This repository has been archived by the owner on Jul 18, 2024. It is now read-only.

INT-9372 - change secretScanningAlerts to be Finding (#278)
Co-authored-by: Ronald Arias <[email protected]>
RonaldEAM and RonaldEAM authored Oct 25, 2023
1 parent f88a932 commit b6458d8
Showing 5 changed files with 70 additions and 61 deletions.
110 changes: 57 additions & 53 deletions docs/jupiterone.md
Expand Up @@ -32,6 +32,10 @@ execution_. This is an accumulative process resulting in existing `issues` and
`pull requests` which have been ingested, but are not changing, remain in the
graph.

### **Note on `secret scanning findings`:**

Secret scanning findings are by default assigned a critical severity

## Requirements

- JupiterOne requires the JupiterOne GitHub app with read-only permissions be
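Review bot: the added note ("Secret scanning findings are by default assigned a critical severity") is missing its closing period and is imprecise: the converter in src/sync/converters.ts sets `severity: 'CRITICAL'` and `numericSeverity: 10` unconditionally, for every alert including ones whose `state` is `resolved`, so "by default" suggests a configurable default that does not exist. Suggest: "Secret scanning findings are always assigned `severity: CRITICAL` (`numericSeverity: 10`), regardless of their state or resolution." The same section should also mention that the secret scanning ingestion source is now `defaultsToDisabled: true` (see the src/config.ts hunk), since a reader of this page would otherwise expect the findings to appear without enabling anything.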
Expand Down Expand Up @@ -151,64 +155,64 @@ https://github.com/JupiterOne/sdk/blob/main/docs/integrations/development.md

The following entities are created:

| Resources | Entity `_type` | Entity `_class` |
| ----------------------------- | ------------------------------- | --------------- |
| Account | `github_account` | `Account` |
| GitHub Code Scanning Alerts | `github_code_scanning_finding` | `Finding` |
| GitHub Env Secret | `github_env_secret` | `Secret` |
| GitHub Secret Scanning Alert | `github_secret_scanning_alert` | `Alert` |
| GitHub Vulnerability Alert | `github_finding` | `Finding` |
| Github App | `github_app` | `Application` |
| Github Branch Protection Rule | `github_branch_protection_rule` | `Rule` |
| Github Environment | `github_environment` | `Configuration` |
| Github Issue | `github_issue` | `Issue` |
| Github Org Secret | `github_org_secret` | `Secret` |
| Github Pull Request | `github_pullrequest` | `PR` |
| Github Repo | `github_repo` | `CodeRepo` |
| Github Repo Secret | `github_repo_secret` | `Secret` |
| Github Team | `github_team` | `UserGroup` |
| Github User | `github_user` | `User` |
| Resources | Entity `_type` | Entity `_class` |
| ----------------------------- | -------------------------------- | --------------- |
| Account | `github_account` | `Account` |
| GitHub Code Scanning Alerts | `github_code_scanning_finding` | `Finding` |
| GitHub Env Secret | `github_env_secret` | `Secret` |
| GitHub Secret Scanning Alert | `github_secret_scanning_finding` | `Finding` |
| GitHub Vulnerability Alert | `github_finding` | `Finding` |
| Github App | `github_app` | `Application` |
| Github Branch Protection Rule | `github_branch_protection_rule` | `Rule` |
| Github Environment | `github_environment` | `Configuration` |
| Github Issue | `github_issue` | `Issue` |
| Github Org Secret | `github_org_secret` | `Secret` |
| Github Pull Request | `github_pullrequest` | `PR` |
| Github Repo | `github_repo` | `CodeRepo` |
| Github Repo Secret | `github_repo_secret` | `Secret` |
| Github Team | `github_team` | `UserGroup` |
| Github User | `github_user` | `User` |

### Relationships

The following relationships are created:

| Source Entity `_type` | Relationship `_class` | Target Entity `_type` |
| --------------------- | --------------------- | ------------------------------- |
| `github_account` | **INSTALLED** | `github_app` |
| `github_account` | **HAS** | `github_org_secret` |
| `github_account` | **OWNS** | `github_repo` |
| `github_account` | **HAS** | `github_team` |
| `github_account` | **HAS** | `github_user` |
| `github_app` | **OVERRIDES** | `github_branch_protection_rule` |
| `github_env_secret` | **OVERRIDES** | `github_org_secret` |
| `github_env_secret` | **OVERRIDES** | `github_repo_secret` |
| `github_environment` | **HAS** | `github_env_secret` |
| `github_pullrequest` | **CONTAINS** | `github_pullrequest` |
| `github_repo` | **HAS** | `github_branch_protection_rule` |
| `github_repo` | **HAS** | `github_code_scanning_finding` |
| `github_repo` | **USES** | `github_env_secret` |
| `github_repo` | **HAS** | `github_environment` |
| `github_repo` | **HAS** | `github_finding` |
| `github_repo` | **HAS** | `github_issue` |
| `github_repo` | **USES** | `github_org_secret` |
| `github_repo` | **HAS** | `github_pullrequest` |
| `github_repo` | **HAS** | `github_repo_secret` |
| `github_repo` | **USES** | `github_repo_secret` |
| `github_repo` | **HAS** | `github_secret_scanning_alert` |
| `github_repo` | **ALLOWS** | `github_team` |
| `github_repo` | **ALLOWS** | `github_user` |
| `github_repo_secret` | **OVERRIDES** | `github_org_secret` |
| `github_team` | **OVERRIDES** | `github_branch_protection_rule` |
| `github_team` | **HAS** | `github_user` |
| `github_user` | **MANAGES** | `github_account` |
| `github_user` | **OVERRIDES** | `github_branch_protection_rule` |
| `github_user` | **ASSIGNED** | `github_issue` |
| `github_user` | **CREATED** | `github_issue` |
| `github_user` | **APPROVED** | `github_pullrequest` |
| `github_user` | **OPENED** | `github_pullrequest` |
| `github_user` | **REVIEWED** | `github_pullrequest` |
| `github_user` | **MANAGES** | `github_team` |
| Source Entity `_type` | Relationship `_class` | Target Entity `_type` |
| --------------------- | --------------------- | -------------------------------- |
| `github_account` | **INSTALLED** | `github_app` |
| `github_account` | **HAS** | `github_org_secret` |
| `github_account` | **OWNS** | `github_repo` |
| `github_account` | **HAS** | `github_team` |
| `github_account` | **HAS** | `github_user` |
| `github_app` | **OVERRIDES** | `github_branch_protection_rule` |
| `github_env_secret` | **OVERRIDES** | `github_org_secret` |
| `github_env_secret` | **OVERRIDES** | `github_repo_secret` |
| `github_environment` | **HAS** | `github_env_secret` |
| `github_pullrequest` | **CONTAINS** | `github_pullrequest` |
| `github_repo` | **HAS** | `github_branch_protection_rule` |
| `github_repo` | **HAS** | `github_code_scanning_finding` |
| `github_repo` | **USES** | `github_env_secret` |
| `github_repo` | **HAS** | `github_environment` |
| `github_repo` | **HAS** | `github_finding` |
| `github_repo` | **HAS** | `github_issue` |
| `github_repo` | **USES** | `github_org_secret` |
| `github_repo` | **HAS** | `github_pullrequest` |
| `github_repo` | **HAS** | `github_repo_secret` |
| `github_repo` | **USES** | `github_repo_secret` |
| `github_repo` | **HAS** | `github_secret_scanning_finding` |
| `github_repo` | **ALLOWS** | `github_team` |
| `github_repo` | **ALLOWS** | `github_user` |
| `github_repo_secret` | **OVERRIDES** | `github_org_secret` |
| `github_team` | **OVERRIDES** | `github_branch_protection_rule` |
| `github_team` | **HAS** | `github_user` |
| `github_user` | **MANAGES** | `github_account` |
| `github_user` | **OVERRIDES** | `github_branch_protection_rule` |
| `github_user` | **ASSIGNED** | `github_issue` |
| `github_user` | **CREATED** | `github_issue` |
| `github_user` | **APPROVED** | `github_pullrequest` |
| `github_user` | **OPENED** | `github_pullrequest` |
| `github_user` | **REVIEWED** | `github_pullrequest` |
| `github_user` | **MANAGES** | `github_team` |

### Mapped Relationships

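Review bot: changing `_class` from `Alert` to `Finding` and `_type` from `github_secret_scanning_alert` to `github_secret_scanning_finding` is a breaking change for any saved query, alert rule or dashboard that targets the old `_type` or `_class`; neither the commit message nor this docs page calls that out. Suggest a short migration note here (or in a changelog) stating the old and new names side by side so operators can update their queries.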
1 change: 1 addition & 0 deletions src/config.ts
Expand Up @@ -286,5 +286,6 @@ export const ingestionConfig: IntegrationIngestionConfigFieldMap = {
title: 'GitHub Secret Scanning Alerts',
description:
'Alerts for potential leaks of known secrets in public repositories',
defaultsToDisabled: true,
},
};
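Review bot: `defaultsToDisabled: true` is a behaviour change that is not mentioned in the commit title ("change secretScanningAlerts to be Finding") or anywhere in the docs hunk; an operator upgrading will silently stop receiving these findings unless they enable the source. Suggest stating the new default in the commit message and in docs/jupiterone.md next to the severity note.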
10 changes: 5 additions & 5 deletions src/constants.ts
Expand Up @@ -384,8 +384,8 @@ export const GithubEntities: Record<
},
GITHUB_SECRET_SCANNING_ALERT: {
resourceName: 'GitHub Secret Scanning Alert',
_type: 'github_secret_scanning_alert',
_class: ['Alert'],
_type: 'github_secret_scanning_finding',
_class: ['Finding'],
},
CVE: {
resourceName: 'CVE',
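Review bot: the record key `GITHUB_SECRET_SCANNING_ALERT` and `resourceName: 'GitHub Secret Scanning Alert'` are left unchanged while `_type` and `_class` move to "finding", so the next reader meets `GithubEntities.GITHUB_SECRET_SCANNING_ALERT._type === 'github_secret_scanning_finding'`. Either rename the key to `GITHUB_SECRET_SCANNING_FINDING` (updating its uses in the `REPO_HAS_SECRET_SCANNING_FINDING` relationship and in src/steps/secretScanningAlerts.ts) or add a comment explaining that the key follows GitHub's API term while `_type`/`_class` follow the JupiterOne data model.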
Expand Down Expand Up @@ -455,7 +455,7 @@ export const Relationships: Record<
| 'REPO_USES_ORG_SECRET'
| 'ACCOUNT_HAS_ORG_SECRET'
| 'REPO_USES_ORG_SECRET'
| 'REPO_HAS_SECRET_SCANNING_ALERT',
| 'REPO_HAS_SECRET_SCANNING_FINDING',
StepRelationshipMetadata
> = {
TEAM_HAS_USER: {
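Review bot: `'REPO_USES_ORG_SECRET'` appears twice in this union type (two lines above the renamed member). TypeScript accepts duplicate union members, but it is pre-existing noise worth removing while this list is being edited.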
Expand Down Expand Up @@ -663,8 +663,8 @@ export const Relationships: Record<
_class: RelationshipClass.USES,
targetType: GithubEntities.GITHUB_ORG_SECRET._type,
},
REPO_HAS_SECRET_SCANNING_ALERT: {
_type: 'github_repo_has_secret_scanning_alert',
REPO_HAS_SECRET_SCANNING_FINDING: {
_type: 'github_repo_has_secret_scanning_finding',
sourceType: GithubEntities.GITHUB_REPO._type,
_class: RelationshipClass.HAS,
targetType: GithubEntities.GITHUB_SECRET_SCANNING_ALERT._type,
4 changes: 2 additions & 2 deletions src/steps/secretScanningAlerts.ts
Expand Up @@ -53,9 +53,9 @@ export async function fetchSecretScanningAlerts({
export const secretScanningAlertsSteps: IntegrationStep<IntegrationConfig>[] = [
{
id: Steps.FETCH_SECRET_SCANNING_ALERTS,
name: 'Fetch Secret Scanning Alerts',
name: 'Fetch Secret Scanning Findings',
entities: [GithubEntities.GITHUB_SECRET_SCANNING_ALERT],
relationships: [Relationships.REPO_HAS_SECRET_SCANNING_ALERT],
relationships: [Relationships.REPO_HAS_SECRET_SCANNING_FINDING],
dependsOn: [Steps.FETCH_REPOS],
ingestionSourceId: IngestionSources.SECRET_SCANNING_ALERTS,
executionHandler: fetchSecretScanningAlerts,
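Review bot: the user-facing step name becomes "Fetch Secret Scanning Findings" while the ingestion source `title` in src/config.ts still reads "GitHub Secret Scanning Alerts" and its `description` still says "Alerts for potential leaks"; pick one term so the step list and the ingestion-source toggle refer to the same thing. Keeping `Steps.FETCH_SECRET_SCANNING_ALERTS` and `IngestionSources.SECRET_SCANNING_ALERTS` unchanged is correct, since those ids are stable identifiers rather than labels.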
6 changes: 5 additions & 1 deletion src/sync/converters.ts
Expand Up @@ -192,7 +192,7 @@ export function createCodeScanningFindingEntity(
}

export function getSecretScanningAlertKey(id: string) {
return `github_secret_scanning_alert:${id}`;
return `github_secret_scanning_finding:${id}`;
}

export function createSecretScanningAlertEntity(
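Review bot: changing the `_key` prefix from `github_secret_scanning_alert:` to `github_secret_scanning_finding:` means every previously ingested secret scanning entity receives a new `_key` on the next run, so the old entities are deleted and re-created rather than updated in place. That is acceptable for a rename, but the commit message should say so, since operators will see the old entities disappear and any history attached to them reset.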
Expand All @@ -207,9 +207,13 @@ export function createSecretScanningAlertEntity(
_key: getSecretScanningAlertKey(String(data.number)),
displayName: data.secret_type_display_name,
name: data.secret_type_display_name,
severity: 'CRITICAL',
numericSeverity: 10,
category: 'application',
number: data.number,
url: data.html_url,
state: data.state,
open: data.state === 'open',
resolution: data.resolution,
secretType: data.secret_type,
secretTypeDisplayName: data.secret_type_display_name,
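Review bot: `severity: 'CRITICAL'` and `numericSeverity: 10` are assigned unconditionally, so an alert whose `state` is `resolved` (the converter already derives `open: data.state === 'open'` and copies `resolution`) still becomes a critical finding, just a closed one. If that is intentional, add a comment saying so next to these lines; otherwise consider deriving the severity from `open` and `resolution` so resolved or false-positive alerts do not inflate critical-finding counts.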