Keyless authentication in GitHub
To enable Keyless Authentication for GitHub Actions, you’ll need to perform the following steps:
- Ensure you are using the Endor Labs GitHub Action in your GitHub workflow.
- Edit your GitHub Action workflow to add permission settings for the GitHub id-token
- Create an authorization policy for GitHub Action OIDC
- Test that you can successfully scan a project using GitHub Action OIDC
Add a GitHub Action OIDC authorization policy
To ensure that the GitHub Action OIDC identity can successfully log in to Endor Labs, you’ll need to create an authorization policy in Endor Labs.
To create an authorization policy:
- Under Manage go to Access Control
- Navigate to the “Auth Policy” tab
- Click on the “Add Auth Policy” button
- Select “GitHub Action OIDC” as your identity provider
- Select the permission for the GitHub Action. This permission should be “Code Scanner”
- For the claim, use the key user and put in a matching value that maps to the organization of your GitHub repository.
Configure your GitHub Action workflow
To configure your GitHub Action workflow with GitHub Action OIDC you can use the following example as a baseline.
The important items in this workflow are:
- The usage of the Endor Labs GitHub action.
- Setting job-level permissions to allow writing to the GitHub id-token
name: Example Scan of OWASP Java
on: workflow_dispatch
jobs:
  create_project_owasp:
    permissions:
      id-token: write # This is required for requesting the JWT
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3
        with:
          repository: OWASP-Benchmark/BenchmarkJava
      - name: Setup Java
        uses: actions/setup-java@v3
        with:
          distribution: 'microsoft'
          java-version: '17'
      - name: Compile Package
        run: mvn clean install
      - name: Scan with Endor Labs
        uses: endorlabs/github-action@main # This workflow uses the Endor Labs GitHub action to scan.
        with:
          namespace: 'demo'
          scan_summary_output_type: 'json'
          pr: false
          scan_secrets: true
          scan_dependencies: true
Now that you’ve successfully configured your GitHub Action workflow file, you can use this workflow file or one of your own design to run a test scan using Keyless authentication for GitHub Actions.
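The following is an added example, not code from the Endor Labs documentation or action: a small Python audit that checks a parsed workflow for the id-token permission this page calls out, following GitHub's rule that a job-level permissions block replaces the workflow-level one. It assumes the workflow has already been loaded into a dict (for example with yaml.safe_load); the sample workflow below is constructed inline.

```python
"""Audit a parsed GitHub Actions workflow for the OIDC permission the
Endor Labs scan step needs, and flag grants broader than that."""

ENDOR_ACTION = "endorlabs/github-action"  # action referenced in the workflow above


def effective_permissions(workflow: dict, job: dict) -> dict:
    """A job-level `permissions` block replaces the workflow-level block
    entirely; fall back to the workflow block only when the job has none."""
    perms = job.get("permissions", workflow.get("permissions", {}))
    if isinstance(perms, str):  # shorthand 'read-all' / 'write-all'
        return {"*": "write" if perms == "write-all" else "read"}
    return dict(perms or {})


def uses_endor_action(job: dict) -> bool:
    return any(str(s.get("uses", "")).startswith(ENDOR_ACTION) for s in job.get("steps", []))


def audit_workflow(workflow: dict) -> dict:
    """Return {job_id: [findings]}; an empty list means the job passes."""
    report = {}
    for job_id, job in workflow.get("jobs", {}).items():
        findings = []
        perms = effective_permissions(workflow, job)
        has_token = perms.get("id-token") == "write" or perms.get("*") == "write"
        if uses_endor_action(job) and not has_token:
            findings.append("uses Endor Labs action but lacks id-token: write (OIDC login will fail)")
        if has_token and not uses_endor_action(job):
            findings.append("grants id-token: write without a step that needs an OIDC token")
        if perms.get("*") == "write":
            findings.append("write-all is broader than the id-token grant the scan needs")
        if "permissions" not in job and "id-token" in (workflow.get("permissions") or {}):
            findings.append("id-token inherited from workflow level; scope it to this job")
        report[job_id] = findings
    return report


# Constructed sample mirroring the workflow on this page, plus a job missing the grant
SAMPLE_WORKFLOW = {
    "name": "Example Scan of OWASP Java",
    "on": "workflow_dispatch",
    "jobs": {
        "create_project_owasp": {
            "permissions": {"id-token": "write"},
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v3"},
                      {"uses": "endorlabs/github-action@main", "with": {"namespace": "demo"}}]},
        "missing_token": {"runs-on": "ubuntu-latest",
                          "steps": [{"uses": "endorlabs/github-action@main"}]},
    },
}

if __name__ == "__main__":
    for job_id, findings in audit_workflow(SAMPLE_WORKFLOW).items():
        print(job_id, "OK" if not findings else findings)
```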