How to configure GitHub with DigitSec
- First, you will need to retrieve a Web Secret specific to your DigitSec workspace. Please use a browser to go to https://s4.digitsec.com and sign in.
- After logging in, find the DigitSec Workspace you wish to scan. Visit the Integrations -> GitHub tab for the Workspace.
- On the GitHub Details dialog pane, click on the Copy button to capture that Secret to your computer clipboard. Please leave this browser window open on this page as you will return to it in Step 7.
- Open a new browser window and log into https://github.com. Find the repository you wish to integrate with S4 and click on the Settings tab.
- On the screen that loads up, select Webhooks tab.
- Then click the Add Webhook button. The complete Payload URL (including the Web Secret) was copied to your clipboard in step 3, so you can paste it into the Payload URL field on the screen below.
Note: DigitSec requires that you select Let me select individual events and then tick Pull requests. This is the only way to trigger a scan and post the results back to GitHub. By default, the Push event will be selected. Push must be de-selected.
- Return to the browser window you left open in Step 3. Add the repository name, GitHub username, and Personal Access Token, and mark the checkbox if you want S4 to create a pull request at the end of the scan. The details below explain how to find the Repository Name, GitHub Username and Personal Access Token:
Repository Name:
Go to your GitHub repository and click on the Settings tab.
On the tab that opens, the repository name is listed as shown below:
GitHub Username:
Click on the drop down on the top right side of the GitHub web interface. On the menu that opens up, the username is listed as the first item as shown below:
Personal Access Token:
Click on the drop down on the top right side of the GitHub web interface. On the menu that opens up, click on Settings as shown below:
On the new screen that comes up, find the tab Developer Settings as shown below:
Click on Developer Settings. On the screen that opens up, click on Personal Access Tokens as shown below:
On the new screen that opens up, click on Generate New Token as shown below:
On the screen that opens up please assign your token a note, an expiration date and select the repo checkbox for the permissions grant as follows:
Then click the Generate Token button as shown below:
When the personal access token appears, use the clipboard icon to copy the generated PAT. You may wish to save the token to a local file as GitHub will not display the token in cleartext again.
8. Go back to step 2 and fill in the information you have gathered in the respective fields.
- Click Verify & Save.
- A popup will appear; once the repo has been added, you will see a message confirming it was added successfully.
- To verify this is working, take an action that triggers the webhook you created (for example, open a pull request on the repository). By the time you have finished, the scan will already have begun. S4 will notify you of the started scan with a comment as shown below:
- Scans typically take between 5 and 15 minutes. S4 will send a notification email once the scan has completed, including a link to your S4 Findings Detail Report.
- The results from S4 will show up in the pull request comments as follows:
9. Additional Settings
You can configure the GitHub integration to suit your needs. You can have the system create an additional pull request on GitHub by activating the checkmark that appears in the diagram above.
You can also limit the Pull Request Events that trigger a scan. This way, not every Pull Request action will trigger a scan.
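The event requirements in the Note above (Pull requests selected, Push de-selected) and the event settings in this section can be checked after the fact from GitHub's "list repository webhooks" API. The following audit script is an added example, not DigitSec's or GitHub's own code; it assumes the DigitSec payload URL is served from the host s4.digitsec.com, and the sample response below is constructed with placeholder values.

```python
import json
from urllib.parse import urlparse, urlunparse

# Constructed sample of a GitHub "list repository webhooks" response
# (GET https://api.github.com/repos/{owner}/{repo}/hooks). Host and
# secret are placeholders, not real DigitSec values.
SAMPLE_HOOKS_JSON = json.dumps([
    {"id": 1, "active": True, "events": ["pull_request"],
     "config": {"url": "https://s4.digitsec.com/hook?secret=PLACEHOLDER",
                "content_type": "json", "insecure_ssl": "0"}},
    {"id": 2, "active": True, "events": ["push", "pull_request"],
     "config": {"url": "http://s4.digitsec.com/hook?secret=PLACEHOLDER",
                "content_type": "json", "insecure_ssl": "1"}},
])

def redact_url(url: str) -> str:
    """Drop the query string so the Web Secret embedded in the URL never reaches logs."""
    parts = urlparse(url)
    return urlunparse(parts._replace(query="", fragment=""))

def audit_hook(hook: dict, expected_host: str) -> list[str]:
    """Return the problems found with one webhook; an empty list means it matches this page's requirements.
    Hooks not pointing at expected_host (assumed: s4.digitsec.com) are skipped."""
    cfg = hook.get("config", {})
    parsed = urlparse(cfg.get("url", ""))
    if parsed.hostname != expected_host:
        return []  # not the DigitSec hook; nothing to check
    events = set(hook.get("events", []))
    problems = []
    if parsed.scheme != "https":
        problems.append("payload URL is not https; the secret travels in cleartext")
    if cfg.get("insecure_ssl") != "0":
        problems.append("TLS certificate verification disabled (insecure_ssl != 0)")
    if "pull_request" not in events:
        problems.append("Pull requests event not selected; scans will not trigger")
    if "push" in events:
        problems.append("Push event still selected; it must be de-selected")
    if not hook.get("active", False):
        problems.append("webhook is inactive")
    return problems

def audit_hooks(hooks_json: str, expected_host: str = "s4.digitsec.com") -> dict[int, list[str]]:
    """Map hook id -> problems for every hook whose payload URL points at expected_host."""
    hooks = json.loads(hooks_json)
    return {h["id"]: audit_hook(h, expected_host) for h in hooks
            if urlparse(h.get("config", {}).get("url", "")).hostname == expected_host}

if __name__ == "__main__":
    hooks_by_id = {h["id"]: h for h in json.loads(SAMPLE_HOOKS_JSON)}
    for hook_id, problems in audit_hooks(SAMPLE_HOOKS_JSON).items():
        print(hook_id, redact_url(hooks_by_id[hook_id]["config"]["url"]), problems or "OK")
```

Feed the script the real API response (requires a token with admin:repo_hook read access) to confirm the hook created in the steps above still subscribes only to Pull requests.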