How to configure GitHub with S4
- First, you will need to retrieve an S4 Web Secret specific to your Salesforce org. Please use a browser to go to https://s4.digitsec.com and sign in.
- After logging in, find the Salesforce org you wish to scan. Click on the collapsible function menu to select Edit Org Info.
- On the Edit Org Information page, click on the GitHub tab. When you enter here for the first time, your GitHub Secret should be visible in cleartext. Please use the clipboard icon to copy the field contents. Please leave this browser window open on this page as you will return to it in Step 10.
- Open a new browser window and log into https://github.com. Find the repository you wish to integrate with S4 and click on the Settings tab.
- On the screen that loads, select the Webhooks tab.
- Then click the Add Webhook button. For the payload URL, we will use https://s4.digitsec.com/webhooks/gitHub/<gitHubSecret>. Remember, this complete payload URL (including the GitHub secret) was copied to your clipboard in step 3, so you can paste it directly into the Payload URL field.

Note: DigitSec advises that you select the Let me select individual events option and then select Pull requests. This will trigger the webhook on all major pull request events and is the intended way to use this integration. You may still be able to run scans on other triggers, but doing so could cause errors while posting results.

- You must now create a Personal Access Token. In the upper-right corner of any page, click on your profile photo, and then click Settings.
- In the left-hand side bar, click Developer Settings and then click Personal access tokens.
- Click Generate new token. Assign your token a name and select the repo checkbox under the permissions grant. Then click the Generate Token button. Use the clipboard icon to copy the generated PAT. You may wish to save the token to a local file, as GitHub will not display the token in cleartext again.
- Return to the browser window you left open in Step 3. Add the repository name, GitHub username, and personal access token and mark the checkbox if you want S4 to create a pull request at the end of the scan.
- Click Verify & Save.
- A popup will appear; once the repo has been added successfully, you will see a message confirming this.
- To verify this is working, take an action that will activate the webhook you created (for example, an event on a pull request). Once the webhook has fired, the scan begins automatically. Scans typically take between 5 and 15 minutes. S4 will send a notification email once the scan has completed, which will include a link to your S4 Findings Detail Report.
- The results from S4 will show up in the pull request comments as follows:
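Because the GitHub secret is embedded in the payload URL itself, anything that lists a repository's webhooks (the GitHub UI, API output, logs) exposes that secret. The script below is an added example, not DigitSec's or GitHub's code: it reads the JSON that GitHub's `GET /repos/{owner}/{repo}/hooks` endpoint returns (the `id`, `config.url`, `events` and `active` fields are real), checks that every hook pointing at S4 uses the https URL pattern from step 6 with the placeholder replaced and is subscribed to exactly the `pull_request` event as the note recommends, redacts the secret before anything is printed, and checks the `X-OAuth-Scopes` header GitHub returns for a classic PAT for the `repo` scope from step 9. The hooks listing used here is constructed sample data, not a real repository's output.

```python
"""Offline check of a GitHub webhooks listing against the S4 integration steps.

Added example; assumes only the documented shape of GitHub's hooks API
response and the S4 payload URL pattern https://s4.digitsec.com/webhooks/gitHub/<gitHubSecret>.
"""
import json
import re
from urllib.parse import urlparse

S4_HOST = "s4.digitsec.com"
S4_HOOK_PATH_RE = re.compile(r"^/webhooks/gitHub/(?P<secret>[^/]+)$")

# Constructed sample: what `GET /repos/{owner}/{repo}/hooks` might return.
# Hook 101 is configured as the steps describe; 102 still has the placeholder
# secret and extra events; 103 is an unrelated CI hook that must be ignored.
SAMPLE_HOOKS = json.dumps([
    {"id": 101, "active": True, "events": ["pull_request"],
     "config": {"url": "https://s4.digitsec.com/webhooks/gitHub/exampleSecret123", "content_type": "json"}},
    {"id": 102, "active": True, "events": ["push", "pull_request"],
     "config": {"url": "https://s4.digitsec.com/webhooks/gitHub/<gitHubSecret>", "content_type": "json"}},
    {"id": 103, "active": True, "events": ["push"],
     "config": {"url": "https://ci.example.invalid/hook", "content_type": "json"}},
])


def redact_url(url):
    """Replace the secret path segment so the URL can be logged or printed safely."""
    parts = urlparse(url)
    if parts.hostname == S4_HOST and S4_HOOK_PATH_RE.match(parts.path):
        return parts._replace(path="/webhooks/gitHub/<redacted>").geturl()
    return url


def check_hook(hook):
    """Return a list of problems with one S4 webhook object (empty list means OK)."""
    problems = []
    url = hook.get("config", {}).get("url", "")
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("payload URL is not https")
    match = S4_HOOK_PATH_RE.match(parts.path)
    if not match:
        problems.append("payload URL path is not /webhooks/gitHub/<gitHubSecret>")
    elif match.group("secret") == "<gitHubSecret>":
        problems.append("placeholder <gitHubSecret> was never replaced with the copied secret")
    events = set(hook.get("events", []))
    if events != {"pull_request"}:
        problems.append("events should be exactly ['pull_request'], got %s" % sorted(events))
    if not hook.get("active", False):
        problems.append("webhook is inactive")
    return problems


def find_s4_hooks(hooks_json):
    """Parse a hooks listing; return {hook_id: problems} for each hook that targets S4."""
    result = {}
    for hook in json.loads(hooks_json):
        url = hook.get("config", {}).get("url", "")
        if urlparse(url).hostname == S4_HOST:
            result[hook["id"]] = check_hook(hook)
    return result


def pat_has_repo_scope(x_oauth_scopes_header):
    """GitHub reports a classic PAT's granted scopes in the X-OAuth-Scopes response header."""
    scopes = {s.strip() for s in x_oauth_scopes_header.split(",") if s.strip()}
    return "repo" in scopes


if __name__ == "__main__":
    for hook in json.loads(SAMPLE_HOOKS):
        hook_url = hook["config"]["url"]
        if urlparse(hook_url).hostname != S4_HOST:
            continue
        problems = check_hook(hook)
        status = "OK" if not problems else "; ".join(problems)
        # Only the redacted URL is ever printed.
        print("hook %d %s -> %s" % (hook["id"], redact_url(hook_url), status))
```

To run it against a live repository, fetch the listing with the PAT (`curl -H "Authorization: token ..." https://api.github.com/repos/OWNER/REPO/hooks`) and pass the response body to `find_s4_hooks`; the same response's `X-OAuth-Scopes` header goes to `pat_has_repo_scope`. Treat the raw listing as sensitive, since it contains the S4 secret in cleartext.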