Dynatrace integration with GitHub Advanced Security (GHAS) enables users to unify and contextualize vulnerability findings across DevSecOps tools and products, facilitating centralized prioritization, visualization, and automation of security findings.
GitHub Advanced Security includes Code Security and Secret Protection which generate vulnerability findings for development artifacts, such as code and containers. Dynatrace observes the runtime entities associated with those artifacts. Ingesting and enriching vulnerability findings helps users focus on high-impact risks affecting production applications.
The first version of this integration ingests and contextualizes Dependabot alerts, which are free for public repositories and part of the Code Security premium offering.
The Dynatrace GHAS integration is an extension deployed in a Dynatrace ActiveGate that periodically collects security findings and audit logs using the GitHub REST API.
Security findings are ingested into the Dynatrace platform via a dedicated OpenPipeline security ingest endpoint.
The OpenPipeline ingest endpoint processes and maps the security findings according to the Semantic Dictionary conventions.
These are stored in a bucket called default_securityevents
(for details, see: Built-in Grail buckets).
Optionally, the collected audit logs are ingested via a dedicated extensions log ingest pipeline and stored in the appropriate semantic format.
See below for the GitHub and Dynatrace requirements.
For the extension to collect security data, authentication credentials with proper permissions are required. You have two options, described below.
recommended
The GitHub app-based authentication
Allows granular permission control
Can collect organization level audit logs
Has higher API rate limits
To register and install a GitHub app, follow the steps below.
DynatraceAppSec-<Your Company>
, making sure to replace <Your Company>
with your own value.https://dynatrace.com
.Read-only
Read-only
Read-only
Any account
(allows you to install the app in multiple organizations and even user account, which will simplify your monitoring configurations)Only this account
(the app is installed in the current account; this means you'll need multiple apps and monitoring configurations to cover multiple organizations under an enterprise)Select the General tab and go to the newly registered app settings.
Copy the client ID (you'll need it when setting up the monitoring configuration).
Under Private keys, generate a private key (you'll need it when setting up the monitoring configuration)
The private key allows authenticated requests from the extension; make sure to secure it.
Install the GitHub app on any accounts (users or organizations) you want to monitor.
ActiveGate version 1.310+ that needs to be able to
Permissions:
storage:security.events:read
.Generate an access token with the openpipeline.events_security
scope and save it for later. For details, see Dynatrace API - Tokens and authentication.
In Dynatrace, search for GitHub Advanced Security and select Install.
Follow the on-screen instructions to configure the extension.
Verify configuration by running the following queries in Notebooks:
For audit logs:
fetch logs| filter log.source=="GitHub Advanced Security"
For finding events:
fetch security.events| filter dt.system.bucket == "default_securityevents"| filter event.provider=="GitHub Advanced Security"AND event.type=="VULNERABILITY_FINDING"
For scan events:
fetch security.events| filter dt.system.bucket == "default_securityevents"| filter event.provider=="GitHub Advanced Security"AND event.type=="VULNERABILITY_SCAN"
Once the extension is installed and working, you can access and manage it in Dynatrace via the Extensions app. For details, see About Extensions.
With the ingested data, you can accomplish various use cases, such as
Vulnerability finding events store the individual vulnerability findings reported by various GHAS products per affected artifacts and component.
Vulnerability scan events indicate coverage of scans for individual artifacts.
Audit logs represent the user activity logs in the GHAS products.
If the extension is configured to ingest data at an interval of n
hours, then whenever the extension runs all Dependabot alerts updated in the last n
hours will be ingested.
On the first ingest, we consider alerts updated in the last m
hours, where m
is the first ingest interval configured in the monitoring configuration.
If no scans occurred, no findings will be ingested, even if the project has open issues. Consult the GitHub Docs to see when a scan will occur.
The github
namespace is added for extracting several GHAS-specific attributes for user convenience on top of the original issue JSON, which is stored in the event.original_content
field.
Examples:
github.dependency.relationship
github.dependency.scope
github.epss.percentage
github.epss.percentile
github.ecosystem
CODE_ARTIFACT
: All the findings from GitHub Advanced Security products coming from the assessment of code artifacts are mapped set with CODE_ARTIFACT
value in the object.type
field, and the artifact
and component
namespaces are added with the corresponding fields:
artifact.repository.name
represents the repository name which hosts the artifact.
artifact.path
is the full path of the file representing the code artifact.
component.name
represents the name of the vulnerable library within a code artifact.
component.version
includes the version of the vulnerable component.
GitHub only provides limit values and not the exact version, for example, <1.4
. This limits the possibility of matching runtime components, as the version isn't matched in this case.
The Dynatrace risk levels and scores are mapped from the original GHAS severity and score.
dt.security.risk.level
- is taken from the GHAS severity level and mapped from the original values in finding.severity
.
dt.security.risk.score
- is taken from the GHAS severity level and mapped to static scores. The CVSS score reported by GHAS is available in finding.score
; however, this may not always match the reported severity.
dt.security.risk.level
(mapped from finding.severity
)dt.security.risk.score
(mapped from dt.security.risk.level
)