What is it?
Our GitHub integration enables development teams to resolve vulnerability issues quickly and confidently - with highly relevant and bite-sized secure coding learning within GitHub.
Why did we build this?
To help developers resolve vulnerabilities faster and learn secure coding continuously.
By bringing the relevant content to you when and where you need it, the integration becomes part of the solution and helps you stay in your workflow, rather than just scanning the code and reporting problems without any help to solve them.
Ultimately, by learning continuously, you build skills to write secure code from the start - reducing vulnerabilities in the codebase.
How does it work?
When vulnerability information is found in issues, pull requests or comments, the integration uses SCW's Direct Linking API to fetch the most relevant learning content from the SCW learning platform and posts it to GitHub as a comment on that issue or pull request.
The relevance of the content is determined by the Common Weakness Enumeration (CWE) or Open Web Application Security Project (OWASP) references found in the issue or pull request title, body, labels, and comments. When no such references are found, the integration falls back to searching for common vulnerability names and phrases such as "SQL injection", "XSS" and so on.
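As an added illustration of the matching described above (example code written for this page, not SCW's own implementation and not the Direct Linking API), the following Python scans the fields of a constructed pull request and issue for CWE and OWASP Top 10 references, and only falls back to a keyword list when none are present. The phrase-to-CWE mapping and the sample issue and pull request text are assumptions made for the example.

```python
import re

# Explicit references to key on: "CWE-89", "cwe-079", and OWASP Top 10
# categories written as "A03:2021" or "OWASP A1:2017".
CWE_RE = re.compile(r"\bCWE-(\d{1,5})\b", re.IGNORECASE)
OWASP_RE = re.compile(r"\b(?:OWASP\s+)?A(\d{1,2}):(20\d{2})\b", re.IGNORECASE)

# Fallback vocabulary for text with no explicit reference. This phrase-to-CWE
# mapping is an assumption of the example, not the integration's own table.
KEYWORDS = {
    "sql injection": "CWE-89",
    "sqli": "CWE-89",
    "cross-site scripting": "CWE-79",
    "xss": "CWE-79",
    "path traversal": "CWE-22",
    "directory traversal": "CWE-22",
    "command injection": "CWE-78",
    "csrf": "CWE-352",
    "ssrf": "CWE-918",
    "xxe": "CWE-611",
}


def collect_text(item):
    """Join the fields the integration scans: title, body, labels, comments."""
    parts = [item.get("title", ""), item.get("body", "")]
    parts.extend(item.get("labels", []))
    parts.extend(item.get("comments", []))
    return "\n".join(parts)


def find_references(text):
    """Normalised, de-duplicated CWE and OWASP references found in text."""
    cwes = {"CWE-%d" % int(n) for n in CWE_RE.findall(text)}
    owasp = {"A%02d:%s" % (int(n), year) for n, year in OWASP_RE.findall(text)}
    return sorted(cwes, key=lambda c: int(c[4:])), sorted(owasp)


def find_keywords(text):
    """Vulnerability names in text, matched as whole words, case-insensitively."""
    lowered = text.lower()
    hits = []
    for phrase, cwe in KEYWORDS.items():
        if re.search(r"(?<![a-z0-9])%s(?![a-z0-9])" % re.escape(phrase), lowered):
            hits.append((phrase, cwe))
    return hits


def match_learning_content(item):
    """Decide which CWE(s) to look up for an issue or pull request.

    Explicit references win; the keyword search only runs when none exist,
    mirroring the fallback order described on the page. The scanned text is
    not kept beyond this function; only the matched identifiers are returned.
    """
    text = collect_text(item)
    cwes, owasp = find_references(text)
    if cwes or owasp:
        return {"source": "reference", "cwe": cwes, "owasp": owasp, "keywords": []}
    hits = find_keywords(text)
    if not hits:
        return {"source": "none", "cwe": [], "owasp": [], "keywords": []}
    return {
        "source": "keyword",
        "cwe": sorted({c for _, c in hits}, key=lambda c: int(c[4:])),
        "owasp": [],
        "keywords": sorted(p for p, _ in hits),
    }


# Constructed sample inputs (hypothetical PR and issue text, not a real project).
SAMPLE_PR = {
    "title": "Fix CWE-89 in user search endpoint",
    "body": "Parameterises the query built in search.py (see OWASP A03:2021 Injection).",
    "labels": ["security", "bug"],
    "comments": [
        "Also noticed the template renders user input unescaped; possible XSS.",
        "LGTM after the SQL injection fix.",
    ],
}
SAMPLE_ISSUE = {
    "title": "Reflected XSS on the login error page",
    "body": "Error message echoes the username parameter back without escaping.",
    "labels": ["security"],
    "comments": ["Same pattern as the old sql injection bug in search."],
}

if __name__ == "__main__":
    for item in (SAMPLE_PR, SAMPLE_ISSUE):
        print(item["title"], "->", match_learning_content(item))
```

Two points worth noticing when running it. First, because explicit references take precedence, the "XSS" mentioned in a comment on SAMPLE_PR is never surfaced: the pull request already carries CWE-89 and A03:2021, so the keyword pass does not run. Second, the matching is purely textual, so a title such as "Not related to CWE-89" would still pull in CWE-89 content; expect some false positives from any reference-based approach and treat the posted learning content as a suggestion, not a finding.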
SCW content in pull request comments
SCW content in the issue comments
Installation and configuration
The integration is installed from the GitHub Marketplace.
More documentation on configuration can be found in the Configuration Guide linked below.
What data is sent and stored by the integration?
What is sent to SCW and collected?
- Generic usage stats (opens, clicks) with source information (repository name and owner)
- Matched vulnerability information, without source information
What is sent to SCW but not collected?
- Issue and pull request titles, bodies, comments, labels and annotations are sent to SCW to identify the learning resources, and are discarded once they have been scanned for vulnerability references
- Overview: https://www.securecodewarrior.com/products/scw-for-github
- GitHub Marketplace: https://github.com/marketplace/secure-code-warrior-for-github
- Configuration Guide: https://help.securecodewarrior.com/hc/en-us/articles/900001737346-Secure-Code-Warrior-for-Github-Issues-Configuration-Guide
- Blog post: Stop disrupting my workflow! How you can get the right security training at the right time