GitHub

GitHub is a web-based platform for version control and collaborative software development, facilitating code sharing, project management, and continuous integration.

If you are using the GitHub integration you will encounter many tests in the platform, so it is essential that your configuration is set correctly both in GitHub and in Secureframe.

GitHub Configuration

How do I update my API permission authorization so Secureframe can use the new GitHub functionality?

  1. Using your GitHub Organization account, navigate to Settings, then to Installed GitHub Apps in the left side navbar.
  2. You should see Secureframe listed under Installed GitHub Apps along with a request to update permissions.
  3. Click Configure and follow the steps provided to update the permissions of the Secureframe GitHub App.

Permissions, Fields Pulled, Controls and Automated Tests

  1. Click the provided link or navigate to the “Integrations” page.
  2. Select the “Available” tab.
  3. Search for the integration.
  4. Click “View Details”.

Rulesets

Secureframe pulls PR required approval counts from rulesets. If a repository has both rulesets and regular branch protection rules set, Secureframe follows GitHub’s policy of using the stricter of the two rules.

Important Note: Ruleset data is accessible by Secureframe if the repository is public or if the organization that the repository belongs to is on a non-free GitHub tier.

GitHub also applies an inheritance policy to permissions. For example, a repository forked from a private repository in a user account inherits that parent's access restrictions, so its rulesets will be inaccessible. If a ruleset access error occurs during a Secureframe sync, a warning is generated, but all other data is still synced. The remediation options are to transfer ownership of the repository to the organization or to change the parent repository's visibility to public.
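The following is an added example (not Secureframe's or GitHub's code) of how the "stricter of the two rules" policy above can be applied to real API responses. The two payloads are constructed to mirror the shape of GET /repos/{owner}/{repo}/branches/{branch}/protection and GET /repos/{owner}/{repo}/rules/branches/{branch}; the field names follow GitHub's public REST API documentation, while the repository, ruleset IDs and counts are made up. Passing None for the rules models the case where rulesets are inaccessible (free-tier or inherited-permission repository), so only branch protection is counted.

```python
"""Effective required-approval count for a branch: classic branch protection
combined with repository rulesets, stricter requirement wins.

Added example. The payloads below are constructed; field names mirror the
GitHub REST API, all values are made up.
"""
from __future__ import annotations

# Constructed sample: classic branch protection requiring 1 approval.
BRANCH_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
}

# Constructed sample: rules that apply to the branch. Two rulesets target it;
# one demands 2 approvals, the other only code-owner review with 0 approvals.
BRANCH_RULES = [
    {"type": "deletion", "ruleset_id": 10},
    {"type": "pull_request", "ruleset_id": 10,
     "parameters": {"required_approving_review_count": 2,
                    "require_code_owner_review": False}},
    {"type": "pull_request", "ruleset_id": 11,
     "parameters": {"required_approving_review_count": 0,
                    "require_code_owner_review": True}},
]


def approvals_from_branch_protection(protection: dict | None) -> int | None:
    """Approval count from classic branch protection, or None when pull
    request reviews are not required (or protection is absent)."""
    if not protection:
        return None
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        return None
    return int(reviews.get("required_approving_review_count", 0))


def approvals_from_rules(rules: list[dict] | None) -> int | None:
    """Strictest approval count demanded by any pull_request rule applying to
    the branch, or None when no such rule applies (or rules are unreadable)."""
    counts = [
        int(r.get("parameters", {}).get("required_approving_review_count", 0))
        for r in (rules or [])
        if r.get("type") == "pull_request"
    ]
    return max(counts) if counts else None


def effective_required_approvals(protection: dict | None,
                                 rules: list[dict] | None) -> int:
    """Stricter of the two sources. 0 means neither source requires approvals,
    which is the condition a required-approval test should flag."""
    candidates = [
        c for c in (approvals_from_branch_protection(protection),
                    approvals_from_rules(rules))
        if c is not None
    ]
    return max(candidates, default=0)


if __name__ == "__main__":
    # Rulesets readable: the 2-approval ruleset overrides the 1-approval rule.
    print(effective_required_approvals(BRANCH_PROTECTION, BRANCH_RULES))
    # Rulesets inaccessible: only branch protection counts.
    print(effective_required_approvals(BRANCH_PROTECTION, None))
```

A ruleset with required_approving_review_count of 0 is not the same as "no rule": it still forces changes through a pull request, which is why the count is collected rather than discarded, but it never lowers a stricter requirement from another source.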

Connecting Integration

To integrate GitHub with Secureframe, navigate to Integrations and search for “GitHub” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form.

Instructions on enabling the GitHub integration.

Enable GitHub Checks via CircleCI

  1. In the CircleCI app sidebar, select Organization Settings.
  2. Select VCS.
  3. Click the Manage GitHub Checks button.
  4. Select the repositories that should use checks and click the Install button.

After installation, the Checks tab on the GitHub PR view will populate with workflow status information. From here you can rerun workflows or navigate to the CircleCI app to view further information.

Verify that GitHub Checks is successfully enabled

After GitHub Checks is enabled, CircleCI workflow status is reported under the Checks tab on GitHub.

Each workflow step under Checks should show a Re-run button; that indicates that CircleCI is reporting through GitHub Checks successfully. More details can be found here.

Adjust repository scope after integrating

To modify a pre-existing connection, go to the Secureframe GitHub App settings:

  1. Navigate to Organization Settings.
  2. Click GitHub Apps.
  3. Select Configure next to Secureframe.
  4. Then select which repositories should be in scope.

Frequently Asked Questions (FAQ)

How do I enable the new functionality in Secureframe?

  1. Be sure you have accepted the updated GitHub permissions described in the procedure above.
  2. In the Secureframe application, navigate to the Company Monitoring dashboard, then to the Asset Inventory in the left navbar.
  3. Select the Version Control tab.
  4. For EACH in-scope repository, click the repository row and follow the instructions provided to update your repository settings. Note that if any fields are left empty, the associated test will fail with a message about missing configuration. (Note: users can now opt out of syncing public repositories if they choose.)
  5. You can also set the starting date from which version control testing runs by navigating to Integrations > GitHub > Settings. This date defaults to the date on which you connected GitHub in Secureframe. It can be useful to move this date forward if you did not have the proper compliance configuration in place at the time you connected GitHub. More information can be found here about how to configure the date. This date is compared against the pull request merge date.

What versions of GitHub are supported with the integration?

  • GitHub Pro
  • GitHub Teams
  • GitHub Enterprise Cloud. GitHub Enterprise Server is currently not supported.

What if I am connected to multiple version control tools in addition to GitHub?

  • The functionality described here is only available for GitHub. You may accept the updated GitHub App permissions and configure your repository settings; however, your version control related tests for the other tools will not be automated. When Secureframe releases the updates for the other version control tools, you will be able to take advantage of automated testing. Stay tuned for those updates!

Why aren’t checks that are in GitHub on commits or pull requests showing up in Secureframe?

  • Secureframe only pulls checks from the GitHub Checks API; results reported through the older commit status API are not read. Some applications that integrate with GitHub must be explicitly configured to use the Checks API to report workflow status. This requires the additional checks:write permission for the app running the checks.
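The distinction in the answer above is easy to verify against a commit. Below is an added example (not Secureframe's or CircleCI's code) that takes two constructed payloads mirroring GET /repos/{owner}/{repo}/commits/{ref}/check-runs and GET /repos/{owner}/{repo}/commits/{ref}/status (field names per GitHub's public REST API documentation; the app slugs, job names and states are made up) and lists which CI results exist only as legacy commit statuses. Those are the results a Checks-API-only consumer will never see, which is what happens with CircleCI before GitHub Checks is enabled.

```python
"""Which CI results on a commit are visible through the Checks API?

Added example with constructed payloads; field names mirror the GitHub REST
API, all values are made up.
"""
from __future__ import annotations

# Constructed: check runs created by apps holding checks:write.
CHECK_RUNS = {
    "total_count": 2,
    "check_runs": [
        {"name": "build", "status": "completed", "conclusion": "success",
         "app": {"slug": "circleci-checks"}},
        {"name": "CodeQL", "status": "completed", "conclusion": "success",
         "app": {"slug": "github-code-scanning"}},
    ],
}

# Constructed: legacy commit statuses. CircleCI without GitHub Checks reports
# as "ci/circleci: <job>" here and nowhere else.
COMMIT_STATUS = {
    "state": "success",
    "statuses": [
        {"context": "ci/circleci: test", "state": "success"},
        {"context": "ci/circleci: build", "state": "success"},
    ],
}


def checks_visible(check_runs: dict) -> list[str]:
    """Names of the check runs a Checks-API-only consumer sees on the commit."""
    return [run["name"] for run in check_runs.get("check_runs", [])]


def status_only_contexts(check_runs: dict, commit_status: dict) -> list[str]:
    """Status contexts with no matching check run. A dashboard that reads only
    the Checks API will report these results as missing."""
    seen = {name.lower() for name in checks_visible(check_runs)}
    missing = []
    for status in commit_status.get("statuses", []):
        ctx = status["context"]
        # "ci/circleci: build" -> "build"; keep the whole context if no prefix.
        job = ctx.split(":", 1)[1].strip().lower() if ":" in ctx else ctx.lower()
        if job not in seen:
            missing.append(ctx)
    return missing


def all_checks_passed(check_runs: dict) -> bool:
    """True only if every check run completed with conclusion success.
    No runs at all, an in_progress run, or a failed run is not a pass."""
    runs = check_runs.get("check_runs", [])
    return bool(runs) and all(
        run.get("status") == "completed" and run.get("conclusion") == "success"
        for run in runs
    )


if __name__ == "__main__":
    print("visible via Checks API:", checks_visible(CHECK_RUNS))
    print("status-only (invisible):",
          status_only_contexts(CHECK_RUNS, COMMIT_STATUS))
    print("all checks passed:", all_checks_passed(CHECK_RUNS))
```

Note that the commit status rollup is "success" in the sample even though one job never produced a check run; a green PR in the GitHub UI therefore does not guarantee that a Checks-API consumer sees the same evidence.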

Do you pull in all GitHub pull requests?

  • Secureframe only pulls in merged pull requests; pull requests that were closed without being merged are not pulled in.
  • For CircleCI, instructions to enable GitHub Checks are above.

Why am I seeing an "Invalid installation" error while connecting Secureframe to GitHub?

  • This may be because you are logged in to a personal account on GitHub. This integration requires a GitHub Organization account for installation.

Why is Dependabot failing?

Do I need to sync public repositories?

  • No, you can now opt out of syncing public repositories, because they are often not in scope.

Why is my "Code Dependency Testing (GitHub)" test failing when I have Dependabot enabled?

  • Because pull requests are evaluated at a point in time, Dependabot must be enabled before a pull request is merged; otherwise this test will not pass for that pull request.
  • Please also note that Secureframe does not support dependency testing tools in GitHub other than Dependabot.

Why is my "Code integration testing (GitHub)" test failing when we already have required status checks set up for PRs?

  • The most common issue is that the repository configuration in Secureframe is missing the code integration settings, which causes the test to fail.

Why is my "Code static application security testing (GitHub)" test failing?

  • One common issue is that Secureframe does not test historic pull requests (PRs).
  • A proper configuration must be in place before a PR is merged; otherwise the test will fail for that PR.

How do I connect a new GitHub repository?

  • First, confirm that the Secureframe app in GitHub has access to all repositories (or add the new repository to its scope).
  • Then re-sync the GitHub integration in Secureframe.

I am getting an "unable to access rulesets for repository glider" error. Why?

  • The most common reason for this error is your GitHub plan.
  • Ruleset data is accessible to Secureframe only if the repository is public or if the organization that owns the repository is on a non-free GitHub tier.

Why is my static code analysis test failing when I can see all the checks passing in my GitHub account?

  • One possible explanation is that the name of the repository has changed in GitHub but not been updated on the Secureframe side.
  • Check the configuration and ensure the repository name matches in Secureframe and GitHub.
