GitHub Application Vulnerability Integration
- Updated Aug 1, 2024
- Xanadu
- Application Vulnerability Response
The GitHub Application Vulnerability Integration imports static application security testing (SAST) and software composition analysis (SCA) data so that you can view vulnerability alerts for the repositories in your GitHub environment.
GitHub Application Vulnerability Integration
The GitHub Application Vulnerability Integration collects scanner data and makes that data available to the ServiceNow AI Platform®. It integrates with the Application Vulnerability Response feature of ServiceNow® Vulnerability Response to map GitHub alerts to third-party vulnerability entries in your instance.
The GitHub environment supports multiple organizations. These organizations, whether on-premises or Enterprise, might contain various departments, such as Engineering, Quality, Documentation, and so on. Each organization, in turn, can contain multiple repositories. After you import your application data with the GitHub Repos Integration, you can import vulnerability and alert data from these repositories. Each imported repository is processed as an application in Application Vulnerability Response, and when scanners detect vulnerabilities and raise alerts for a repository, the corresponding application vulnerable items are created in Application Vulnerability Response.
Each integration record has a configured run-as user. The default value is VR.System; do not change it.
Available versions
Release version | Release notes |
---|---|
GitHub Application Vulnerability Integration v1.2, v1.1, v1.0 | Application Vulnerability Response release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes. |
GitHub integrations
Uploading SBOM files to the ServiceNow AI Platform® from your GitHub repositories
Determine whether SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform® instance.
- Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.
- Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace.
You must install the SBOM applications before you can upload SBOM files. See Exploring Software Bill of Materials for more information.
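A pipeline step that gates the SBOM before the upload action runs is a cheap place to catch a malformed file or an unwanted component. The following script is an added example for this page, not ServiceNow product code and not one of the Marketplace actions: it detects whether a JSON SBOM is CycloneDX or SPDX, lists components that lack a version or package URL (purl), and rejects any purl on a block list. The block list and both sample SBOM documents are constructed for the example.

```python
"""Pre-upload gate for SBOM files produced in a CI/CD pipeline.

Added example, not ServiceNow product code. Exit status 1 means the SBOM
should not be uploaded. The block list and sample documents are constructed
for illustration; the field names are those of the CycloneDX and SPDX JSON
formats themselves.
"""
import json
import sys
from dataclasses import dataclass, field

# Constructed, hypothetical list of package URLs that must never ship.
BLOCKLIST = frozenset({"pkg:npm/example-bad@1.0.0"})


@dataclass
class GateResult:
    fmt: str                         # "cyclonedx" or "spdx"
    components: int                  # number of components/packages seen
    missing_purl: list = field(default_factory=list)
    missing_version: list = field(default_factory=list)
    blocked: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not (self.missing_purl or self.missing_version or self.blocked)


def _cyclonedx_components(doc):
    # CycloneDX keeps name/version/purl directly on each component.
    for c in doc.get("components", []):
        yield c.get("name"), c.get("version"), c.get("purl")


def _spdx_components(doc):
    # SPDX stores the purl as an externalRef with referenceType "purl".
    for p in doc.get("packages", []):
        purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        yield p.get("name"), p.get("versionInfo"), purl


def check_sbom(text: str, blocklist=frozenset()) -> GateResult:
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        fmt, comps = "cyclonedx", _cyclonedx_components(doc)
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        fmt, comps = "spdx", _spdx_components(doc)
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    result = GateResult(fmt=fmt, components=0)
    for name, version, purl in comps:
        result.components += 1
        label = name or "<unnamed>"
        if not version:
            result.missing_version.append(label)
        if not purl:
            result.missing_purl.append(label)
        elif purl.split("?")[0] in blocklist:   # compare without purl qualifiers
            result.blocked.append(purl)
    return result


# Constructed sample documents: one component without a purl, one blocked.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "internal-util", "version": "0.1.0"},
        {"type": "library", "name": "example-bad", "version": "1.0.0",
         "purl": "pkg:npm/example-bad@1.0.0"},
    ],
})
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "app",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "vendored-lib", "externalRefs": []},   # no version, no purl
    ],
})
SAMPLE_CLEAN = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "lodash", "version": "4.17.21",
                    "purl": "pkg:npm/lodash@4.17.21"}],
})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CYCLONEDX
    res = check_sbom(text, BLOCKLIST)
    print(f"{res.fmt}: {res.components} components, missing purl={res.missing_purl}, "
          f"missing version={res.missing_version}, blocked={res.blocked}")
    sys.exit(0 if res.ok else 1)
```

Run it as a workflow step with the generated SBOM path as its argument and let the non-zero exit status stop the job before the upload step. Components without a purl are flagged because the purl is what later matching of packages to vulnerability entries relies on; components without a version cannot be matched at all.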
Viewing imported data
Imported application data from the GitHub Repos Integration is displayed on the Discovered Applications [sn_vul_app_release] table. Run this integration first.
The Repos Integration imports the tags and topics that you configured for a repository from the Settings menu of your GitHub account. Custom properties are on the menu under your repository; the values you set for these properties are imported as key-value pairs. For more information on where to view this information in your instance, see View the GitHub Application Vulnerability Integration import run status and imported repository data.
Imported data (findings) from the GitHub Dependabot Integration is displayed in the following tables.
- Discovered Applications [sn_vul_app_release].
- Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary].
- Application Vulnerable Items [sn_vul_app_vulnerable_item].
- Packages [sn_vul_app_package].
Imported data from the GitHub CodeScan Integration is displayed in the following tables.
- Discovered Applications [sn_vul_app_release].
- Application Vulnerability Scan Summaries [sn_vul_app_vul_scan_summary].
- Application Vulnerability Entries [sn_vul_app_vul_entry].
- Application Vulnerable Items [sn_vul_app_vulnerable_item].
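After an import run, a practitioner usually wants to confirm from outside the UI that rows actually landed in these tables. The script below is an added example, not ServiceNow product code: it pages through one of the tables above with the standard ServiceNow REST Table API (`/api/now/table/<table>` with the `sysparm_*` parameters) and tallies the rows by one field. The instance name, the query, the field names on the sample rows (`app_release`, `severity`) and the rows themselves are assumptions constructed for the example; the fetcher is injected so the paging logic runs offline against the sample.

```python
"""Page through an Application Vulnerability Response table and tally rows.

Added example, not ServiceNow product code. Endpoint and sysparm_* parameter
names are the standard Table API ones; instance, query and the sample rows'
field names are assumptions for the example.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

PAGE_SIZE = 100   # rows requested per call; an instance may cap this lower


def table_url(instance, table, query="", fields=(), offset=0, limit=PAGE_SIZE):
    """Build a Table API URL for one page of results."""
    params = {"sysparm_offset": offset, "sysparm_limit": limit,
              "sysparm_display_value": "true"}
    if query:
        params["sysparm_query"] = query
    if fields:
        params["sysparm_fields"] = ",".join(fields)
    return (f"https://{instance}.service-now.com/api/now/table/{table}?"
            + urllib.parse.urlencode(params))


def http_json(url, auth_header):
    """Real fetcher: GET with an Authorization header value (Basic or Bearer)
    and parse the JSON body. Needs network, so it is not used by the sample."""
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(fetch, instance, table, query="", fields=()):
    """Walk every page of a query. `fetch(url) -> dict` is injected so the
    logic can be exercised offline; the Table API wraps rows in {"result": [...]}."""
    rows, offset = [], 0
    while True:
        page = fetch(table_url(instance, table, query, fields, offset))["result"]
        rows.extend(page)
        if len(page) < PAGE_SIZE:      # a short page means the last page
            return rows
        offset += PAGE_SIZE


def tally(rows, field):
    """Count rows by one field's display value, e.g. vulnerable items per severity."""
    return Counter(str(row.get(field, "")) for row in rows)


# Constructed sample: 250 vulnerable-item rows for one repository. The field
# names "app_release" and "severity" are assumptions for the example.
SAMPLE_ROWS = [{"sys_id": f"{i:032x}", "app_release": "acme/payments",
                "severity": ("High", "Medium", "Low")[i % 3]} for i in range(250)]
FAKE_CALLS = []   # URLs requested from the offline stand-in


def fake_fetch(url):
    """Offline stand-in that serves SAMPLE_ROWS honouring sysparm_offset/limit."""
    FAKE_CALLS.append(url)
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    off, lim = int(qs["sysparm_offset"][0]), int(qs["sysparm_limit"][0])
    return {"result": SAMPLE_ROWS[off:off + lim]}


if __name__ == "__main__":
    # Against a real instance (assumed name) you would pass the network fetcher:
    # fetch_all(lambda u: http_json(u, "Bearer <token>"), "myinstance",
    #           "sn_vul_app_vulnerable_item", "active=true")
    rows = fetch_all(fake_fetch, "example", "sn_vul_app_vulnerable_item", "active=true")
    print(len(rows), "rows;", dict(tally(rows, "severity")))
```

The same call with `sn_vul_app_vul_scan_summary` or `sn_vul_app_package` as the table tells you whether the scan summaries and packages from a Dependabot or CodeScan run arrived. Stopping on a short page rather than an empty one saves one round trip per query, and the injected fetcher keeps the paging logic testable without credentials.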