- Ensure the requirements are satisfied on the Linux system, especially Docker support and HTTPS inbound/outbound connectivity
- Download / clone the ThreatWorx GitHub App repository
git clone https://github.com/threatworx/github_app.git
- Run the setup.sh script to create self-signed certificates
cd github_app
./setup.sh
If you have your own SSL certificates, copy them to the config directory and edit uwsgi.ini to point the https option at your certificate and key
[uwsgi]
...
https = =0,/opt/tw_github_app/config/my.cert,/opt/tw_github_app/config/my.key,...
...
- Start the app service by running the docker compose or the docker-compose command
docker compose up -d
- Point a browser to https://linux-system to configure the app service
The browser will complain about the self-signed certificate if you are using one
Please be sure to replace it with an appropriate SSL certificate before exposing the service to GitHub
- Provide required details of your ThreatWorx subscription on the form
- Select the required options for the app service and click Configure
These options can be changed later by editing the ./config/config.ini file
- On the next page provide the name of the GitHub organization where this app will be deployed and click Deploy
If you are signed in to your enterprise GitHub account, the app will be available for installation in your GitHub organization
- Follow the instructions here to install the app for the appropriate GitHub organizations
If you are using self-signed certificates, make sure SSL verification is disabled for the app's webhook. With verification disabled GitHub has no way to check that it is delivering to the genuine endpoint, so treat this as a temporary setting and re-enable verification once a certificate that GitHub can validate is in place
- Once the app is installed for an organization, select the repositories that should be scanned
The app will initially do a complete dependency vulnerability scan of all selected repositories
After that, any commit will trigger a rescan of the committed change
If the PR workflow is enabled, each PR will be scanned and any new vulnerabilities or code issues will be posted as PR comments
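Before editing uwsgi.ini to use your own certificate (the step that follows setup.sh above) and before deciding whether webhook SSL verification has to be disabled, it is worth checking the certificate and key you intend to deploy. The script below is an added example, not code from the ThreatWorx github_app repository: it assumes the openssl command-line tool is installed, generates a throwaway self-signed pair of the same kind setup.sh produces (constructed here only so the script runs offline), and then checks that the key matches the certificate, whether the certificate is self-signed, and whether it chains to the system trust store. The file names my.cert and my.key are taken from the uwsgi.ini fragment above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the ThreatWorx github_app project): sanity-check a
# certificate/key pair before referencing it from uwsgi.ini.
# Requires the openssl CLI.
set -eu

# Generate a throwaway self-signed pair in the given directory. This stands in
# for the files setup.sh creates; replace with your own cert/key when checking
# a real deployment.
make_selfsigned() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=linux-system" \
    -keyout "$dir/my.key" -out "$dir/my.cert" >/dev/null 2>&1
}

# Returns 0 when the private key's public half equals the certificate's public
# key, i.e. uwsgi will actually be able to use the pair.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when issuer equals subject, i.e. the certificate is self-signed.
# GitHub cannot verify such a certificate, which is why the webhook step above
# says to disable SSL verification for it.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Returns 0 when the certificate verifies against the local system trust store.
# A cert that passes here is the kind to use so webhook verification can stay on.
chains_to_system_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# Human-readable summary for a given cert and key path.
report() {
  cert="$1"; key="$2"
  if key_matches_cert "$cert" "$key"; then echo "key matches cert: yes"; else echo "key matches cert: NO"; fi
  if is_self_signed "$cert"; then echo "self-signed: yes (webhook SSL verification must be off)"; else echo "self-signed: no"; fi
  if chains_to_system_store "$cert"; then echo "chains to system store: yes"; else echo "chains to system store: no"; fi
}

# Usage: ./check_cert.sh /opt/tw_github_app/config/my.cert /opt/tw_github_app/config/my.key
if [ "$#" -eq 2 ]; then
  report "$1" "$2"
fi
```

Run it against the files you plan to reference from uwsgi.ini; a self-signed result means GitHub will reject the webhook endpoint unless verification is disabled, and a key mismatch means uwsgi will fail to start its HTTPS listener.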