This article walks through the steps needed to integrate GitHub with the SOOS app so that your GitHub repositories can be scanned for security risks.
Please note: Your SOOS account will support one GitHub organization. To scan repositories across multiple GitHub organizations, multiple SOOS accounts are required. See also SOOS CI/CD integrations.
1. From the welcome page, choose Integrate with GitHub.
2. Alternatively, select the Integrate option in the left navigation menu, click into the Manifest Scan (SCA) tab, and select the GitHub link at the bottom of the list of integration options to navigate directly to the SOOS app in the GitHub Marketplace.
3. If not already signed in to GitHub, select Sign in to do this now.
4. Once logged in, click Configure.
5. Select your desired account from the dropdown list. Note the difference between individual and company accounts at this step. Selecting an individual account will not provide SOOS access to scan company repos.
6. SOOS can scan all repositories, or only the specific ones you select. Choose the option the installation should apply to.
7. Click Install to complete the installation of the SOOS Security Analysis app. Completing this step will redirect back to the main SOOS app window.
8. Upon returning to the SOOS app, you will see the GitHub Integration page. Click Configure to open the GitHub Settings and turn on the Enable GitHub Webhooks setting.
- Enabling Webhooks is necessary to allow SOOS to auto-scan your repos whenever a change is committed (only for those repos that SOOS was given access to in step 7 above).
- If Webhooks are not enabled, you will be required to use the GitHub QuickScan function to manually initiate scans. QuickScans can only be performed on one repo at a time.
9. After configuring the GitHub Webhook setting, configure the Branch Scan Filters to set which branches should be scanned with each Webhook request and which branches should be rescanned daily (rather than only after change commits).
Main branches are scanned daily by default; add or remove branches as desired.
Note - GitHub QuickScans can be performed on any branch of the user's choice; the Branch Scan Filter has no impact on QuickScans.
Perform a GitHub QuickScan
Select Scan under Scan a repository on the GitHub Integration page shown in the screenshot above.
- Select GitHub QuickScan from the left navigation menu.
- Select a Repository and Branch and click Scan.
- A scan will begin, as indicated by a loading icon in the left navigation menu.
- When the scan is complete, the project is displayed on the dashboard with the associated branch. Click the project to open the Project Details and view information about the identified issues.