Onboard GitHub Enterprise for Identity Scans

Table of Contents

Onboard GitHub Enterprise for Identity Scans

Learn how to connect a GitHub Enterprise instance to SSPM for identity account scans.

For visibility into GitHub Enterprise account risks, you must onboard GitHub Enterprise for identity scans. This onboarding process is separate from the onboarding process for GitHub Enterprise configuration scans. Unlike other apps that SSPM supports for identity account scans, the onboarding steps for configuration scans will not enable SSPM to detect account risks. The normal onboarding steps can enable scans that detect MFA issues, but cannot enable the scans that detect issues with GitHub Enterprise accounts.

SSPM gets access to identity information for your GitHub Enterprise instance through a GitHub App (PANW-SSPM-IDENTITY). During onboarding for identity scans, SSPM prompts you to log into your GitLab Enterprise instance as an administrator. After you log in, GitHub Enterprise prompts you to select an organization that you manage. GitHub Enterprise then prompts you to install and grant permissions to the PANW-SSPM-IDENTITY GitHub App. The permissions will enable SSPM to scan member and audit log information to identify account risks.

By following these steps, you can onboard only one organization. If you want SSPM to perform identity scans for multiple organizations, you can onboard each organization separately. When you later view account risks for your GitHub Enterprise instance, the Identity Security dashboard will show information for all of the organizations that you onboarded.

Identify the GitHub Enterprise administrator account for granting SSPM access.
Required Permissions: To grant SSPM the access that it requires, you must log in with an administrator account that has permission to the GitHub organization that SSPM will scan.
After SSPM establishes the connection, it will run scans (Non-Human Identity Scans and Risky Account Scans) to detect issues with accounts for your GitHub Enterprise instance. SSPM will then run these scans at regular intervals. For SSPM to run these scans, the GitHub Enterprise account that you use to establish the initial connection must remain available. For this reason, we recommend that you use a dedicated service account to grant SSPM access. If you delete the service account, or uninstall the the PANW-SSPM-IDENTITY GitHub App, the scans will fail and you will need to onboard GitHub Enterprise for identity scans again.
Sign out of all GitHub Enterprise accounts.

Signing out of all GitHub Enterprise accounts helps ensure that you sign in under the correct account during the onboarding process. Some browsers can automatically sign you in by using saved credentials. To ensure that the browser does not automatically sign you in to the wrong account, you can turn off any automatic sign-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
Connect to your Github Enterprise instance and enable identity scans.
1. Log in to Strata Cloud Manager.
2. Select ConfigurationSaaS SecurityPosture SecurityIdentity and Add Provider.
3. Click the Github Enterprise Identity tile, and Add New instance.
4. Log in with Credentials.
5. Connect.
  
  SSPM redirects you to the Github Enterprise login page.
6. Enter the credentials for the administrator account that you identified earlier, and log in to GitHub Enterprise.
7. Github Enterprise prompts you to select an organization. Select the organization that you want SSPM to scan for account risks.
8. GitHub Enterprise prompts you to install and authorize the PANW-SSPM-IDENTITY GitHub App. Select All Repositories and Install & Authorize.

SaaS Security Docs

Onboard GitHub Enterprise for Identity Scans

SaaS Security Docs

Onboard GitHub Enterprise for Identity Scans

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Visibility & Monitoring

Best Practices

Experts Corner