Dependabot Findings coming to GitHub Integration
Impacted Integration
GitHub (https://github.com/JupiterOne/graph-github), version 1.15 Release
Description
JupiterOne is preparing to add Dependabot findings, and the vulnerabilities and weaknesses they reference, to the GitHub integration. Once ingested, you will be able to query the alerts that GitHub's Dependabot has raised against vulnerable dependencies in your repositories.
In order to import this data to your JupiterOne account, your GitHub admin will need to grant access to an additional permission. If that permission is not granted, the integration will continue to run as expected, but the new data will not be imported to your JupiterOne account.
What changes are coming?
The github_finding, cve and cwe entities will be added.
JupiterOne will ingest GitHub Dependabot vulnerability alerts together with any CVE or CWE entries they reference. To ingest these entities, your GitHub Organization Administrator will need to accept JupiterOne's additional permission request for read-only access to Dependabot alerts. Any previously unaccepted permission requests will also need to be accepted before Dependabot data can be accessed.
The following new entities will be created:

Resource | Entity _type | Entity _class
---|---|---
GitHub Vulnerability Alerts | github_finding | Finding
CVE | cve | Vulnerability
CWE | cwe | Weakness
The following relationships will be created with these entities:

Source Entity _type | Relationship _class | Target Entity _type
---|---|---
 | HAS | 
 | EXPLOITS | 
 | IS | 
Release Process
This release is a three-step process:
- Permissions change (May 26): Update the requested permissions in JupiterOne's GitHub App. This change has already been made, and GitHub Organization Admins should already have received a notification about the requested permission.
- Dependabot findings available by request (May 31): For customers who request this update, we will release a new version of the integration that uses the new permission to ingest these entities. This will roll out only to accounts that request the change. To request access, please contact your customer success manager.
- Dependabot findings generally available (Summer 2022): We will roll out this change to all customers later this summer, after validation with the initial customers who requested access.
Permissions Request
GitHub will automatically send an email to your GitHub Organization Admins, an "Updated Permissions Request," notifying them of the new permissions that need to be accepted in the JupiterOne GitHub app in order to ingest data for the github_finding, cve and cwe entities.
The new permissions requested are:
- Dependabot alerts
If the admin does not grant the new permission, this data will not be imported to JupiterOne, but all other data will continue to be ingested as usual.
Ingesting findings and vulnerabilities may increase the time an integration job needs to complete. The polling interval may need to be lengthened to accommodate the longer run times.
Billable Assets Impact
Little to no impact: github_finding is a non-billable entity. While cve and cwe are billable entities, only one billable entity is created per CVE or CWE, regardless of how many findings reference that CVE or CWE.
To request access to this update, please contact your assigned Customer Success Engineer.
Additional Information
The code for this integration is available in the public repo on GitHub: https://github.com/JupiterOne/graph-github
Changelog file: https://github.com/JupiterOne/graph-github/blob/main/CHANGELOG.md