Begin Scanning a GitHub App

Authorize Data Security to connect to GitHub to scan all content shared within the app.
You can connect GitHub to Data Security to scan for public exposure of repository folders or source code files and ensure that your company’s proprietary information is secure. With GitHub, you can control whether Data Security scans a collection of owner accounts connected to an organization or a single owner account.
To connect GitHub to Data Security and begin scanning assets, you need to:
Support for automated remediation capabilities varies by SaaS application.

Add GitHub App

In order for Data Security to scan assets, you must consent to specific permissions while adding the GitHub App.
  1. To add the GitHub V2 app, go to Data Security > Applications > Add Application > GitHub.
  2. Click Connect to GitHub Account, then sign in with a GitHub account that has Owner privileges.
  3. Choose which repositories you want Data Security to scan:
    • (Recommended) If your GitHub account is part of an organization, Grant Data Security Organization access to scan your organization’s current and future repositories.
    • Selectively choose which repositories you want Data Security to scan.
  4. Authorize Data Security (listed as PAN ShieldArc) access to your GitHub account.
  5. Verify that you successfully granted Third-Party application access policy to Data Security.

Troubleshooting Onboarding for GitHub App

To ensure that your app has onboarded correctly without any issues in authentication or permissions, Data Security performs validation checks between the onboarding and scanning process. You can start scanning only after a successful validation. For GitHub, the following validations happen:
  • App Authentication
  • Validating Permissions
After the validation is successful, Data Security displays the sample data assets.
If the App Authentication or Validating Permissions check fails, try the following:
  1. Ensure you have administrator permissions.
  2. Go to your GitHub app directory and check if your Palo Alto Networks application is listed in the list of Installed Apps. Following are the app names for specific regions:
    • India region: SAAS Security API IN
    • Australia region: SaaS Security GITHUB-AUS
    • Japan region: SaaS Security GITHUB-JP
    • UK region: SaaS Security GITHUB-UK
    • EU region: SaaS Security API - EU
    • APAC region: SaaS Security API - APAC
    • US region: SaaS Security API - NAM
Handling Errors
To understand your error messages and ways to resolve them, see:
The other most common issues related to onboarding a GitHub App are as follows:
  • Symptom: Data Security does not create assets during forward scanning.
    Explanation: An existing Data Security account does not create assets during forward scanning because of a mismatch in the installation ID. Assets are therefore created only during backward scanning.
    Solution: For assets to be created during forward scanning as well, manually uninstall the existing Data Security app from your GitHub account or organization, then perform a fresh onboarding to install Data Security again.
  • Symptom: The Data Security web interface does not display assets that are associated with new branches.
    Explanation: For performance reasons, Data Security scans only the default branch of the repository, not all branches of the repository.
    Solution: This is expected behavior.
  • Symptom: The Data Security web interface does not display assets for a newly created repository.
    Explanation: You likely did not grant Organization access as outlined in Add GitHub App.
    Solution: Reauthenticate and authorize access to the new repository or grant Organization access.
If the issue persists, contact SaaS Security Technical Support.
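The Installed Apps check in step 2 and the "newly created repository" symptom can also be verified from the response of GitHub's REST endpoint `GET /orgs/{org}/installations`. The following is an added example, not Palo Alto Networks code: it parses a constructed sample response, and deriving the `app_slug` from the app names listed above is an assumption.

```python
import json
import re

# App names listed on this page for each region.
REGIONAL_APP_NAMES = [
    "SAAS Security API IN", "SaaS Security GITHUB-AUS", "SaaS Security GITHUB-JP",
    "SaaS Security GITHUB-UK", "SaaS Security API - EU", "SaaS Security API - APAC",
    "SaaS Security API - NAM",
]

def slugify(name):
    # Assumption: the slug is the lower-cased name with runs of
    # non-alphanumerics collapsed to "-". Confirm it on the app's GitHub page.
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")

def audit_installations(payload, app_names=REGIONAL_APP_NAMES):
    """Return one report per installation whose app_slug matches a listed app."""
    wanted = {slugify(n): n for n in app_names}
    reports = []
    for inst in payload.get("installations", []):
        name = wanted.get(inst.get("app_slug", ""))
        if name is None:
            continue  # some other app installed in the organization
        findings = []
        if inst.get("repository_selection") != "all":
            findings.append("selected repositories only: new repositories are not scanned")
        if inst.get("suspended_at"):
            findings.append("installation is suspended")
        reports.append({"app": name, "installation_id": inst["id"],
                        "repository_selection": inst.get("repository_selection"),
                        "findings": findings})
    return reports

# Constructed sample of a GET /orgs/{org}/installations response (not real data).
SAMPLE = json.loads("""
{"total_count": 2, "installations": [
  {"id": 1001, "app_slug": "saas-security-api-nam",
   "repository_selection": "selected", "suspended_at": null},
  {"id": 1002, "app_slug": "example-ci-app",
   "repository_selection": "all", "suspended_at": null}
]}
""")

if __name__ == "__main__":
    result = audit_installations(SAMPLE)
    if not result:
        print("No listed app is installed; repeat the Add GitHub App steps.")
    for r in result:
        print(r["app"], r["installation_id"], r["repository_selection"], r["findings"] or "ok")
```

An empty result means none of the listed apps is installed in the organization. A `repository_selection` of `selected` corresponds to the selective choice in step 3 of Add GitHub App.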

Start Scanning and Monitor Results

When you add a new cloud app and then enable scanning, Data Security automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. To start scanning the new GitHub App for risks, go to Data Security > Applications > GitHub > Enable Scanning.
  2. Monitor the scan results.
    During the discovery phase, as Data Security scans files and matches them against enabled policy rules:
    • Verify that the SaaS Security web interface displays assets.
    • Verify that your default policy rules are effective. If the results don’t capture all the risks or you see false positives, proceed to the next step to improve your results.
  3. (Optional) Modify match criteria for existing policy rules.
  4. (Optional) Add new policy rules.
    Consider the business use of your cloud app, then identify risks unique to your enterprise. As necessary, add new:
  5. (Optional) Configure or edit a data pattern.
    You can configure data patterns to identify specific strings of text, characters, words, or patterns, which makes it possible to find all instances of text that match a data pattern you specify.