Export findings to GitHub Advanced Security

Learn how to export findings to GitHub Advanced Security.

You can export the findings generated by Endor Labs to GitHub Advanced Security so that you can view the findings in the GitHub. Endor Labs exports the findings in the SARIF format and uploads them to GitHub. You can view the findings under Security > Vulnerability Alerts > Code Scanning in GitHub.

Ensure that you meet the following prerequisites before exporting findings to GitHub Advanced Security:

GHAS SARIF exporter allows you to export the findings generated by Endor Labs in the SARIF format.

You can create a GHAS SARIF exporter using the Endor Labs API.

Run the following command to create a GHAS SARIF exporter.

endorctl api create -n <namespace> -r Exporter -d '{
  "meta": {
    "name": "<exporter-name>"
  },
  "tenant_meta": {
    "namespace": "<namespace>"
  },
  "spec": {
    "exporter_type": "EXPORTER_TYPE_GHAS",
    "message_type_configs": [
      {
        "message_type": "MESSAGE_TYPE_FINDING",
        "message_export_format": "MESSAGE_EXPORT_FORMAT_SARIF"
      }
    ]
  },
  "propagate": true
}'

For example, to create a GHAS SARIF exporter named ghas-exporter in the namespace doe.deer, run the following command.

endorctl api create -n doe.deer -r Exporter -d '{
  "meta": {
    "name": "ghas-exporter"
  },
  "tenant_meta": {
    "namespace": "doe.deer"
  },
  "spec": {
    "exporter_type": "EXPORTER_TYPE_GHAS",
    "message_type_configs": [
      {
        "message_type": "MESSAGE_TYPE_FINDING",
        "message_export_format": "MESSAGE_EXPORT_FORMAT_SARIF"
      }
    ]
  },
  "propagate": true
}'

You can configure the scan profile to use the GHAS SARIF exporter and associate it with your project. You can also set the scan profile as the default scan profile so that all the projects in the namespace use the scan profile by default. See Scan profiles for more information.

Ensure that you select the GHAS SARIF exporter in the Export section of the scan profile.

  1. Select Settings from the left sidebar.

  2. Select Scan Profiles.

  3. Select the scan profile you want to configure and click Edit Scan Profile.

  4. Select the GHAS SARIF exporter under Exporters and click Save Scan Profile.

    Scan profile

Ensure that you choose the scan profile with the GHAS SARIF exporter for the project.

  1. Go to the Projects page and select the project you want to configure.

  2. Select Settings and select the scan profile you want to use under Scan Profile.

    Scan profile for project

After the configuration is complete, your subsequent scans will export the findings in the SARIF format and upload them to GitHub. You can use the rescan ability to scan the project immediately instead of waiting for the next scheduled scan. See Rescan projects for more information.

If you have enabled pull request scans in your GitHub App, the GHAS SARIF exporter exports the findings for each pull request.

  1. Navigate to your GitHub repository.

  2. Select Security

  3. Select Code scanning under Vulnerability Alerts.

    View findings in GitHub

    You can use the search bar to filter the findings. You can also view findings for a specific branch and other filter criteria. You can also view the findings specific to a pull request if you have enabled pull request scans. You can filter the findings by the pull request number and view findings associated with the pull request. You can select a finding and view the commit history behind the finding.

    Filter findings in GitHub