Integrate with GitHub.com

Overview

Integrating GitHub.com allows Bridgecrew Cloud to:

  • Include your Infrastructure-as-Code files in daily scans.
  • Scan changed resources in Infrastructure-as-Code files for every new build generated (before it is merged to the main branch) and provide an actionable view of the results via GitHub checks - see Code Review.
  • Display compliance badges for your repositories - see Code Repository Badges.
  • Open Pull Requests when you remediate buildtime Incidents in your main branch - see Remediate.

Note on Scans

  • Daily Scans - These scans analyze the entire contents of your Infrastructure-as-Code files in your main branch.
  • Scans triggered by Infrastructure-as-Code file changes in other branches - These scans inspect only the resources changed in the latest build of the branch.

How to Integrate Bridgecrew with GitHub

Note: For details on integrating Bridgecrew with GitHub Enterprise, see here.

The Product Tour will lead you to the Integrations tab.

  1. Under Continuous Integration, press GitHub and then Add Account.
  2. Press Set up on GitHub Marketplace.
  3. Choose a GitHub organization.
    A GitHub settings page will open.
  4. Under Repository Access, select All Repositories or select specific repositories.
    We recommend providing access to All Repositories to ensure that all Terraform and CloudFormation files will be accessible.

Note that although Bridgecrew will have the permissions to read all repositories, we will not actually read any repositories that you do not select in the next step.

This is NOT required, however. You can also authorize individual repositories in GitHub, which restricts what Bridgecrew can see and what you can select in the next step.

See below for an example set of GitHub API calls you can use to automatically add repositories, which makes it easier to manage a large list.

  5. Press Save.
    You will be directed back to the Bridgecrew application.
  6. On the GitHub integration page in the Bridgecrew application, select the relevant repositories and press Confirm. By default, Bridgecrew will create comments in the scanned files when violations are found (see example below).

Example

The image below shows an example of a Bridgecrew comment on a violation found in IaC resources modified in the PR that triggered the scan.
The comment includes violation details and a link to a documentation page that explains the related Policy.

Authorizing a repository via the GitHub API

If you choose to select individual repositories in step 4 above, it can become challenging to manage a large list of repositories in a microservices-based or similar dynamic environment. Unfortunately, this is a limitation of the GitHub UI and is not controllable by Bridgecrew.

However, you can perform the following steps to automatically add a repo. The steps below work for a personal repository, but the process is similar if you are a GitHub administrator for your organization.

  1. In GitHub, go to installed apps and click "configure" for the "Bridgecrew" app.
  2. Note the installation ID in the URL: https://github.com/settings/installations/1234567
  3. Go here and create a personal API access token. For simplicity, enable all scopes.
  4. Fetch the repo ID for a repository you want to add:

curl -u GITHUB_USERNAME:GITHUB_API_TOKEN -H "Accept: application/vnd.github.v3+json" https://api.github.com/users/GITHUB_USERNAME/repos | jq '.[] | select(.name == "REPO_NAME") | .id'

  5. Add the repo to the list of authorized apps:

curl -u GITHUB_USERNAME:GITHUB_API_TOKEN -H "Accept: application/vnd.github.v3+json" -X PUT https://api.github.com/user/installations/INSTALLATION_ID/repositories/REPO_ID

  6. If you go to the GitHub integrations page in Bridgecrew, you should see the new repository available to be selected. You can use the "Select all" button to select all the repos you authorized.
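The two curl commands in steps 4 and 5 are enough for one repository; for a long list you will want the lookup and the PUT in one loop with an outcome per repo. The script below is an added example, not Bridgecrew's code or a GitHub-provided tool. It follows the same GitHub REST v3 endpoints as the curl commands, with two changes: it lists repositories through the authenticated /user/repos endpoint (the /users/USERNAME/repos endpoint used above returns only public repositories) and follows pagination, and it distinguishes GitHub's 204 (added) from 304 (already authorized) responses on the installation PUT. The environment variable names (GITHUB_USERNAME, GITHUB_API_TOKEN, INSTALLATION_ID) are assumptions for this script; the HTTP layer is pluggable so the demo_transport with constructed sample repositories lets you exercise the logic offline before pointing it at GitHub.

```python
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

API = "https://api.github.com"
ACCEPT = "application/vnd.github.v3+json"

# A transport takes (method, url, headers) and returns (status, body). Keeping the
# HTTP layer pluggable lets the same logic run against GitHub or the offline demo below.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


def auth_headers(username: str, token: str) -> Dict[str, str]:
    """Basic auth with a personal access token, equivalent to curl -u USER:TOKEN."""
    creds = base64.b64encode(f"{username}:{token}".encode()).decode()
    return {"Accept": ACCEPT, "Authorization": f"Basic {creds}"}


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport: one HTTPS request; non-2xx statuses are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def list_owned_repo_ids(transport: Transport, headers: Dict[str, str],
                        per_page: int = 100) -> Dict[str, int]:
    """Map repo name -> numeric id for every repo the token owner owns, across all pages."""
    ids: Dict[str, int] = {}
    page = 1
    while True:
        url = f"{API}/user/repos?affiliation=owner&per_page={per_page}&page={page}"
        status, body = transport("GET", url, headers)
        if status != 200:
            raise RuntimeError(f"GET /user/repos failed with HTTP {status}")
        batch = json.loads(body)
        for repo in batch:
            ids[repo["name"]] = repo["id"]
        if len(batch) < per_page:  # a short (or empty) page is the last one
            return ids
        page += 1


def authorize_repos(transport: Transport, headers: Dict[str, str],
                    installation_id: str, repo_names: List[str]) -> Dict[str, str]:
    """PUT each named repo onto the app installation and report one outcome per repo."""
    ids = list_owned_repo_ids(transport, headers)
    outcome: Dict[str, str] = {}
    for name in repo_names:
        repo_id = ids.get(name)
        if repo_id is None:
            outcome[name] = "not_found"  # typo, or a repo the token owner does not own
            continue
        url = f"{API}/user/installations/{installation_id}/repositories/{repo_id}"
        status, _ = transport("PUT", url, headers)
        if status == 204:
            outcome[name] = "added"
        elif status == 304:
            outcome[name] = "already_authorized"  # GitHub returns 304 if it was already listed
        else:
            outcome[name] = f"error:{status}"
    return outcome


# Constructed sample data for running offline; names and ids are made up.
DEMO_REPOS = [{"name": "infra-live", "id": 111}, {"name": "modules", "id": 222}]
DEMO_ALREADY_AUTHORIZED = {222}


def demo_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Offline stand-in for GitHub that honours per_page/page and the 204/304 contract."""
    parsed = urllib.parse.urlparse(url)
    query = urllib.parse.parse_qs(parsed.query)
    if method == "GET" and parsed.path == "/user/repos":
        per_page = int(query.get("per_page", ["30"])[0])
        page = int(query.get("page", ["1"])[0])
        start = (page - 1) * per_page
        return 200, json.dumps(DEMO_REPOS[start:start + per_page]).encode()
    if method == "PUT" and parsed.path.startswith("/user/installations/"):
        repo_id = int(parsed.path.rsplit("/", 1)[1])
        if repo_id in DEMO_ALREADY_AUTHORIZED:
            return 304, b""
        if any(r["id"] == repo_id for r in DEMO_REPOS):
            return 204, b""
    return 404, b'{"message":"Not Found"}'


if __name__ == "__main__":
    # Usage: GITHUB_USERNAME=... GITHUB_API_TOKEN=... INSTALLATION_ID=1234567 python add_repos.py repo-a repo-b
    hdrs = auth_headers(os.environ["GITHUB_USERNAME"], os.environ["GITHUB_API_TOKEN"])
    result = authorize_repos(urllib_transport, hdrs, os.environ["INSTALLATION_ID"], sys.argv[1:])
    for name, state in result.items():
        print(f"{name}: {state}")
```

Run it with the repository names as arguments and it prints added, already_authorized, not_found or error:<status> for each one; a not_found result before any PUT is what you see for a name typo or a repository you do not own, so the script never tries to authorize an id it did not resolve itself. To try the logic without touching GitHub, call authorize_repos(demo_transport, {}, "1234567", [...]) from a Python shell.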
