Introduced in 3.1.1.

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.

GitHub Remote Provider Setup

To setup this remote provider, a GitHub username and OAuth Token (non-expired Personal Access Token with public_repo scope) are required.

Generate Token

The process below covers generating a token if one is not already available.

In GitHub, navigate to the user’s Settings > Developer Settings > Personal Access Token. Click the Generate new token button.
Provide a name, expiration date, and select any appropriate scopes. At a minimum, select a scope of public_repo.
Click the Generate Token button. Copy the Personal Access Token for use when setup GitHub as a new Provider in ThreadFix.

Remote Provider Setup

From the Integrations menu, on the Remote Providers page, select the Create New Remote Provider button. In the Create New Provider modal enter a GitHub username and an OAuth Token and click the Create Provider button to create the provider in ThreadFix.

Once the provider has been created, applications and teams can be mapped, and scans imported. Note the example below.

ThreadFix imports vulnerabilityAlerts from GitHub in batches of 100, each of the vulnerabilityAlerts contains a securityVulnerability and a securityAdvisory object within. This information is used to create findings and dependency data.

Findings

Description: ThreadFix builds the description using the firstPatchedVersion, vulnerableVersionRange, and securityAdvisory description. If there is no firstPatchedVersion ThreadFix will insert the text “No fix” in place of the version. A description will have the following form:
- “Vulnerable versions: <vulnerableVersionRange>
- Patched versions: <firstPatchedVersion>
- Description: <securityAdvisory description>”
Severity Code: This is the severity pulled from the securityVulnerability
CVE: If the securityAdvisory contains a CVE it will be stored here
Native ID: This is a hash of the ghsaId (GitHub Security Advisory ID) and the CVE. Both of these values are found within the securityAdvisory
Vulnerability Code: This will be the summary attribute of the securityAdvisory
Source File Name: This is the vulnerableManifestPath taken from the vulnerabilityAlert
Raw Finding: String version of the whole vulnerabilityAlert

Dependency

Reference: This will be the same as the CVE above
Description: This will be the same as the description above
Component Name: This is the name of the vulnerablePackage found inside of the securityVulnerability
Component File Path: This will be the same as the Source File Name above

Queries

Search Queries

ThreadFix uses GitHub’s search queries to pull its repositories, see below via https://docs.github.com/en/graphql/reference/queries#searchresultitemconnection.

Name	Description
`after` (`String`)	Returns the elements in the list that come after the specified cursor.
`before` (`String`)	Returns the elements in the list that come before the specified cursor.
`first` (`Int`)	Returns the first n elements from the list.
`last` (`Int`)	Returns the last n elements from the list.
`query` (`String!`)	The search string to look for.
`type` (`SearchType!`)	The types of search items to search within.

Repository Queries

ThreadFix uses GitHub’s repository query to pull Dependabot alerts, see below via https://docs.github.com/en/graphql/reference/queries#repository.

Name

Description

followRenames (Boolean)

Follow repository renames. If disabled, a repository referenced by its old name will return an error.

The default value is true.

name (String!)

The name of the repository.

owner (String!)

The login field of a user or organization.

ThreadFix 3.X Documentation

GitHub Dependabot [Beta] Remote Provider (ThreadFix 3.X)