Objective
This article details how you can configure Contrast to automatically create new Issues in your GitHub repository when new vulnerabilities are detected in a Contrast application.
Prerequisites
1. A GitHub repository that is owned by an Organization Account; at this time, Contrast cannot be configured to create issues in a repository owned by a GitHub User Account. See https://docs.github.com/en/github/getting-started-with-github/types-of-github-accounts for a description of the different types of GitHub accounts available.
2. The Personal Access Token of a member of the Organization.
- This Personal Access Token must be configured with the "repo" scope.
- The Organization member does not have to belong to an Organization Team; membership in a Team is fine as well, so long as the necessary repository access is set up for the Organization member (see the next prerequisite for details).
3. The Organization member whose Personal Access Token is used for this Contrast integration must have "write" access to the GitHub repository in which Contrast will create the GitHub Issues.
4. This integration only works for Contrast applications that have an Assess license.
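The first three prerequisites can be verified against the GitHub API before you touch the Contrast UI, which saves a round of failed "Test Connection" attempts. The following script is an added example and is not part of this article or of Contrast; it assumes the same API URL that is entered in the URL field, a classic Personal Access Token supplied in the GITHUB_TOKEN environment variable, and a repository given as owner/name in GITHUB_REPO. It reads the X-OAuth-Scopes response header that GitHub returns for classic tokens to confirm the "repo" scope, and the owner type and permissions object from the repository endpoint to confirm Organization ownership and write (push) access. When no token is set it evaluates a constructed sample response instead, so the logic can be run offline.

```python
"""Pre-flight check for the GitHub prerequisites above (added example, not Contrast code)."""
import json
import os
import urllib.request

# Same value that goes in the Contrast "URL" field; assumed to be github.com here.
API_URL = "https://api.github.com"


def token_has_repo_scope(scopes_header):
    """True if the classic PAT's X-OAuth-Scopes header grants the 'repo' scope."""
    if scopes_header is None:
        return False
    scopes = {s.strip() for s in scopes_header.split(",") if s.strip()}
    return "repo" in scopes


def check_repository(repo_json):
    """Evaluate the repository prerequisites from a GET /repos/{owner}/{repo} body.

    'push' is how the GitHub API reports 'write' access for the token's user.
    """
    owner = repo_json.get("owner", {})
    perms = repo_json.get("permissions", {})
    return {
        "owned_by_organization": owner.get("type") == "Organization",
        "member_has_write_access": bool(perms.get("push")),
    }


def preflight(scopes_header, repo_json):
    """Combine both checks; returns (ok, list of human-readable failures)."""
    failures = []
    if not token_has_repo_scope(scopes_header):
        failures.append("personal access token lacks the 'repo' scope")
    for name, ok in check_repository(repo_json).items():
        if not ok:
            failures.append("prerequisite not met: " + name.replace("_", " "))
    return (not failures, failures)


def fetch(path, token):
    """GET an API endpoint with the PAT; returns (response headers, parsed JSON)."""
    req = urllib.request.Request(
        API_URL + path,
        headers={
            "Authorization": "token " + token,
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers, json.load(resp)


# Constructed sample of the two responses, used when no token is configured.
SAMPLE_SCOPES_HEADER = "repo, read:org"
SAMPLE_REPO_JSON = {
    "owner": {"login": "example-org", "type": "Organization"},
    "permissions": {"admin": False, "push": True, "pull": True},
}


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        owner, repo = os.environ["GITHUB_REPO"].split("/", 1)
        user_headers, _ = fetch("/user", token)
        _, repo_json = fetch("/repos/%s/%s" % (owner, repo), token)
        scopes_header = user_headers.get("X-OAuth-Scopes")
    else:
        scopes_header, repo_json = SAMPLE_SCOPES_HEADER, SAMPLE_REPO_JSON
    ok, failures = preflight(scopes_header, repo_json)
    print("OK: prerequisites satisfied" if ok else "FAILED: " + "; ".join(failures))
```

The checks are split from the network calls so the decision logic can be exercised with captured or constructed responses; fine-grained (non-classic) tokens do not return the X-OAuth-Scopes header, so for those the scope check would need a different approach.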
Process
1. In the Contrast UI, go to the upper right-hand corner and click on your username. From the menu that appears, choose Organization Settings -> Integrations.
2. Click the "Connect" button in the "GitHub" row.
3. In the Connect with GitHub form:
- For Name, enter any name you want to give this integration.
- For URL, enter the GitHub API URL that can be used to access your GitHub repository (e.g. https://api.github.com). The GitHub API URL must be reachable from the Contrast server.
- For Username, enter the username of the Organization member whose Personal Access Token you will use for this integration.
- For Personal Access Token, enter that Organization member's Personal Access Token, which is managed in GitHub under the member's Settings (under "Developer Settings").
4. Once you complete the fields, click the button to "Test Connection". This process may take a few moments depending on the number of your GitHub organizations and repositories. The test verifies that the GitHub instance can be reached by Contrast and that the specified user is able to log in.
5. Once a connection is made, select the "Applications" from which you want to create GitHub Issues. As mentioned in the Prerequisites earlier in this article, this integration only works for Contrast applications with an Assess license.
6. Select the "GitHub Organization" that owns the repository in which you want Contrast to create issues, and then the actual Repository that you want to use.
7. Check the box "Automatically create tickets for new vulnerabilities discovered" if you want Contrast to create GitHub issues automatically as new vulnerabilities are detected in the selected Contrast applications. When you check this box, you can choose which vulnerability severities result in new issues being created in GitHub. The default is vulnerabilities rated Critical and High.
Optionally, you can set:
- Repository Labels
- Assignees
- Milestone
NOTE:
If you change the GitHub organization or Repository values, you must re-enter the values for the optional fields.