Overview

This article walks through integrating GitHub with the SOOS app so that SOOS can scan your GitHub repositories for security risks.

Please note: Your SOOS account will support one GitHub organization. To scan repositories across multiple GitHub organizations, multiple SOOS accounts are required.  See also SOOS CI/CD integrations.

Integration Steps

  1.  From the welcome page, choose Integrate with GitHub.

[Screenshot: Welcome screen menu]

  • Alternatively, select the Integrate option in the left navigation menu, click into the Manifest Scan (SCA) tab and select the GitHub link at the bottom of the list of integration options to navigate directly to the SOOS app in the GitHub marketplace.

[Screenshot: Left navigation menu]

[Screenshot: Manifest Scan (SCA) tab with the GitHub link]

  3.  If you are not already signed in to GitHub, select Sign in to do so now.

[Screenshot: GitHub sign in]

  4.  Once signed in, click Configure.

[Screenshot: GitHub configure]

  5.  Select the desired account from the dropdown list. Note the difference between individual and company (organization) accounts at this step: installing on an individual account does not give SOOS access to scan the company's repositories.

[Screenshot: GitHub Install SOOS Security Analysis]

  6.  SOOS can scan all repositories or only the specific repositories you select. Choose the option the installation should apply to.

  7.  Click Install to complete the installation of the SOOS Security Analysis app. Completing this step redirects you back to the main SOOS app window.

[Screenshot: GitHub select desired repositories and Install]


  8.  Upon returning to the SOOS app, you will see the GitHub Integration page. Click Configure to open the GitHub Settings and turn on the Enable GitHub Webhooks setting.

Note:

  • Webhooks must be enabled for SOOS to scan a repo automatically whenever a change is committed (only for the repos SOOS was given access to in step 7 above).
  • If Webhooks are not enabled, you must use the GitHub QuickScan function to start scans manually. A QuickScan covers only one repo at a time.

[Screenshot: Configure GitHub in SOOS]

[Screenshot: GitHub Webhook settings]

  9.  After configuring the GitHub Webhook setting, configure the Branch Scan Filters. These set which branches are scanned on each Webhook request and which branches are rescanned daily (rather than only after a commit).

  • By default only the Master and Main branches are scanned daily; add or remove branches as desired.

Note: GitHub QuickScans can be run on any branch of the user's choice; the Branch Scan Filter has no effect on QuickScans.

[Screenshot: SOOS Branch Scan Filter]
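After finishing the steps above, it is worth confirming from the GitHub side that the app landed where you intended: on the organization rather than a personal account (step 5), and with the repository coverage you chose (step 6). The script below is an added example and is not SOOS code. It summarizes the JSON that GitHub's REST endpoint `GET /user/installations` returns (for example via `gh api /user/installations`) and prints a warning for each installation that does not match what the article expects. The app slug `soos`, the organization name `example-org`, the embedded sample payload and the assumption that SOOS relies on `push` events to trigger the commit-driven scans are all mine, not from the page; check the slug in your own marketplace URL.

```python
"""Summarize GitHub App installations and flag the mistakes the SOOS article warns about.

Added example, not SOOS code. Reads the JSON from GET /user/installations
(e.g. `gh api /user/installations > installations.json`) or, with no argument,
a constructed sample payload embedded below.
"""
import json
import sys

APP_SLUG = "soos"  # assumed marketplace slug of the SOOS app; verify against your installation URL


def summarize_installations(payload, expected_org, app_slug=APP_SLUG):
    """Return one summary dict per installation of `app_slug`, each with a list of warnings."""
    findings = []
    for inst in payload.get("installations", []):
        if inst.get("app_slug") != app_slug:
            continue  # some other GitHub App; not relevant here
        account = inst.get("account") or {}
        login, acct_type = account.get("login"), account.get("type")
        warnings = []
        # Step 5: an individual account installation does not cover the organization's repos.
        if acct_type != "Organization":
            warnings.append(
                f"installed on {str(acct_type).lower()} account '{login}', not an organization: "
                "company repositories will not be scanned"
            )
        elif login != expected_org:
            warnings.append(f"installed on organization '{login}', not '{expected_org}'")
        # Step 6: 'selected' means new repositories must be added to the installation by hand.
        if inst.get("repository_selection") != "all":
            warnings.append(
                "installation covers only selected repositories: repos outside the selection "
                "(including new ones) cannot be scanned until they are added"
            )
        # Assumption: commit-triggered scans depend on the app receiving push events.
        if "push" not in (inst.get("events") or []):
            warnings.append("installation is not subscribed to push events, so commits cannot trigger automatic scans")
        findings.append({
            "id": inst.get("id"),
            "account": login,
            "account_type": acct_type,
            "repository_selection": inst.get("repository_selection"),
            "warnings": warnings,
        })
    return findings


# Constructed sample in the shape of GET /user/installations; not real data.
SAMPLE = {
    "total_count": 3,
    "installations": [
        {"id": 101, "app_slug": "soos", "repository_selection": "all", "events": ["push"],
         "account": {"login": "alice", "type": "User"}},
        {"id": 102, "app_slug": "soos", "repository_selection": "selected", "events": ["push"],
         "account": {"login": "example-org", "type": "Organization"}},
        {"id": 103, "app_slug": "some-other-app", "repository_selection": "all", "events": ["issues"],
         "account": {"login": "example-org", "type": "Organization"}},
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            payload = json.load(fh)
    else:
        payload = SAMPLE
    expected_org = argv[2] if len(argv) > 2 else "example-org"
    for finding in summarize_installations(payload, expected_org):
        status = "OK" if not finding["warnings"] else "CHECK"
        print(f"[{status}] installation {finding['id']} on {finding['account_type']} "
              f"'{finding['account']}' (repos: {finding['repository_selection']})")
        for warning in finding["warnings"]:
            print(f"    - {warning}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python check_installs.py installations.json your-org` after saving the output of `gh api /user/installations` (the token must belong to a user who can see the organization's installations). With the embedded sample it reports the personal-account installation and the `selected` repository scope, which are exactly the two conditions under which repos silently go unscanned.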


See our GitHub QuickScan article to begin scanning your GitHub repositories.