub Code Scanning Connector Details
| Detail | Value |
|---|---|
| Supported products | |
| Category | Application Security - SAST |
| Ingested asset type(s) | Code Projects |
| Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
| Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
The integration user must be a member of the organization. External collaborator users are not supported.
Generating a GitHub API key
Generate a personal access token (PAT) in GitHub with the following configuration and access scopes:
Expiration: No Expiration
Scopes (sub-scopes are indented under their parent scope):
repo
    repo:status
    repo_deployment
    public_repo
    security_events
write:packages
    read:packages
admin:org
    read:org
admin:repo_hook
    read:repo_hook
user
    read:user
    user:email
Note: To fetch all of the assets, including their tags and vulnerabilities, the Vulcan Platform requires read-only permissions, including the read:repo_hook scope.
Enabling relevant alerts and security options on GitHub
To activate the "Code scanning alerts" security option in GitHub:
Go to the relevant repository on GitHub > Security.
Enable the "Code scanning alerts" option.
Note: The activation is per repository.
To enable the "Code scanning" and "Secret scanning" security options in GitHub:
Go to the relevant repository on GitHub > Security.
Enable the "Code scanning" and "Secret scanning" options.
Note: The activation is per repository.
Configuring the GitHub Code Scanning Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the GitHub Code Scanning icon.
Set up the Connector as follows:
Enable the relevant fetching options and load the organization you want to sync.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your GitHub Code Scanning instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Optional: Configure the connector to archive assets in the Vulcan Platform if their status changes to "Archived" in GitHub.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Connector's status icon shows Connected, the sync is complete.
GitHub Code Scanning in the Vulcan Platform
Viewing GitHub vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select GitHub Code Scanning from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing GitHub Code Scanning assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or Filter input box to select Connector from the drop-down selection.
Select GitHub Code Scanning from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type.
Taking Action on vulnerabilities and assets detected by GitHub Code Scanning
To take remediation action on vulnerabilities and assets detected by GitHub Code Scanning:
Go to the Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the GitHub Code Scanning option to view all synced vulnerabilities/assets.
Select the relevant vulnerability from the results list.
Click Take Action.
Automating remediation actions on vulnerabilities detected by GitHub Code Scanning
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the GitHub Code Scanning Connector.
From GitHub to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with GitHub through its API to pull the relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields.
Code Project field mapping
| GitHub Code Scanning field | Vulcan field | Value Example |
|---|---|---|
| node.id | Asset Uniqueness criteria | |
| node.name | Asset Name | |
| Code Projects | Asset type | |
| description (About) | Asset details | |
| node.name (tags endpoint) | Asset Vendor's tags | |
| Languages; Organization Repository: {{ organization }} (if not private); Private Repository (if private) | Asset Additional tags | |
| node.isArchived | Asset state | |
| node.createdAt | Asset first seen | |
| node.updatedAt | Asset last seen | |
| rule.description (Code Scanning) OR secret_type_display_name (Secret Scanning) | Unique Vulnerability uniqueness criteria | |
| rule.description (Code Scanning) OR secret_type_display_name (Secret Scanning) | Unique Vulnerability title | |
| rule.security_severity_level (see Vulnerability score mapping below) | Unique Vulnerability score | |
| rule.full_description | Unique Vulnerability description | |
| html_url; rule.security_severity_level | Unique Vulnerability details | |
| rule.tags | Unique Vulnerability CVE/s | |
| rule.tags | Unique Vulnerability CWE | |
| asset key + vulnerability key + number | Vulnerability instance (Asset-Vulnerability connection) uniqueness criteria | |
| created_at | Vulnerability instance first seen | |
| updated_at | Vulnerability instance last seen | |
| most_recent_instance.location.path (Code Scanning) or details.path (Secret Scanning) | Vulnerability instance codebase SAST file name | |
| most_recent_instance.location.start_line (Code Scanning) or details.start_line (Secret Scanning) | Vulnerability instance codebase SAST file location | |
| most_recent_instance.message.text (description); most_recent_instance.category | Vulnerability instance additional information | |
| rule.help | Solution uniqueness criteria | |
| GitHub Recommendation | Solution Title | |
| rule.help | Solution Description | |
| References | Solution Reference | |
Vulnerability status mapping
| GitHub Code Scanning Status | Vulcan Status | Note/Example |
|---|---|---|
| open | Vulnerable | |
| fixed, resolved | Fixed | |
| dismissed + dismissed_reason = false positive | Ignored - false positive | |
| dismissed, closed | Ignored risk acknowledged | |
Vulnerability score mapping
| GitHub Code Scanning score | Vulcan score |
|---|---|
| Critical | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| Note | 0 |
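As an added illustration of the three mapping tables above (field, status and score), and not code from Vulcan or GitHub: a Python sketch that turns one GitHub code-scanning alert into a Vulcan-style record. The repository and alert payloads are constructed, and the `external/cwe/cwe-NNN` tag format used to extract CWE ids is an assumption (the CodeQL convention, not something this guide states); secret-scanning alerts are not covered.

```python
import re

SCORE_MAP = {"critical": 10, "high": 7, "medium": 5, "low": 3, "note": 0}  # "Vulnerability score mapping" table
# Assumed tag format (CodeQL convention, not stated in the guide): "external/cwe/cwe-079" -> CWE-79
CWE_TAG = re.compile(r"cwe-0*(\d+)", re.IGNORECASE)
# Constructed sample: one code-scanning alert from a hypothetical repository (not real data).
SAMPLE_REPO = {"id": "R_kgDOExample", "name": "payments-api", "isArchived": False}
SAMPLE_ALERT = {
    "number": 42, "state": "dismissed", "dismissed_reason": "false positive",
    "created_at": "2024-01-10T09:00:00Z", "updated_at": "2024-02-01T12:30:00Z",
    "html_url": "https://github.com/example-org/payments-api/security/code-scanning/42",
    "rule": {"description": "SQL query built from user-controlled sources", "help": "Use parameterized queries.",
             "full_description": "Building a SQL query from user input allows injection.",
             "security_severity_level": "high", "tags": ["security", "external/cwe/cwe-089", "external/cwe/cwe-564"]},
    "most_recent_instance": {"category": ".github/workflows/codeql.yml:analyze",
                             "location": {"path": "app/db.py", "start_line": 118},
                             "message": {"text": "This query depends on a user-provided value."}},
}

def map_status(state, dismissed_reason=None):
    """GitHub alert state -> Vulcan status, per the guide's status mapping table."""
    state, reason = (state or "").lower(), (dismissed_reason or "").lower()
    if state == "open":
        return "Vulnerable"
    if state in ("fixed", "resolved"):
        return "Fixed"
    if state in ("dismissed", "closed"):
        false_positive = state == "dismissed" and reason == "false positive"
        return "Ignored - false positive" if false_positive else "Ignored risk acknowledged"
    raise ValueError(f"unmapped alert state: {state!r}")

def cwes_from_tags(tags):
    """Pull CWE identifiers out of rule.tags, normalised to 'CWE-<n>' (leading zeros dropped)."""
    return sorted({f"CWE-{n}" for t in tags for n in CWE_TAG.findall(t)})

def map_code_scanning_alert(repo, alert):
    """Build the Vulcan-side record for one alert, following the guide's field mapping table."""
    rule, inst = alert["rule"], alert["most_recent_instance"]
    vuln_key = rule["description"]  # unique vulnerability uniqueness criteria and title
    return {
        "asset_key": repo["id"], "asset_name": repo["name"], "asset_archived": repo["isArchived"],
        "vuln_key": vuln_key, "title": vuln_key, "description": rule.get("full_description"),
        "score": SCORE_MAP.get((rule.get("security_severity_level") or "").lower()),  # unmapped level -> None
        "details": f'{alert["html_url"]} ({rule.get("security_severity_level")})', "solution": rule.get("help"),
        "cwe": cwes_from_tags(rule.get("tags", [])), "status": map_status(alert["state"], alert.get("dismissed_reason")),
        "instance_key": f'{repo["id"]}:{vuln_key}:{alert["number"]}',  # asset key + vulnerability key + number
        "first_seen": alert["created_at"], "last_seen": alert["updated_at"],
        "file": inst["location"]["path"], "line": inst["location"]["start_line"],
        "info": f'{inst["message"]["text"]} [{inst.get("category", "")}]',
    }
```

Running `map_code_scanning_alert(SAMPLE_REPO, SAMPLE_ALERT)` yields a record with status "Ignored - false positive" and score 7, which is the row you would expect to see in Vulcan for a dismissed high-severity alert.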
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the GitHub Code Scanning connector for the vulnerabilities and assets in the Vulcan Platform.
| Update type in Vulcan | Mechanism (When?) |
|---|---|
| The asset is archived | Asset not seen for X days according to "Last Seen"; or asset status on the connector's side is "archived". |
| The vulnerability instance status changes to "Fixed" | Vulnerability status on the connector's side changes to "Fixed" or "Resolved". |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
To fetch all of the assets, including their tags and vulnerabilities, the Vulcan Platform requires read-only permissions, including the read:repo_hook scope.
| API | Use in Vulcan |
|---|---|
| | organizations, assets, tags (asset enrichment) |
| | unique vulnerabilities, vulnerability instances |
| | solutions |
| | unique vulnerabilities, vulnerability instances |
| | unique vulnerabilities, vulnerability instances |
Data Validation
The purpose of this "Data Validation" section is to provide a clear understanding of how data from GitHub appears when ingested into the Vulcan Platform.
Matching Assets
The number of repositories ingested into Vulcan should match those in the selected GitHub organization, including private repositories if checked in the connector’s configuration.
Note: Archived repositories aren’t ingested.
Matching Vulnerability Instances
In GitHub, go to the repository > Security tab.
The count of issues shown for code scanning and secret scanning should match the number of vulnerability instances for the same repository in Vulcan.
Note: If only one of the scanners is configured, the vulnerability instances will match that scanner's count.