GitHub
Visualize GitHub users, teams, repositories, pull requests, issues, code scanning alerts and more. Map GitHub users to employees and training, and monitor software development activities, installations of GitHub apps, and outside collaborators.
Installation
For this integration to run as expected, the GitHub account you are integrating must contain an organization. Create an organization in your GitHub account first so that the required permissions are available. Learn more about GitHub organizations here.
GitHub Cloud and GitHub Enterprise Server versions 3.3.3 and above have been verified as compatible with this integration. Other versions of GitHub Enterprise may work, but are not fully supported.
Configuration in JupiterOne
To install the GitHub integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select GitHub. Click New Instance to begin configuring the integration.
This integration limits the ingestion of pull requests and issues to the 500 most recently created or modified since the last execution.
In the new instance configuration, provide:
- Account Name used to identify the GitHub account in JupiterOne. Ingested entities have this value stored in `tag.AccountName` when the `AccountName` toggle is enabled.
- Description to assist in identifying the integration instance, if desired.
- Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as `DISABLED` and manually execute the integration.
- For GitHub Enterprise Servers only: enable the toggle and provide the relevant Hostname, App ID, App Installation ID, and upload your API Private Key.
After creating a new GitHub integration configuration in JupiterOne, you will be redirected to GitHub to install the JupiterOne GitHub app. The app requests read-only permissions to support ingestion of entities and relationships.
View GitHub permissions
Note
The Secrets API does not reveal the values of Secrets, only their names and creation dates.
Repository Permissions
- Actions: Read-only
- Administration: Read-only
- Dependabot alerts: Read-only
- Discussions: Read-only
- Environments: Read-only
- Issues: Read-only (enables both Issues and private-repo PRs)
- Metadata: Read-only
- Pages: Read-only
- Pull requests: Read-only
- Secrets: Read-only
- Secret scanning alerts: Read-only
Organization Permissions
- Administration: Read-only
- Members: Read-only
- Secrets: Read-only
- Events: Read-only
User Permissions
- None
Refer to GitHub's documentation for information on setting GitHub app permissions and secret permissions.
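To confirm that an installed app holds only the read-only grants listed above, the `permissions` object that GitHub's REST API returns for an app installation can be compared against that list. This is an added example, not JupiterOne's code: the dictionary keys are GitHub's API names for the labels above, and the sample installation is constructed.

```python
# Expected grants, transcribed from the permission list on this page.
# Keys are the names GitHub's REST API uses in an installation's
# "permissions" object; the page label is noted where it differs.
EXPECTED = {
    "actions": "read",
    "administration": "read",
    "vulnerability_alerts": "read",         # Dependabot alerts
    "discussions": "read",
    "environments": "read",
    "issues": "read",
    "metadata": "read",
    "pages": "read",
    "pull_requests": "read",
    "secrets": "read",
    "secret_scanning_alerts": "read",
    "organization_administration": "read",  # Organization: Administration
    "members": "read",                      # Organization: Members
    "organization_secrets": "read",         # Organization: Secrets
    "organization_events": "read",          # Organization: Events
}


def audit_permissions(granted):
    """Compare an installation's granted permissions with EXPECTED.

    elevated   - listed permission granted at a level other than read
    unexpected - permission granted that this page does not list
    missing    - listed permission that was not granted (ingestion gaps)
    """
    report = {"elevated": [], "unexpected": [], "missing": []}
    for name, level in sorted(granted.items()):
        if name not in EXPECTED:
            report["unexpected"].append(name)
        elif level != EXPECTED[name]:
            report["elevated"].append(name)
    report["missing"] = sorted(set(EXPECTED) - set(granted))
    return report


# Constructed sample: one grant raised to write, one extra grant, one absent.
SAMPLE = dict(EXPECTED, administration="write", contents="read")
del SAMPLE["pages"]

if __name__ == "__main__":
    print(audit_permissions(SAMPLE))
```

Any entry under `elevated` or `unexpected` means the installation no longer matches the read-only footprint described here and should be reviewed in the organization's installed GitHub Apps settings.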
Hierarchy of data retrieval
This integration uses many steps to retrieve data. Some of the steps depend on others. If there is a crash or error, it might be helpful to understand the hierarchy of step dependency:
- The root step is `fetch-account`. All other steps depend on it.
- There are four steps that depend only on `fetch-account` that could be considered primary steps. These are: `fetch-apps`, `fetch-repos`, `fetch-users`, `fetch-teams`.
- Other steps logically require multiple primary steps to complete. Examples include: `fetch-collaborators`, `fetch-team-members`, `fetch-team-repos`.
- Finally, some sophisticated steps require both primary steps and secondary steps before they can execute. For example, `fetch-prs` needs both `fetch-repos` and `fetch-collaborators` in order to properly label reviewers and approvers.
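When a step fails, every step downstream of it produces no data or incomplete data, so queries over the affected entities (for example, pull request approvers) should not be trusted for that run. The following added example, which is not part of the integration's code, models the hierarchy above as a graph and lists what a failure blocks. The prerequisites of `fetch-collaborators`, `fetch-team-members` and `fetch-team-repos` are assumptions, since the page says only that they need multiple primary steps.

```python
from graphlib import TopologicalSorter  # standard library, Python 3.9+

# step -> steps it depends on
DEPENDS_ON = {
    "fetch-account": set(),
    "fetch-apps": {"fetch-account"},
    "fetch-repos": {"fetch-account"},
    "fetch-users": {"fetch-account"},
    "fetch-teams": {"fetch-account"},
    # Assumed prerequisites (not stated on the page):
    "fetch-collaborators": {"fetch-repos", "fetch-users"},
    "fetch-team-members": {"fetch-teams", "fetch-users"},
    "fetch-team-repos": {"fetch-teams", "fetch-repos"},
    # Stated on the page:
    "fetch-prs": {"fetch-repos", "fetch-collaborators"},
}


def run_order():
    """One valid execution order: every step after its prerequisites."""
    return list(TopologicalSorter(DEPENDS_ON).static_order())


def blocked_by(failed_step):
    """All steps that directly or transitively depend on failed_step."""
    blocked, frontier = set(), {failed_step}
    while frontier:
        frontier = {
            step
            for step, deps in DEPENDS_ON.items()
            if deps & frontier and step not in blocked
        }
        blocked |= frontier
    return sorted(blocked)


if __name__ == "__main__":
    print("order:", run_order())
    for step in ("fetch-users", "fetch-collaborators", "fetch-account"):
        print(step, "blocks", blocked_by(step))
```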
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
Resources | Entity _type | Entity _class |
---|---|---|
Account | github_account | Account |
Github App | github_app | Application |
Github Branch Protection Rule | github_branch_protection_rule | Rule |
GitHub Code Scanning Alerts | github_code_scanning_finding | Finding |
GitHub Env Secret | github_env_secret | Secret |
Github Environment | github_environment | Configuration |
Github Issue | github_issue | Issue |
Github Org Secret | github_org_secret | Secret |
Github Pull Request | github_pullrequest | PR |
Github Repo | github_repo | CodeRepo |
Github Repo Secret | github_repo_secret | Secret |
GitHub Secret Scanning Alert | github_secret_scanning_finding | Finding |
Github Team | github_team | UserGroup |
Github User | github_user | User |
GitHub Vulnerability Alert | github_finding | Finding |
Organization Role | github_org_role | AccessRole |
Ruleset | github_ruleset | Ruleset |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
---|---|---|
github_account | HAS | github_user |
github_account | OWNS | github_repo |
github_account | HAS | github_team |
github_account | INSTALLED | github_app |
github_account | HAS | github_org_secret |
github_account | MANAGES | github_ruleset |
github_account | MANAGES | github_org_role |
github_app | OVERRIDES | github_branch_protection_rule |
github_env_secret | OVERRIDES | github_org_secret |
github_env_secret | OVERRIDES | github_repo_secret |
github_environment | HAS | github_env_secret |
github_pullrequest | CONTAINS | github_pullrequest |
github_repo | HAS | github_code_scanning_finding |
github_repo | ALLOWS | github_user |
github_repo | HAS | github_pullrequest |
github_repo | HAS | github_issue |
github_repo | HAS | github_environment |
github_repo | USES | github_org_secret |
github_repo | HAS | github_repo_secret |
github_repo | USES | github_repo_secret |
github_repo | USES | github_env_secret |
github_repo | ALLOWS | github_team |
github_repo | HAS | github_finding |
github_repo | HAS | github_branch_protection_rule |
github_repo | HAS | github_secret_scanning_finding |
github_repo_secret | OVERRIDES | github_org_secret |
github_ruleset | ENFORCES | github_repo |
github_team | HAS | github_user |
github_team | OVERRIDES | github_branch_protection_rule |
github_team | ASSIGNED | github_org_role |
github_user | MANAGES | github_account |
github_user | APPROVED | github_pullrequest |
github_user | OPENED | github_pullrequest |
github_user | REVIEWED | github_pullrequest |
github_user | CREATED | github_issue |
github_user | ASSIGNED | github_issue |
github_user | MANAGES | github_team |
github_user | OVERRIDES | github_branch_protection_rule |
github_user | ASSIGNED | github_org_role |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
---|---|---|---|
github_finding | IS | cve | FORWARD |
github_finding | EXPLOITS | cwe | FORWARD |
github_issue | CREATED | github_user | REVERSE |
github_issue | ASSIGNED | github_user | REVERSE |
github_pullrequest | OPENED | github_user | REVERSE |
github_pullrequest | REVIEWED | github_user | REVERSE |
github_pullrequest | APPROVED | github_user | REVERSE |
Github Account
github_account
inherits from Account
Property | Type | Description | Specifications |
---|---|---|---|
accountId * | string | ||
accountType * | string | ||
databaseId * | number | ||
email * | string | ||
location * | string | ||
login * | string | ||
node * | string | ||
verified * | boolean | ||
websiteUrl * | string |
Github App
github_app
inherits from Application
Property | Type | Description | Specifications |
---|---|---|---|
appId * | number | ||
appSlug * | string | ||
events * | array of strings | ||
hasMultipleSingleFiles * | boolean | ||
installationId * | number | ||
repositorySelection * | string | Any of: all, selected | |
singleFileName * | string | ||
singleFilePaths * | array of strings | ||
suspendedOn | number | ||
targetId * | number | ||
targetType * | string |
Github Branch Protection Rule
github_branch_protection_rule
inherits from Rule
Property | Type | Description | Specifications |
---|---|---|---|
allowDeletions * | boolean | ||
allowForcePushes * | boolean | ||
blockCreations * | boolean | ||
enforceAdmins * | boolean | ||
requireCodeOwnerReviews * | boolean | ||
requiredApprovingReviewCount * | number | null | ||
requiredConversationResolution * | boolean | ||
requiredLinearHistory * | boolean | ||
requiredSignatures * | boolean | ||
requiredStatusChecks * | array of strings |
Github Code Scanning Finding
github_code_scanning_finding
inherits from Finding
Property | Type | Description | Specifications |
---|---|---|---|
alertSeverity | string | ||
dismissedComment | string | null | ||
dismissedOn | number | ||
dismissedReason * | string | null | Any of: false positive, won't fix, used in tests, undefined | |
fixedOn | number | ||
number * | number | ||
path | string | ||
ruleTags | array | null | ||
state * | string | ||
toolName | string | ||
toolVersion | string | null | ||
weblink * | string |
Github Env Secret
github_env_secret
inherits from Secret
Property | Type | Description | Specifications |
---|---|---|---|
visibility * | string | const: selected |
Github Environment
github_environment
inherits from Configuration
Property | Type | Description | Specifications |
---|---|---|---|
htmlUrl * | string | ||
nodeId * | string | ||
parentRepoDatabaseId * | string | ||
parentRepoKey * | string | ||
parentRepoName * | string | ||
protectionRulesExist * | boolean | ||
url * | string |
Github Finding
github_finding
inherits from Finding
Property | Type | Description | Specifications |
---|---|---|---|
databaseId | number | ||
dependencyScope | string | Any of: RUNTIME, DEVELOPMENT | |
dismissedOn | number | ||
dismisserLogin | string | ||
dismissReason | string | null | ||
fixedOn | number | ||
ghsaId | string | ||
id * | string | ||
number | number | ||
origin | string | ||
securityAdvisoryPublishedOn | number | ||
securityAdvisoryUpdatedOn | number | ||
securityAdvisoryWithdrawnOn | number | ||
vulnerableManifestFilename * | string | ||
vulnerableManifestPath * | string | ||
vulnerablePackageEcosystem | string | ||
vulnerablePackageName | string | ||
vulnerableRequirements * | string | ||
vulnerableVersionRange | string | ||
weblink * | string |
Github Issue
github_issue
inherits from Issue
Property | Type | Description | Specifications |
---|---|---|---|
activeLockReason | string | null | Any of: OFF_TOPIC, TOO_HEATED, RESOLVED, SPAM, undefined | |
authorAssociation * | string | ||
body | string | ||
closed * | boolean | ||
closedOn | number | ||
createdViaEmail * | boolean | ||
databaseId * | number | ||
labels * | array of strings | ||
lastEditedOn | number | ||
locked * | boolean | ||
number * | number | ||
pinned * | boolean | ||
publishedOn | number | ||
resourcePath * | string | ||
state * | string | ||
title * | string | ||
url * | string |
Github Org Role
github_org_role
inherits from AccessRole
Property | Type | Description | Specifications |
---|---|---|---|
baseRole | string | null | ||
permissions * | array of strings | ||
source | string | null | Any of: Organization, Enterprise, Predefined, undefined |
Github Org Secret
github_org_secret
inherits from Secret
Property | Type | Description | Specifications |
---|---|---|---|
selectedRepositoriesLink | string | ||
visibility | string |
Github Pullrequest
github_pullrequest
inherits from PR
Property | Type | Description | Specifications |
---|---|---|---|
accountLogin * | string | ||
allCommitsApproved | boolean | ||
approvalLastAt | number | ||
approvalsCount * | number | ||
approverLogins * | array of strings | ||
approvers | array of strings | ||
author * | string | ||
authorLogin * | string | ||
closedOn | number | ||
commitMessages | array of strings | ||
commits * | array of strings | ||
commitsApproved | array of strings | ||
commitsByUnknownAuthor | array of strings | ||
commitsCount * | number | ||
commitsNotApproved * | array of strings | ||
databaseId | number | ||
declined * | boolean | ||
filesChangedCount * | number | ||
id * | string | ||
labels * | array of strings | ||
mergeCommitHash | string | ||
merged * | boolean | ||
mergedBy | string | ||
mergedByLogin | string | ||
mergedOn | number | ||
node * | string | ||
number * | number | ||
pullRequestId * | string | ||
reviewDecision | string | Any of: APPROVED, CHANGES_REQUESTED, REVIEW_REQUIRED | |
reviewerLogins * | array of strings | ||
reviewers * | array of strings | ||
sourceRefOid * | string | ||
targetRefOid * | string |
Github Repo
github_repo
inherits from CodeRepo
Property | Type | Description | Specifications |
---|---|---|---|
archived | boolean | ||
autoMergeAllowed | boolean | ||
databaseId | number | ||
deleteBranchOnMerge | boolean | ||
disabled | boolean | ||
empty | boolean | ||
fork | boolean | ||
forkCount | number | ||
forkingAllowed | boolean | ||
fullName * | string | ||
homepageUrl * | string | ||
inOrganization | boolean | ||
locked | boolean | ||
lockReason * | string | ||
mergeCommitAllowed | boolean | ||
mirror | boolean | ||
node * | string | ||
pushedOn | number | ||
rebaseMergeAllowed | boolean | ||
securityPolicyEnabled | boolean | ||
template | boolean | ||
userConfigurationRepository | boolean | ||
visibility * | string | Any of: INTERNAL, PRIVATE, PUBLIC |
Github Repo Secret
github_repo_secret
inherits from Secret
Property | Type | Description | Specifications |
---|---|---|---|
visibility * | string | const: selected |
Github Ruleset
github_ruleset
inherits from Ruleset
Property | Type | Description | Specifications |
---|---|---|---|
enforcement * | string | Any of: DISABLED, ACTIVE, EVALUATE | |
source * | string | Any of: Enterprise, Repository, Organization | |
target | string | Any of: BRANCH, TAG, PUSH, REPOSITORY |
Github Secret Scanning Finding
github_secret_scanning_finding
inherits from Finding
Property | Type | Description | Specifications |
---|---|---|---|
number * | number | ||
pushProtectionBypassed | boolean | null | ||
pushProtectionBypassedBy | string | ||
pushProtectionBypassedOn | number | ||
resolution | string | null | Any of: false_positive, wont_fix, revoked, used_in_tests, undefined | |
resolutionComment | string | null | ||
resolvedBy | string | ||
resolvedOn | number | ||
secretType | string | ||
secretTypeDisplayName | string | ||
state | string | Any of: open, resolved |
Github Team
github_team
inherits from UserGroup
Property | Type | Description | Specifications |
---|---|---|---|
databaseId * | number | ||
fullName * | string | ||
node * | string | ||
privacy * | string |
Github User
github_user
inherits from User
Property | Type | Description | Specifications |
---|---|---|---|
company * | string | ||
databaseId * | number | ||
employee * | boolean | ||
location * | string | ||
login * | string | ||
node * | string | ||
organizationId * | string | ||
role * | string | ||
siteAdmin * | boolean | ||
websiteUrl * | string |