Overview

This article walks through integrating GitHub with the SOOS app so that SOOS can scan your GitHub repositories for security risks.

Integration Steps

  1. From the welcome page, choose Integrate Project.

  • Alternatively, select the Integrate option in the left navigation menu.

 2.  Select the CI/CD/Repo option.

 3.  Click GitHub to open the SOOS app listing in the GitHub Marketplace. If you are not already signed in to GitHub, select “Sign in” to do so now.

 4.  Once signed in, click Configure.

 5.  Select the desired account from the dropdown list. Note the difference between an individual (personal) account and an organization account at this step: installing the app on your personal account grants SOOS access only to repositories owned by that account, not to your organization's repositories.

 6.  SOOS can scan all repositories or only the ones you select. Choose the option the installation should apply to, then click Install to complete the installation of the SOOS Security Analysis app. Granting access only to the repositories you actually intend to scan keeps the app's access to the minimum needed; the selection can be widened later from the installed app's settings in GitHub. Completing this step redirects you back to the main SOOS app window.

  7.  Return to the SOOS app, open the Configure settings, and enable GitHub Webhooks.

Scanning your Repos

Once the SOOS app is installed in GitHub, has been given access to the desired repositories, and webhooks are enabled, SOOS scans those repositories automatically once a day and on each commit you push; there is no need to initiate repo scans manually. Vulnerability and Violation data is shown in the SOOS app, organized by project, and is updated whenever changes are detected in the repository.

Although you do not need to initiate scans manually for GitHub repos, the Quickscan function lets you start a scan of a repo on demand rather than waiting for the scheduled daily scan.

To perform a GitHub Quickscan, do the following:

  1. Select Quickscan from the left navigation menu, then select the GitHub option.
  2. Select a repository and click Run Analysis.
    • Note: The example below shows a single integrated GitHub repository. If “All repositories” was selected during installation of the SOOS app in GitHub, the full list of repositories associated with the integrated account is displayed instead. Only one repo can be selected at a time for a Quickscan.

  3. The scan begins, as indicated by a loading icon in the left navigation menu.

  4. When the scan completes, a project card for the repo is displayed on the dashboard.