• August 3, 2021
  • Adam Dudley

GitHub Connector for Code Scanning

We’re excited to be rolling out a new connector for the GitHub Advanced Security suite of products across both the SaaS and Enterprise platforms. GitHub Advanced Security provides a suite of application security tools for identifying and managing code scanning, secrets scanning and dependency review directly in GitHub itself.

Beginning in this beta release, you will now be able to ingest CodeQL analyses from GitHub Code Scanning for public and private repositories that are linked to an organization in GitHub.com. The connector uses GitHub Apps to provide access to the repositories in your GitHub organization, making it easy to set up and manage access to your data ongoing.

To get started, add a new connector, fill out your GitHub organization name, and hit Install App. Follow the steps to create and install a Nucleus app in your organization, and then head over to the Import via Connector page to begin ingesting vulnerabilities.

Setup Github

You can ingest CodeQL analyses from Github by repository, team (all repositories that belong to a team), or all, where all results from all available repositories are ingested. These ingestion methods can be conducted on a one-off, or on an hourly schedule.

Import Scans - GitHub

We know how useful it is to you to have all of the metadata from the tools we connect to, and so source code repositories that have been ingested from GitHub come with the full suite of additional metadata too! Among other attributes, this connector includes teams metadata so you can create fine-grained automation rules to save tons of time and manual effort.

Additional Metadata

Are you using Code Scanning to ingest SARIF scan results from other tools? If so, we’d love to know so that we can add support for them in Nucleus too. Get in touch with us at support@nucleussec.com to let us know what you would like to see support for!

In future releases we will be adding support for GitHub Enterprise edition, enabling webhook support for instant ingestion of scans and updating of statuses, migrating our existing Dependabot connector to this new connector, and building support for ingestion of secrets scanning results. Be sure to stay tuned for future updates!