Scan a repository on a GitHub Enterprise server

You can run static analysis directly on a GitHub Enterprise repository using an AppScan Presence.

AppScan Presence includes optional support for running static analysis on GitHub repositories from a GitHub Enterprise server using a GitHub App. The GitHub server doesn’t have to be publicly accessible; however, the AppScan user must have network access to the GitHub server and permission to access the repositories in GitHub.

Before configuring the scan, set up the AppScan Presence and install and configure a GitHub App.

  1. Use the Create scan wizard to configure your scan. Select Applications > <Application> > Create scan > SAST Static Analysis: Create scan > Scan a GitHub repository.
  2. At the GitHub connection tab, click the GitHub Enterprise checkbox.
  3. Select the appropriate enabled AppScan Presence from the drop-down list.
  4. Click Connect with GitHub to log in to GitHub.

    Once authorized, available repositories are listed on the Repositories tab. Authorization is required only once.

  5. At the Repository tab, specify the repository and branch to scan from a list of available repositories.
    When choosing repositories from the list of available repositories, choose the parent first, then the branch.
  6. From the Schedule tab, specify that the scan should run immediately, save the scan configuration to use later, or schedule recurrent scanning:
    • Scan now

      The scan runs as soon as you click the Scan button. If the maximum number of concurrent scans is already running at that time, the scan is added to a queue and starts when it reaches the head of the queue.

    • Save for later

      The configuration for your scan is ready to run and added to the Scans page with the status "Configuration saved." Saved configurations cannot be edited.

    • Schedule
      • Indicate the start date and time for the scan.
      • If you want the scan to repeat on a schedule, specify the frequency (daily, weekly, monthly) and further details.
      • Indicate when rescans should stop.
  7. Indicate additional scan preferences on the Scan options tab:
    • Opt to run your scan as a personal scan whose security issues will not be added to the issues for the application as a whole.
    • You can also select the default option that sends you an email when the scan completes.
    • Allow intervention by our scan enablement team.
  8. At the Summary tab, edit the default name that was given to the scan, if desired, and review scan choices.
  9. Click Scan when ready to scan.