GitHub Integration for Code Scanner


Introduction

Integrating with GitHub is required to use the Code Scanner functionality in TrustWorks. The integration lets users run code scans on repositories from their linked GitHub account, giving privacy teams a self-service, on-demand overview of the personal data and risks found in code without depending on engineering teams.


Prerequisites

Generating an API Key/Token in GitHub

Before you begin the integration process, you need to generate a personal access token (API key) in GitHub. The token inherits the access of the account that creates it, so create it under an account that can see only the repositories you intend to scan. Here's a brief guide:

  1. Go to your GitHub account settings.
  2. Click on Developer settings in the left sidebar.
  3. Select Personal access tokens and click on the Generate new token button.
  4. Give your token a descriptive name, set an expiration date, and grant only the permissions it needs. The Code Scanner only reads repository contents, so for a fine-grained token select the repositories to scan and set Repository permissions > Contents to Read-only; do not grant write, workflow or administrative permissions.
  5. Click on the Generate token button at the bottom of the page.
  6. Copy the generated token and store it securely, as you won't be able to see it again. Treat it like a password: anyone holding it can read the same repositories you can.

For a more detailed guide, follow the instructions in the GitHub guide Managing Your Personal Access Tokens.


GitHub token types: Classic vs. Fine-Grained

TrustWorks supports both Classic and Fine-grained tokens, but we recommend Fine-grained tokens because they can be restricted far more tightly. In both cases the integration needs only read access to repository contents; the difference is how narrowly each token type can be scoped:

  • Classic tokens: Scopes apply to every repository the account can access, and there is no read-only scope for private repositories (the repo scope grants read and write). A classic token therefore always carries more access than the Code Scanner needs.
  • Fine-Grained tokens: Permissions are granted per resource, can be limited to selected repositories, can be set to Contents: Read-only, and always expire. This is the recommended option for the Code Scanner integration.
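
Before pasting a token into any third-party integration, it is worth confirming that it is the type you intended, that it is valid, and that it carries no more than read access to the repositories you plan to scan. The script below is an added example for this page, not TrustWorks or GitHub code. It assumes the public GitHub REST API at api.github.com, the documented token prefixes (ghp_ for classic, github_pat_ for fine-grained), a token supplied through the GITHUB_TOKEN environment variable, and a constructed repository name example-org/example-repo; replace that with the repositories you intend to import.

```python
"""Pre-flight check for a GitHub personal access token before handing it
to a read-only integration. Added example; assumes the public GitHub REST
API, the documented token prefixes, and a constructed repository list."""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"

# Classic-token scopes that grant write or admin rights. A token carrying
# any of these can do far more than read code and should not be given to a
# read-only integration.
WRITE_SCOPES = {
    "repo", "public_repo", "workflow", "delete_repo", "admin:org",
    "admin:repo_hook", "admin:org_hook", "admin:public_key", "admin:gpg_key",
    "write:packages", "delete:packages", "write:discussion", "admin:enterprise",
}


def classify_token(token):
    """Identify the token type from its documented prefix."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def parse_scopes(header_value):
    """Turn the X-OAuth-Scopes header value ("repo, read:org") into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def risky_scopes(scopes):
    """Return the subset of granted scopes that allow more than reading."""
    return set(scopes) & WRITE_SCOPES


def api_get(token, path):
    """GET an API path; return (status, headers, parsed JSON body or None)."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": "Bearer " + token,
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
            "User-Agent": "pat-preflight",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.URLError as err:  # HTTPError is a subclass
        return getattr(err, "code", 0), getattr(err, "headers", None) or {}, None


def preflight(token, repos):
    """Run the checks and return a summary that contains no secrets."""
    report = {"type": classify_token(token), "valid": False,
              "risky_scopes": set(), "expires": None, "readable": {}}
    status, headers, _ = api_get(token, "/user")
    if status != 200:
        return report
    report["valid"] = True
    # Only classic tokens report their scopes; fine-grained tokens omit
    # the header, so for them the per-repository probe below is the check.
    report["risky_scopes"] = risky_scopes(parse_scopes(headers.get("X-OAuth-Scopes", "")))
    report["expires"] = headers.get("GitHub-Authentication-Token-Expiration")
    for repo in repos:
        st, _, _ = api_get(token, "/repos/%s/contents/" % repo)
        report["readable"][repo] = st == 200   # read access is all the scanner needs
    return report


if __name__ == "__main__":
    tok = os.environ.get("GITHUB_TOKEN", "")
    if not tok:
        sys.exit("set GITHUB_TOKEN in the environment (never on the command line)")
    # Constructed sample: the repositories you intend to import into the scanner.
    result = preflight(tok, ["example-org/example-repo"])
    print(json.dumps(result, default=sorted, indent=2))
```

A non-empty risky_scopes list on a classic token means the token can write to repositories and should be replaced with a fine-grained one before it is stored in TrustWorks. For a fine-grained token the useful signal is the readable map: the repositories you plan to scan should answer with 200, and a repository you did not select should not, which confirms the token is limited to the intended set.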

Connecting TrustWorks to GitHub


Access Integrations

  • Navigate to Global Settings > Integrations in TrustWorks.
  • Click on the + New Integration button.


Set up GitHub Integration

  • Select GitHub from the integration list.
  • Choose the authentication method (Basic).
  • Enter your GitHub admin email and the API Key/Token you generated earlier. TrustWorks stores this token to access your repositories, so use the read-only, repository-scoped token described above rather than a token shared with other tools.


Test the connection

  • Click on the Test connection button.
  • If the connection is successful, you will see the Save integration button. Click it to save the integration.


Using the Code Scanner


Creating a new workflow for Code Scanner

  1. Navigate to the Workflows module and click on + New Workflow.
  2. Give your workflow a descriptive name, make it active, and set the context to Data Mapping. Start and end nodes now appear in the workflow builder.
  3. Select a trigger for the workflow:
     • For manual execution, select a "Manual" trigger.
     • For automation, select an "Event" trigger and choose the event type "code repository is created". This is the only code-scanning automation available so far; with any other event type the Code Scan node is skipped, because no code repository is attached to the event.
  4. Select the action to be triggered, in this case "Code Scan".
  5. Link the trigger to the start node, the start node to the Code Scan node, and the Code Scan node to the end node.
  6. Save your workflow.

Import repositories for scanning

  1. Navigate to the Code Scanner section.
  2. Select the GitHub integration you've just set up and click on the Import button.
  3. Choose the repositories you want to scan from the list of repositories available to your token, and optionally select "Create data repository". When selected, the data repository is added to your data map.
  4. Start the Import.


Scanning your data repositories

  1. Select at least one of the imported data repositories.
  2. Select the code scan workflow you created earlier and execute it.
  3. Depending on the number of selected data repositories and their size, the scan can take from a few minutes to an hour. While it is executing, the status of the scan is shown as "draft".


Reviewing and approving code scan findings in TrustWorks

  1. Once the Code Scan is complete, the status changes to "In Review".
  2. View and review the findings by clicking on the "edit" icon.
  3. Here you will see the discovered Data Types, Data Repository Types, and All findings.
  4. If you're satisfied with the findings, approve the code scan.


Conclusion

Integrating GitHub with TrustWorks for the Code Scanner functionality provides a powerful tool for privacy teams to gain insights into personal data and risks within their code repositories. By following the steps outlined in this guide, you can easily set up the integration, create workflows for code scanning, and review the findings in TrustWorks. This integration empowers privacy teams to take control of their data and mitigate risks without relying on engineering teams.
