# GitHub

With our GitHub CI integration you can automatically upload your latest commits and pull requests to Debricked. Best of all, it only takes a couple of minutes to set up!

There are currently two ways of integrating your projects with Debricked: the GitHub app and GitHub actions. Both are described in their own sections below.

# GitHub app installation

  • Start by heading over to https://github.com/apps/debricked/.
  • Click on the Install button in the top right corner.
  • Choose your personal account or your organisation's account.
  • If you haven't entered your password in a while, you might have to re-enter your personal account password.
  • Install directly or request access to install.
  • If you are installing to a personal account, or to an organisation account where you are an admin, you will be able to select which repositories (or all of them) you want to install the integration to.
  • If not, you will still be able to select which repositories (or all of them) you want to install the integration to, but an organisation admin will have to approve your installation request.
  • If the installation was successful, you or your organisation admin will be redirected to Debricked's service settings. A popup will be shown letting you trigger a first-time scan of your repositories.

Note

Repositories not selected during the first scan will not be scanned initially. However, new commits to a repo will trigger a scan.

# GitHub app configuration

If you selected specific repositories upon installation, and would like to add more repos to be scanned,

# Triggering manual scan and verifying installation

If the installation was added successfully, you should now have a new installation entry on the Integrations page under the GitHub CI tab, see image below. You can also manually trigger new scans by hitting the Open repository scanner button.

GitHub example configuration

# Configuring integration

It is possible to configure the GitHub integration, for example to exclude directories or to skip adding the scan output to GitHub, by adding a .debricked.yaml file to the root of your repository.

Note

It can take up to an hour before config changes take effect. Our GitHub actions alternative does not have this limitation.

# Enabling slow scan

You may want to do this if, for example, you get a message like "Your repository seems to be too large...". In this case you need to enable slow scan to make the scan pass. To enable it:

  • Create or edit .debricked.yaml in the root of your repository
  • Set slow_scan to true, like so:

    ```yaml
    slow_scan: true
    ```

  • Commit, done!

Note

Slow scan does exactly what it says: it makes the scan slower. It should only be used if your repository can't be scanned using the normal scan.

# Excluding directories

You may want to do this if, for example, you get a message like "Your repository seems to be too large...". In this case you need to exclude some directories to make the scan pass. To exclude directories:

  • Create or edit .debricked.yaml in the root of your repository
  • Put the directories you want to exclude in the file, like so:

    ```yaml
    excluded_directories: ['large-directory', 'important-directory/unwanted-directory', 'another-directory']
    ```

  • Commit, done!

# Enable skip scan

You may want to do this if you don't want your pipeline to break because you have vulnerabilities, or if you have a very complex project where the scan time is too long for your needs. To skip adding the scan output to GitHub:

  • Create or edit .debricked.yaml in the root of your repository
  • Set skip_scan to true, like so:

    ```yaml
    skip_scan: true
    ```

  • Commit, done!
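The three .debricked.yaml settings above (slow_scan, excluded_directories and skip_scan) are easy to get subtly wrong: a misspelled key is silently ignored, and excluding a directory that holds a dependency manifest quietly removes those dependencies from the scan. The following is an added example, not Debricked's own code, of a small pre-commit style linter for the file. It assumes the flat "key: value" form shown on this page (true/false scalars and a single-line quoted flow list) and an assumed list of common manifest file names; anything more complex should go through a real YAML parser.

```python
import ast
import tempfile
from pathlib import Path
# Keys this page documents -> expected type; the manifest names are an assumed list.
KNOWN_KEYS = {"slow_scan": bool, "skip_scan": bool, "excluded_directories": list}
MANIFESTS = {"package.json", "requirements.txt", "pom.xml", "go.mod", "Gemfile"}

def parse_flat_config(text: str) -> dict:
    """Parse the flat 'key: value' form shown above (true/false, quoted flow lists)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if value.lower() in ("true", "false"):
            cfg[key] = value.lower() == "true"
        elif value.startswith("["):
            cfg[key] = [str(x) for x in ast.literal_eval(value)]
        else:
            cfg[key] = value  # keep other scalars so lint_config can flag their type
    return cfg

def lint_config(cfg: dict, repo_root: Path) -> list:
    """Return findings a reviewer would raise; an empty list means the config is clean."""
    findings = []
    for key, value in cfg.items():
        expected = KNOWN_KEYS.get(key)
        if expected is None:
            findings.append(f"unknown key '{key}' (typo? it will be ignored)")
        elif not isinstance(value, expected):
            findings.append(f"'{key}' should be {expected.__name__}, got {value!r}")
    if cfg.get("skip_scan") is True:
        findings.append("skip_scan is on: vulnerabilities will not block the pipeline")
    for d in cfg.get("excluded_directories", []):
        if not (repo_root / d).is_dir():
            findings.append(f"excluded directory '{d}' does not exist")
        elif any(f.name in MANIFESTS for f in (repo_root / d).rglob("*")):
            findings.append(f"excluded directory '{d}' hides a dependency manifest")
    return findings

def lint_constructed_sample() -> list:
    """Lint a throwaway repository built here (constructed, not a real project)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "large-directory" / "sub").mkdir(parents=True)
        (root / "large-directory" / "sub" / "package.json").write_text("{}")
        text = "slow_scan: true\nskip_scan: true\nexcluded_directories: ['large-directory', 'another-directory']\n"
        return lint_config(parse_flat_config(text), root)
```

Run lint_constructed_sample() to see the three findings for the sample config; in a real hook, read .debricked.yaml from the repository root and fail the commit if lint_config returns anything.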

# Uninstallation

If there is a problem during installation of the app, you can uninstall it as follows.

  • Go to your GitHub user settings
  • If the app was installed on an organizational account, switch to that account
  • Under "Account settings", click "Applications"
  • Find Debricked's app in the list, and hit "configure"
  • At the bottom, click on "Uninstall"

GitHub uninstall app

To re-install the app, follow the installation guide or set up GitHub actions.

If you are uninstalling the app due to unmet expectations, or other issues, please let us know at support@debricked.com.

# GitHub actions

You can scan your repositories as part of your CI pipeline by using the GitHub action debricked/actions/scan@v1. To configure the action, you need to either generate an access token (recommended) or use your username and password. The example below shows how to use an access token.

```yaml
name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/actions/scan@v1
      env:
        DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
```

You can add your access token as a secret under "Settings -> Secrets" in your repository.

# Skip scan feature

Sometimes you just wish to start a dependency scan in the background, without actually having it block the pipeline. To do this, use the skip-scan action. It will upload dependency files to Debricked without waiting for the scan results. However, remember to visit Debricked regularly so you don't miss any new vulnerabilities in your code! See the example workflow below.

```yaml
name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/actions/skip-scan@v1
      env:
        DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
```

# Upload a whole repository

In most cases, such as above, the tool only needs to upload your dependency files to the service. However, for certain languages you may need to upload a complete copy of the repository. You then need to add the variable UPLOAD_ALL_FILES: "true" to the action, as below.

```yaml
name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/actions/scan@v1
      env:
        DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
        UPLOAD_ALL_FILES: "true"
```

You can of course also combine this with the skip-scan action described above.