# GitHub

With our CI integration to GitHub you can automatically upload your latest commits and pull requests to Debricked. Best of all, it only takes a couple of minutes to set up!

There are currently two ways of integrating your projects with Debricked: installing the GitHub app, or running the Debricked GitHub action as part of your CI pipeline. Both are described in their own sections below.

# GitHub app installation

  • Start by heading over to https://github.com/apps/debricked/.
  • Click the Install button in the top right corner.
  • Choose your personal account or your organisation's account.
  • If you haven't entered your password in a while, you might have to re-enter your personal account password.
  • Install directly or request access to install.
  • If installing to a personal account, or to an organisation account where you are an admin, you will be able to select which repositories (or all of them) you want to install the integration to.
  • If not, you will still be able to select which repositories (or all of them) you want to install the integration to, but an organisation admin will have to approve your installation request.
  • If the installation was successful, you or your organisation admin will be redirected to Debricked's service settings. A popup will be shown letting you trigger a first-time scan of your repositories.

Note

Repositories not selected during the first scan will not be scanned initially. However, new commits to a repo will trigger a scan.

# Triggering manual scan and verifying installation

If the installation was added successfully, you should now have a new installation entry on the Integrations, GitHub CI tab, see image below. You can also manually trigger new scans by hitting the Open repository scanner button.

GitHub example configuration

# Configuring integration

You can configure the GitHub integration, for example to exclude directories or to skip adding the scan output to GitHub, by adding a .debricked.yaml file to the root of your repository.

# Excluding directories

You may want to do this if you, for example, get a message like "Your repository seems to be too large." In this case you need to exclude some directories to make the scan pass. To exclude directories:

  • Create or edit .debricked.yaml in the root of your repository
  • Put the directories you want to exclude in the file, like so:
excluded_directories: ['large-directory', 'important-directory/unwanted-directory', 'another-directory']
  • Commit, done!

# Enable skip scan

You may want to do this if you don't want your pipeline to break because you have vulnerabilities, or if you have a very complex project where the scan time is too long for your needs. To skip adding scan output to GitHub:

  • Create or edit .debricked.yaml in the root of your repository
  • Set skip_scan to true, like so:
skip_scan: true
  • Commit, done!

# GitHub actions

You can scan your repositories as part of your CI pipeline by using the GitHub action debricked/actions/scan@v1. To configure the action, two parameters are needed: USERNAME and PASSWORD, see example file below.

name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/actions/scan@v1
      env:
        USERNAME: ${{ secrets.DEBRICKED_USERNAME }}
        PASSWORD: ${{ secrets.DEBRICKED_PASSWORD }}

You can add your username and password as secrets under "Settings -> Secrets" in your repository.

# Skip scan feature

Sometimes you just wish to start a dependency scan in the background, without having it block the pipeline. To do this, use the skip-scan action. It will upload dependency files to Debricked without waiting for the scan results. However, remember to visit Debricked regularly so you don't miss any new vulnerabilities in your code! See example workflow below.

name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/actions/skip-scan@v1
      env:
        USERNAME: ${{ secrets.DEBRICKED_USERNAME }}
        PASSWORD: ${{ secrets.DEBRICKED_PASSWORD }}

# Upload a whole repository

In most cases, such as above, the tool only needs to upload your dependency files to the service. However, for certain languages, you may need to upload a complete copy of the repository. You then need to add the variable UPLOAD_ALL_FILES: "true" to the action, as below.

name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/actions/scan@v1
      env:
        USERNAME: ${{ secrets.DEBRICKED_USERNAME }}
        PASSWORD: ${{ secrets.DEBRICKED_PASSWORD }}
        UPLOAD_ALL_FILES: "true"

You can of course also combine this with the skip-scan action described above.
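As an added example (not from the Debricked documentation) that ties the skip-scan and whole-repository sections together: pull requests run the blocking scan so findings surface before merge, while pushes to the main branch only upload the repository in the background with skip-scan. The branch name main and the secret names are assumptions; both steps use the actions shown above.

```yaml
name: Vulnerability scan

on:
  pull_request:
  push:
    branches: [main]   # assumed default branch name

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2

    # Pull requests: full scan that blocks the pipeline on findings,
    # so vulnerable dependencies are caught before they reach main.
    - if: github.event_name == 'pull_request'
      uses: debricked/actions/scan@v1
      env:
        USERNAME: ${{ secrets.DEBRICKED_USERNAME }}
        PASSWORD: ${{ secrets.DEBRICKED_PASSWORD }}
        UPLOAD_ALL_FILES: "true"

    # Pushes to main: upload the whole repository without waiting for
    # results, keeping the Debricked view current without slowing the build.
    - if: github.event_name == 'push'
      uses: debricked/actions/skip-scan@v1
      env:
        USERNAME: ${{ secrets.DEBRICKED_USERNAME }}
        PASSWORD: ${{ secrets.DEBRICKED_PASSWORD }}
        UPLOAD_ALL_FILES: "true"
```

Because the push path never waits for results, the findings for main still have to be reviewed in Debricked itself.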