Set up the GitHub connector
GitHub Advanced Security (GHAS) delivers integrated security capabilities to secure the software development lifecycle directly within GitHub. It includes code scanning for identifying vulnerabilities in code, secret scanning to detect and prevent credential exposure, and dependency review to analyze risks in third-party packages.
By integrating GHAS, Veracode Risk Manager (VRM) leverages its insights to recommend the best next actions for security teams, ensuring seamless alignment with their broader tool stack and promoting a unified, strategic approach to security management.
Complete the following tasks to set up your VRM connector for GitHub.
Enable fine-grained personal access tokens
The first step in the integration is to ensure that fine-grained personal access tokens are enabled for your organization. By default an organization can restrict which tokens may access its resources, so a token created in the next task will not work until this setting is on.
- From your GitHub organization page, go to Settings > Personal Access Tokens > Settings.
- Select the Allow access via fine-grained personal access tokens option and select Save.
Create a fine-grained personal access token
Once fine-grained personal access tokens are enabled, create one for VRM to use. Fine-grained tokens are preferred over classic tokens because they are scoped to a single resource owner, to selected repositories, and to individual read-only permissions, so the connector gets no more access than it needs.
Important: To avoid unnecessarily exceeding the rate limits of GitHub's REST API, Veracode recommends generating the personal access token for a user account dedicated to VRM. Requests made with a token count against that account's hourly limit, so a shared account can starve the connector of requests.
Prerequisites
- You are logged in to the user account that you want to associate with the VRM connector.
- The user account has access to the repositories that you want VRM to ingest. A fine-grained token can never grant more than the account itself can see.
To complete this task:
- Select your user icon in the upper-right corner, and select Settings.
- Select Developer settings at the bottom of the left navigation bar.
- Select Personal access tokens > Fine-grained tokens.
- Select Generate new token.
- Use these instructions to complete the following fields:
| Field | Instructions |
|---|---|
| Token name | Any unique name for the token. |
| Expiration | Veracode recommends one year from the creation date. |
| Description | Add a description that notes that VRM uses this token. |
| Resource owner | Select your organization. |
| Repository access | Veracode recommends you select All Repositories to grant VRM read access to all repositories. If you want to restrict VRM's access to certain repositories, select Only select repositories, then select all of the repositories that you want VRM to access. |
| Repository permissions | Set the Actions, Code scanning alerts, Contents, Dependabot alerts, Metadata, and Secret scanning alerts permissions to Access: Read-only. |
| Organization permissions | Set the Members permission to Access: Read-only. |
- Select Generate token.
- Copy the generated personal access token and store it in your secrets manager for the next task. GitHub shows the token value only once; if you lose it you must regenerate it.
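Before pasting the token into VRM, it is worth confirming from the command line that it really has the read access the table above asks for and that the dedicated account still has rate-limit headroom. The script below is an added example and is not part of Veracode's documentation or of VRM; it uses only the Python standard library. It assumes that `GITHUB_TOKEN`, `GITHUB_ORG` and `GITHUB_REPO` environment variables hold the token, the resource-owner organization and one repository VRM will ingest, and the choice of probe endpoint for each permission is this script's own (each is a documented read-only GitHub REST endpoint, but the page does not list them). The `GitHub-Authentication-Token-Expiration` header is reported when GitHub returns it.

```python
"""Pre-flight check for the fine-grained PAT before it goes into the VRM connector.

Added example, not Veracode's or GitHub's code. Assumes:
  - GITHUB_TOKEN, GITHUB_ORG and GITHUB_REPO environment variables hold the
    token, the resource-owner organization and one repository VRM will ingest;
  - the endpoint-to-permission mapping below is this script's own choice of
    read-only probe per permission named in the documentation table.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"


def required_checks(org: str, repo: str) -> dict:
    """Map each permission the page asks for to a read-only GET that needs it."""
    return {
        "Metadata": f"/repos/{org}/{repo}",
        "Contents": f"/repos/{org}/{repo}/contents/",
        "Actions": f"/repos/{org}/{repo}/actions/workflows?per_page=1",
        "Code scanning alerts": f"/repos/{org}/{repo}/code-scanning/alerts?per_page=1",
        "Dependabot alerts": f"/repos/{org}/{repo}/dependabot/alerts?per_page=1",
        "Secret scanning alerts": f"/repos/{org}/{repo}/secret-scanning/alerts?per_page=1",
        "Members (organization)": f"/orgs/{org}/members?per_page=1",
    }


def http_get(token: str, path: str):
    """GET one API path; return (HTTP status, response headers). Never raises on 4xx."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def check_token(org: str, repo: str, get, min_remaining: int = 1000) -> dict:
    """Probe every endpoint through `get(path) -> (status, headers)` and summarise.

    `get` is injected so the logic can be exercised without network access.
    """
    report = {"ok": True, "permissions": {}, "rate_limit_remaining": None, "expires": None}
    for name, path in required_checks(org, repo).items():
        status, headers = get(path)
        # Anything but 200 means VRM could not read this data for the repo: either
        # the permission was not granted, or the feature (e.g. secret scanning) is
        # not enabled on that repo, which GitHub reports as 403/404. Check the
        # repository's security settings in the UI before regenerating the token.
        granted = status == 200
        report["permissions"][name] = granted
        report["ok"] = report["ok"] and granted
        lower = {k.lower(): v for k, v in headers.items()}
        if "x-ratelimit-remaining" in lower:
            report["rate_limit_remaining"] = int(lower["x-ratelimit-remaining"])
        if "github-authentication-token-expiration" in lower:
            report["expires"] = lower["github-authentication-token-expiration"]
    # A shared or busy account may already be close to its hourly limit; VRM's
    # ingestion then starts failing, which is why the page wants a dedicated user.
    remaining = report["rate_limit_remaining"]
    if remaining is not None and remaining < min_remaining:
        report["ok"] = False
    return report


def main() -> int:
    token = os.environ.get("GITHUB_TOKEN")
    org, repo = os.environ.get("GITHUB_ORG"), os.environ.get("GITHUB_REPO")
    if not (token and org and repo):
        print("set GITHUB_TOKEN, GITHUB_ORG and GITHUB_REPO", file=sys.stderr)
        return 2
    report = check_token(org, repo, lambda path: http_get(token, path))
    print(json.dumps(report, indent=2))
    return 0 if report["ok"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the three variables exported; a non-zero exit means at least one permission probe failed or the account has fewer than 1000 requests left in the current hour. Because `check_token` takes the HTTP function as a parameter, the same logic can be exercised against canned responses in a unit test, which is how it was checked here.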
Create a VRM connector
- In VRM, from the left navigation menu, select the Settings icon.
- Select Add Connector.
- Select the GitHub tile.
- Enter a name for the connector.
- Paste the access token you generated in GitHub.
- Select Add Connector.