This sample service demonstrates how to implement a custom GitHub app to efficiently scale application security. Presented at the GitHub Universe 2024 session "Go big! Efficiently deploy and customize security tooling at enterprise scale".
The app implements the following sample behaviors:

- Reopens GitHub Advanced Security alerts: when an unauthorized user dismisses a security alert (Dependabot, code scanning, or secret scanning), the alert will be reopened and a GitHub issue created so that the team can follow up.
- Detects CodeQL default setup failures: when a workflow running CodeQL in default setup mode fails, a GitHub issue will be created so the security team can follow up.
- Adds customized advice to pull requests that have code scanning alerts: when a specific type of new CodeQL alert is detected in a pull request, the app adds a comment with custom information.
Running the app requires:

- Node.js 20 or higher.
- A GitHub app subscribed to the following permissions and events:

  | Repository permission | Access |
  | --- | --- |
  | Actions | Read-only |
  | Code scanning alerts | Read and write |
  | Dependabot alerts | Read and write |
  | Issues | Read and write |
  | Secret Scanning Alerts | Read and write |

  Events:

  - Code scanning alert
  - Dependabot alert
  - Secret scanning alert
  - Workflow run

- The GitHub app's webhook server (this source code) must be configured to receive events at a URL that is accessible from the internet unless GitHub Enterprise Server is being used.
To set up and run the app:

- Clone this repository.
- Create a `.env` file similar to `.env.sample` and set actual values.

  | Environment variable | Usage | Description |
  | --- | --- | --- |
  | `APP_ID` | Required | GitHub App id. |
  | `PRIVATE_KEY_PATH` | Required | Path to `.pem` file containing the private key for the GitHub app. Configured in GitHub app settings. |
  | `WEBHOOK_SECRET` | Required | Shared secret for webhooks. Configured in GitHub app settings. |
  | `ISSUE_ORG` | Required | Organization containing the repository to create issues in. |
  | `ISSUE_REPO` | Required | Name of the repository to create issues in. |
  | `SECURITY_REVIEWERS` | Required | Comma delimited list of usernames that have access to dismiss security alerts. |
  | `PORT` | Optional | Listening port for the server. Defaults to 3000. |
  | `ENTERPRISE_HOSTNAME` | Optional | Hostname of the GitHub Enterprise Server instance. If blank, GitHub Enterprise Cloud will be used. |

- Install dependencies using `npm ci`.
- Start the server with `npm run server`.
To keep things simple for this example, the GitHub application's private key (`PRIVATE_KEY_PATH`) and webhook secret (`WEBHOOK_SECRET`) are read from the environment. Storing secrets in environment variables and unencrypted files is insecure.
The secure and recommended approach is to use a secrets management system like Vault, or one offered by major cloud providers: Azure Key Vault, AWS Secrets Manager, Google Secret Manager, etc.
This repository is based on the sample code showcased in github-app-js-sample.