GitHub Enterprise Server is now supported
- Visualize GitHub users, teams, code repositories, pull requests, issues, installed GitHub applications, organizational secrets, repo secrets, repo environments, and environmental secrets in the JupiterOne graph.
- Map GitHub users to employees in your JupiterOne account.
- Map GitHub users to development/security trainings.
- Monitor GitHub software development activities within repositories including changes, reviews and approvals.
- Monitor changes to GitHub user teams, users, code repositories, and pull requests using JupiterOne alerts.
- Monitor installations of GitHub Apps using JupiterOne alerts.
- Monitor and audit outside collaborators on code repositories.
- JupiterOne periodically fetches installed GitHub apps, users, teams, code repositories, and recently created/changed pull requests and issues in those repositories to update the graph.
- Write JupiterOne queries to review and monitor updates to the graph.
- Configure alerts to take action when the JupiterOne graph changes.
The integration limits ingestion of pull requests and issues during each execution to the 500 most recently created/modified since the last execution. This process is cumulative: issues and pull requests that have already been ingested but are not changing remain in the graph.
Secret scanning findings are assigned a critical severity by default.
- JupiterOne requires the JupiterOne GitHub app with read-only permissions be installed in your GitHub Organization account.
- You must have permission in JupiterOne to install new integrations.
- If setting up for GitHub Enterprise Server, the URL to your instance is required.
- Note: GitHub Enterprise Server Versions 3.3.3 and above have been verified as compatible with this integration. Other versions may work but are not fully supported.
If you need help with this integration, please contact JupiterOne Support.
Upon creating a new GitHub integration configuration in JupiterOne, the user is redirected to GitHub to install the JupiterOne GitHub App. The App will request read-only permissions to support ingestion of entities and relationships.
- Actions: Read-only
- Administration: Read-only
- Dependabot alerts: Read-only
- Discussions: Read-only
- Environments: Read-only
- Issues: Read-only (enables both Issues and private-repo PRs)
- Metadata: Read-only
- Pages: Read-only
- Pull requests: Read-only
- Secrets: Read-only
- Administration: Read-only
- Members: Read-only
- Secrets: Read-only
- Events: Read-only
- None
Note that the Secrets API does not reveal the values of Secrets - only their names and creation dates.
GitHub References:
- https://developer.github.com/apps/building-github-apps/setting-permissions-for-github-apps/
- https://developer.github.com/v3/apps/permissions/#metadata-permissions
- https://developer.github.com/v3/apps/permissions/#permission-on-contents
- https://docs.github.com/en/rest/reference/actions#secrets
- https://docs.github.com/en/rest/reference/permissions-required-for-github-apps#permission-on-secrets
- From the top navigation of the J1 Search homepage, select Integrations.
- Scroll to the GitHub integration tile and click it.
- Click the Add Configuration button and configure the following settings:
- Enter the Account Name by which you'd like to identify this GitHub account in JupiterOne. Ingested entities will have this value stored in `tag.AccountName` when Tag with Account Name is checked.
- Enter a Description that will further assist your team when identifying the integration instance.
- Select a Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as `DISABLED` and manually execute the integration.
- Click Create Configuration once all values are provided.
This integration uses many steps to retrieve data. Some of the steps depend on others. If there is a crash or error, it might be helpful to understand the hierarchy of step dependency.
- The root step is `fetch-account`. All other steps depend on it.
- There are four steps that depend only on `fetch-account`. These are `fetch-apps`, `fetch-repos`, `fetch-users`, and `fetch-teams`. These could be considered primary steps.
- Other steps logically require multiple primary steps to complete. Examples include `fetch-collaborators`, `fetch-team-members`, and `fetch-team-repos`.
- Finally, some sophisticated steps require both primary steps and secondary steps before they can execute. For example, `fetch-prs` needs both `fetch-repos` and `fetch-collaborators` in order to properly label reviewers and approvers.
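When an execution crashes, the practical question is which steps could not have run because a step they depend on failed. The following is an added example, not code from the JupiterOne integration: it models only the steps and dependencies named above (the dependencies of `fetch-collaborators`, `fetch-team-members` and `fetch-team-repos` on specific primary steps are assumptions; the real integration has more steps), derives a valid execution order with a topological sort, and computes the set of steps blocked by a failure of any one step.

```python
"""Execution order and failure blast radius for the documented fetch steps.

Added example; not the integration's own code. The dependency map is a
constructed, partial model of the step hierarchy described in the docs.
"""
from collections import deque

# step -> steps it depends on
STEP_DEPENDENCIES = {
    "fetch-account": [],                                   # documented root
    "fetch-apps": ["fetch-account"],                       # documented primary
    "fetch-repos": ["fetch-account"],                      # documented primary
    "fetch-users": ["fetch-account"],                      # documented primary
    "fetch-teams": ["fetch-account"],                      # documented primary
    "fetch-collaborators": ["fetch-repos", "fetch-users"], # assumed: needs repos and users
    "fetch-team-members": ["fetch-teams", "fetch-users"],  # assumed: needs teams and users
    "fetch-team-repos": ["fetch-teams", "fetch-repos"],    # assumed: needs teams and repos
    "fetch-prs": ["fetch-repos", "fetch-collaborators"],   # documented
}


def _dependents(deps):
    """Invert the map: step -> steps that depend directly on it."""
    out = {step: [] for step in deps}
    for step, parents in deps.items():
        for parent in parents:
            if parent not in out:
                raise ValueError(f"{step} depends on unknown step {parent}")
            out[parent].append(step)
    return out


def execution_order(deps):
    """Kahn's algorithm: every step appears after all of its dependencies.

    Ties are broken alphabetically so the result is deterministic.
    Raises ValueError if the dependency graph contains a cycle.
    """
    dependents = _dependents(deps)
    indegree = {step: len(parents) for step, parents in deps.items()}
    ready = deque(sorted(s for s, n in indegree.items() if n == 0))
    order = []
    while ready:
        step = ready.popleft()
        order.append(step)
        for child in sorted(dependents[step]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        raise ValueError("dependency cycle detected")
    return order


def blocked_by_failure(deps, failed):
    """Steps that cannot run (directly or transitively) if `failed` crashes."""
    dependents = _dependents(deps)
    blocked = set()
    queue = deque([failed])
    while queue:
        step = queue.popleft()
        for child in dependents[step]:
            if child not in blocked:
                blocked.add(child)
                queue.append(child)
    return blocked


if __name__ == "__main__":
    print("execution order:", " -> ".join(execution_order(STEP_DEPENDENCIES)))
    for step in STEP_DEPENDENCIES:
        print(f"if {step} fails, blocked: {sorted(blocked_by_failure(STEP_DEPENDENCIES, step))}")
```

Running the script prints a valid order and, for each step, the steps that would be skipped if it failed; a crash in `fetch-repos`, for instance, leaves `fetch-collaborators`, `fetch-team-repos` and `fetch-prs` unexecuted, which explains missing reviewer and approver relationships on pull requests.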
- From the top navigation of the J1 Search homepage, select Integrations.
- Scroll to the GitHub integration tile and click it.
- Identify and click the integration to delete.
- Click the trash can icon.
- Click the Remove button to delete the integration.
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Account | github_account | Account |
| GitHub Code Scanning Alerts | github_code_scanning_finding | Finding |
| GitHub Env Secret | github_env_secret | Secret |
| GitHub Secret Scanning Alert | github_secret_scanning_finding | Finding |
| GitHub Vulnerability Alert | github_finding | Finding |
| Github App | github_app | Application |
| Github Branch Protection Rule | github_branch_protection_rule | Rule |
| Github Environment | github_environment | Configuration |
| Github Issue | github_issue | Issue |
| Github Org Secret | github_org_secret | Secret |
| Github Pull Request | github_pullrequest | PR |
| Github Repo | github_repo | CodeRepo |
| Github Repo Secret | github_repo_secret | Secret |
| Github Team | github_team | UserGroup |
| Github User | github_user | User |
The following relationships are created:
| Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
| github_account | INSTALLED | github_app |
| github_account | HAS | github_org_secret |
| github_account | OWNS | github_repo |
| github_account | HAS | github_team |
| github_account | HAS | github_user |
| github_app | OVERRIDES | github_branch_protection_rule |
| github_env_secret | OVERRIDES | github_org_secret |
| github_env_secret | OVERRIDES | github_repo_secret |
| github_environment | HAS | github_env_secret |
| github_pullrequest | CONTAINS | github_pullrequest |
| github_repo | HAS | github_branch_protection_rule |
| github_repo | HAS | github_code_scanning_finding |
| github_repo | USES | github_env_secret |
| github_repo | HAS | github_environment |
| github_repo | HAS | github_finding |
| github_repo | HAS | github_issue |
| github_repo | USES | github_org_secret |
| github_repo | HAS | github_pullrequest |
| github_repo | HAS | github_repo_secret |
| github_repo | USES | github_repo_secret |
| github_repo | HAS | github_secret_scanning_finding |
| github_repo | ALLOWS | github_team |
| github_repo | ALLOWS | github_user |
| github_repo_secret | OVERRIDES | github_org_secret |
| github_team | OVERRIDES | github_branch_protection_rule |
| github_team | HAS | github_user |
| github_user | MANAGES | github_account |
| github_user | OVERRIDES | github_branch_protection_rule |
| github_user | ASSIGNED | github_issue |
| github_user | CREATED | github_issue |
| github_user | APPROVED | github_pullrequest |
| github_user | OPENED | github_pullrequest |
| github_user | REVIEWED | github_pullrequest |
The following mapped relationships are created:
| Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
| github_finding | IS | *cve* | FORWARD |
| github_finding | EXPLOITS | *cwe* | FORWARD |
| github_issue | ASSIGNED | *github_user* | REVERSE |
| github_issue | CREATED | *github_user* | REVERSE |
| github_pullrequest | APPROVED | *github_user* | REVERSE |
| github_pullrequest | OPENED | *github_user* | REVERSE |
| github_pullrequest | REVIEWED | *github_user* | REVERSE |
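The entity and relationship tables above are what JupiterOne queries traverse. The following J1QL queries are added examples, not queries shipped with the integration; they use only the entity `_type` and relationship `_class` values from the tables. The first lists repositories with no ingested branch protection rule, the second lists every user, team or app that can override a branch protection rule on a repository, and the third lists repositories carrying critical secret scanning findings (the `severity` and `name` property names are assumptions based on JupiterOne's standard Finding and entity properties).

```j1ql
FIND github_repo AS repo THAT !HAS github_branch_protection_rule
  RETURN repo.name, repo.displayName

FIND github_repo AS repo
  THAT HAS github_branch_protection_rule AS rule
  THAT OVERRIDES << (github_user|github_team|github_app) AS actor
  RETURN repo.name, rule.displayName, actor._type, actor.displayName

FIND github_repo AS repo
  THAT HAS github_secret_scanning_finding WITH severity = 'critical' AS finding
  RETURN repo.name, finding.displayName, finding.severity
```

The `<<` in the second query reverses the traversal, because the OVERRIDES edges in the table run from the user, team or app to the rule. Each query can be saved as a JupiterOne alert rule so that a new unprotected repository, a new override grant, or a new critical secret finding triggers a notification on the next integration run.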