Export findings to GitHub Advanced Security

Learn how to export findings to GitHub Advanced Security.

You can export the findings generated by Endor Labs to GitHub Advanced Security so that you can view them in GitHub. Endor Labs exports the findings in the SARIF format and uploads them to GitHub. You can view the findings under Security > Vulnerability Alerts > Code Scanning in GitHub.

Prerequisites

Ensure that you meet the following prerequisites before exporting findings to GitHub Advanced Security:

Create a SARIF exporter

A SARIF exporter allows you to export the findings generated by Endor Labs in the SARIF format.

You can create a SARIF exporter using the Endor Labs API.

Run the following command to create a SARIF exporter, replacing <namespace> and <exporter-name> with your own values.

endorctl api create -n <namespace> -r Exporter -d '{
  "meta": {
    "name": "<exporter-name>"
  },
  "tenant_meta": {
    "namespace": "<namespace>"
  },
  "spec": {
    "exporter_type": "EXPORTER_TYPE_GHAS",
    "message_type_configs": [
      {
        "message_type": "MESSAGE_TYPE_FINDING",
        "message_export_format": "MESSAGE_EXPORT_FORMAT_SARIF"
      }
    ]
  },
  "propagate": true
}'

For example, to create a SARIF exporter named ghas-exporter in the namespace doe.deer, run the following command.

endorctl api create -n doe.deer -r Exporter -d '{
  "meta": {
    "name": "ghas-exporter"
  },
  "tenant_meta": {
    "namespace": "doe.deer"
  },
  "spec": {
    "exporter_type": "EXPORTER_TYPE_GHAS",
    "message_type_configs": [
      {
        "message_type": "MESSAGE_TYPE_FINDING",
        "message_export_format": "MESSAGE_EXPORT_FORMAT_SARIF"
      }
    ]
  },
  "propagate": true
}'

Configure scan profile and project to use the SARIF exporter

You can configure the scan profile to use the SARIF exporter and associate it with your project. You can also set the scan profile as the default scan profile so that all the projects in the namespace use the scan profile by default. See Scan profiles for more information.

Configure the scan profile

Ensure that you select the SARIF exporter in the Export section of the scan profile.

  1. Select Settings from the left sidebar.

  2. Select Scan Profiles.

  3. Select the scan profile you want to configure and click Edit Scan Profile.

  4. Select the SARIF exporter under Exporters and click Save Scan Profile.


Configure the project to use the scan profile

Ensure that you choose the scan profile with the SARIF exporter for the project.

  1. Go to the Projects page and select the project you want to configure.

  2. Select Settings and select the scan profile you want to use under Scan Profile.


Scan projects to use the SARIF exporter

After the configuration is complete, your subsequent scans will export the findings in the SARIF format and upload them to GitHub. You can use the rescan ability to scan the project immediately instead of waiting for the next scheduled scan. See Rescan projects for more information.
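The exported findings are plain SARIF 2.1.0 logs, so it helps to know what GitHub code scanning actually consumes from them: the rules declared under tool.driver.rules, and results that each carry a ruleId, a level, a message and a location, optionally tagged with GitHub's security-severity rule property. The following is an added example and not Endor Labs code; it parses a constructed SARIF sample (the scanner name, rule ids, paths and severities are invented), checks for the fields whose absence makes a result unusable in code scanning (undeclared ruleId, missing location), and summarizes the findings the way the Code scanning page groups them.

```python
import json
from collections import Counter

# Constructed sample: a minimal SARIF 2.1.0 log of the shape a scanner uploads
# to GitHub code scanning. Tool name, rule ids, paths and severities are invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "EXAMPLE-VULN-001",
                 "shortDescription": {"text": "Dependency has a known vulnerability"},
                 "properties": {"security-severity": "7.5"}},
                {"id": "EXAMPLE-LICENSE-002",
                 "shortDescription": {"text": "Dependency license not allowed"},
                 "properties": {"security-severity": "3.0"}},
            ],
        }},
        "results": [
            {"ruleId": "EXAMPLE-VULN-001", "level": "error",
             "message": {"text": "example-lib 1.2.3 is vulnerable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "go.mod"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EXAMPLE-VULN-001", "level": "error",
             "message": {"text": "other-lib 0.9.0 is vulnerable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "go.mod"},
                 "region": {"startLine": 20}}}]},
            {"ruleId": "EXAMPLE-LICENSE-002", "level": "warning",
             "message": {"text": "gpl-lib 2.0.0 uses GPL-3.0"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "go.mod"},
                 "region": {"startLine": 31}}}]},
        ],
    }],
})


def validate_sarif(doc):
    """Return the problems that would make a SARIF log unusable for code scanning.

    An empty list means the log passes these checks.
    """
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    runs = doc.get("runs") or []
    if not runs:
        problems.append("no runs")
    for i, run in enumerate(runs):
        declared = {r["id"] for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for j, res in enumerate(run.get("results", [])):
            if "ruleId" not in res:
                problems.append(f"run {i} result {j}: missing ruleId")
            elif res["ruleId"] not in declared:
                problems.append(f"run {i} result {j}: ruleId {res['ruleId']} not declared in tool.driver.rules")
            if not res.get("locations"):
                problems.append(f"run {i} result {j}: no location, so it cannot be attached to a file")
    return problems


def summarize_findings(sarif_text):
    """Parse a SARIF log and flatten each result into one finding record."""
    doc = json.loads(sarif_text)
    problems = validate_sarif(doc)
    if problems:
        raise ValueError("; ".join(problems))
    findings = []
    for run in doc["runs"]:
        # GitHub reads the security-severity rule property to rank alerts (CVSS-like 0-10).
        severity = {r["id"]: float(r.get("properties", {}).get("security-severity", 0))
                    for r in run["tool"]["driver"].get("rules", [])}
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res["ruleId"],
                "level": res.get("level", "warning"),  # SARIF default level is "warning"
                "severity": severity.get(res["ruleId"], 0.0),
                "file": loc["artifactLocation"]["uri"],
                "line": loc.get("region", {}).get("startLine"),
                "message": res["message"]["text"],
            })
    return findings


def count_by_level(findings):
    """Count findings per SARIF level, e.g. {'error': 2, 'warning': 1}."""
    return dict(Counter(f["level"] for f in findings))


if __name__ == "__main__":
    found = summarize_findings(SAMPLE_SARIF)
    for f in sorted(found, key=lambda f: -f["severity"]):
        print(f"{f['severity']:>4} {f['level']:<8} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    print(count_by_level(found))
```

Running the block prints the three constructed findings ordered by severity and the per-level counts. The validation step is the part worth keeping around: a result whose ruleId is not declared under tool.driver.rules, or that has no location, is the usual reason an upload succeeds yet an alert never appears in the Code scanning view.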

View findings in GitHub

  1. Navigate to your GitHub repository.

  2. Select Security.

  3. Select Code scanning under Vulnerability Alerts.

You can use the search bar to filter the findings specific to a pull request. This allows you to view the specific findings if you have enabled PR scans. You can also view findings for a specific branch and other filter criteria.