Use an On-Premises Code Scanner to Scan GitHub Enterprise IaCs

You can connect your GitHub repositories to an on-premises code scanner and scan your code for violations. Perform the following tasks to connect your GitHub repositories to an on-premises scanner:

  1. Create an OAuth Application in GitHub Enterprise Server.

  2. Authorize the on-premises code scanner to access GitHub Enterprise Server.

  3. Connect an IaC from GitHub Enterprise Server to a Tenable Cloud Security project.

  1. Sign in to your GitHub Enterprise Server console with an administrator account.

  2. Navigate to User Settings > Developer Settings > OAuth Apps > New Application.

    The Register a new OAuth application page appears.

    Note: The on-premises code scanner requires port 9020 to authorize SCM applications. Ensure you have the correct network configuration in place for port 9020 on the on-premises code scanner machine to allow the SCM authorizer to access on-premises code scanner.

  3. Create a new application by providing the following information:

    • In the Application name box, type a name for the application.

    • In the Homepage URL box, type the Tenable Cloud Security URL.

    • In the Authorization callback URL box, type: http(s)://<on-premise_code_scanner_host_fqdn>.com:9020/v1/auth/oauth/github/callback

        Where:

      • on-premise_code_scanner_host_fqdn is the fully qualified domain name of the on-premises code scanner.

  4. Click Register application.

  5. Note the Client ID and Client Secret displayed after the creation of OAuth Application.

  1. Launch the URL displayed in the output after the on-premises code scanner deployment. For more information, see Deploy an On-Premises Code Scanner.

    The On Premise Scanner Management Console page appears. In the On Premise Scanner Management Console page, you can authorize the on-premises code scanner with different Source Code Management (SCM) providers.

  2. In the Configure servers section, provide the following:

    • In the Repository Server Address box, type the repository server address.

    • In the On-premise code scanner address (use port:9020) box, type the code scanner address.

  3. Click Continue.

    The Configure cloud (Optional) section appears.

  4. (Optional) In the Select cloud provider drop-down box, select one of the following options:

      1. In the AWS Access Key box, type the AWS access key.

      2. In the AWS Secret Key box, type the AWS secret key.

      • Click Upload to upload your service account credentials file.

      1. In the Azure Client ID box, type the Azure client ID.

      2. In the Azure Tenant ID box, type the Azure tenant ID.

      3. In the Azure Subscription ID box, type the Azure subscription ID.

      4. In the Azure Client Secret box, type the Azure client secret.

    5. Note: The on-premises code scanner requires your cloud account details when you enable Plan based setup to scan your repositories. For more information, see Connect Repositories.
  5. Click Continue.

    The Setup authentication section appears.

  6. In the Select repository server drop-down box, select GitHub.
    Tenable Cloud Security displays an information form for GitHub.

  7. Provide the following:

    1. In the Client ID box, type the client ID.

    2. In the Client Secret box, type the client secret.

      Note: For information about how to obtain Client ID and Client Secret, see Create an OAuth Application in GitHub Enterprise Server.

    3. Click Submit.

  8. (Optional) In the Other Settings section, click the Allow on-premise code scanner to send logs to Tenable Cloud Security toggle.

Tenable Cloud Security redirects you to the GitHub Enterprise server to authorize the permissions on the OAuth Application. A message confirms successful authorization and GitHub redirects you to the On-premise code scanner page.

  1. Access Tenable Cloud Security.

  2. In the left navigation bar, click the icon.

  3. Click Connection > Repository.
    The Connect to repository page appears.

  4. In the Choose a workflow to discover repo(s) section, select Version control.
  5. Click Continue.

    The Connect to a version control provider section appears.

  6. In the Connect to a version control provider section, select GitHub and On-Premise Code Scanner.

  7. Click Continue.

    The Choose onboarding repositories section appears.

  8. Select the required repository.

  9. Hover over the selected repository and click to configure the advanced settings.

    For more information, see Repository Configuration Parameters.

  10. Click Continue.

    The Choose projects to add the repository to section appears.

  11. Select the project that you want to connect to the repository.

  12. Click Connect.

    A message confirms that Tenable Cloud Security connected the GitHub IaC repository to the selected project.