GitHub Connection

Making the initial connection to GitHub

Updated over 3 months ago

HERE'S WHY

Connecting GitHub to Drata allows for the automated tests and evidence collection to prove to auditors that your company follows its software development lifecycle procedures.

BEFORE DIVING IN

Make sure you have the ability to install a GitHub app on your company's GitHub organization. Do not install the Drata app in a personal account. On the second step of the app installation process in GitHub, you can verify whether an organization or personal account was selected. You can click Cancel to go back to the first step to fix the selection if necessary.

If you have the ability to match user accounts to the emails of GitHub users, note that emails must be publicly exposed in GitHub for Drata to pull them in. There are two settings required for this for each GitHub user:

  1. Uncheck the “Keep my email addresses private” checkbox on https://github.com/settings/emails

  2. Go back to https://github.com/settings/profile and select a value for the “Public email” dropdown

If Drata receives an email address, we only write it to our DB temporarily at connection time and use it for fuzzy matching on the first creation of new users.

HERE'S HOW

Follow these instructions to connect GitHub to Drata:

1. Select "Connections" on the side navigation menu.

2. Select the 'Available connections' tab and then search for 'Github' to select the connect button for the GitHub integration.

3. Follow the instructions in the slide-out panel carefully. Take your time and complete one step entirely before moving on to the next.

SELECTING IN-SCOPE REPOS

Drata recommends you set the scope of the GitHub app to allow read access to all repos (this covers current and future repos). If you need to reduce the selection of repos Drata will monitor, you can select those at connection time, or once the app has been installed in your organization. This reduction in scope applies only to the "Formal Code Review Process" monitoring test, where Drata looks for your branch protection rules. It does not reduce the scope of collaborators Drata attempts to find, or their permissions on all repos in your organization. Collaborator permissions are evaluated in the "Only Authorized Employees Change Code" and "Production Code Changes Restricted" monitoring tests.

  1. Go to your GitHub organization

  2. Click on the "Settings" tab

  3. Click on "GitHub Apps" (under "Integrations") in the left sidebar

  4. Click the "Configure" button next to the installed Drata app

  5. Under "Repository Access," select the radio option for "Only select repositories"

  6. Use the "Select repositories" dropdown to select your in-scope repos, and click "Save"

    1. The app requests the following read permission scopes:

      • Repository permissions

        • Administration

        • Code scanning alerts

        • Dependabot alerts

        • Metadata

      • Organization permissions

        • Members

      • Account permissions

        • Email addresses

    2. The app requests the following write permission scopes:

      • Organization permissions

        • Administration

  7. Rerun the "Formal Code Review Process" monitoring test to evaluate the new results

NOTE: This will require you to manually add future repos you want to monitor to the app's repos selection going forward.
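As an added example (not Drata's or GitHub's own code), the check below compares the scopes actually granted to an installed GitHub App against the baseline listed above, so you can spot an installation that was granted more than it needs or that has drifted to "Only select repositories". The mapping from the UI labels to GitHub API permission key names is an assumption, and the sample installation record is constructed to look like one entry returned by the organization installations endpoint.

```python
"""Audit an installed GitHub App's granted scopes against a least-privilege baseline."""
import json

# Baseline from this page, keyed by GitHub API permission names.
# The label-to-key mapping (e.g. "Code scanning alerts" -> security_events) is an assumption.
EXPECTED = {
    "administration": "read",                # Repository > Administration
    "security_events": "read",               # Repository > Code scanning alerts
    "vulnerability_alerts": "read",          # Repository > Dependabot alerts
    "metadata": "read",                      # Repository > Metadata
    "members": "read",                       # Organization > Members
    "email_addresses": "read",               # Account > Email addresses
    "organization_administration": "write",  # Organization > Administration
}

RANK = {"read": 1, "write": 2, "admin": 3}   # access levels in increasing order


def audit_installation(inst: dict, expected: dict = EXPECTED) -> dict:
    """Return scopes granted above baseline, scopes below baseline,
    and whether the install is limited to selected repos rather than org-wide."""
    granted = inst.get("permissions", {})
    excess = {k: v for k, v in granted.items()
              if k not in expected or RANK.get(v, 0) > RANK[expected[k]]}
    missing = {k: v for k, v in expected.items()
               if RANK.get(granted.get(k), 0) < RANK[v]}
    return {
        "app": inst.get("app_slug"),
        "excess": excess,
        "missing": missing,
        "repo_scoped": inst.get("repository_selection") == "selected",
    }


# Constructed sample (not a real API response): one extra write scope was granted.
SAMPLE = json.loads("""{
  "app_slug": "example-app",
  "repository_selection": "selected",
  "permissions": {
    "administration": "read", "security_events": "read",
    "vulnerability_alerts": "read", "metadata": "read",
    "members": "read", "email_addresses": "read",
    "organization_administration": "write",
    "contents": "write"
  }
}""")

if __name__ == "__main__":
    print(json.dumps(audit_installation(SAMPLE), indent=2))
```

Feed it the `installations` entries from `GET /orgs/{org}/installations` and treat any non-empty `excess` as a finding to review with whoever approved the install.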

DISCONNECTING AND UNINSTALLING THE DRATA APP

If you ever need to disconnect GitHub from Drata, you will need to do so on the Drata connections page and within GitHub under "GitHub Apps." Click "Uninstall" for the Drata app.

Monitoring tests covered

  • Test 6: Only Authorized Employees Access Version Control

  • Test 7: Only Authorized Employees Change Code

  • Test 8: Formal Code Review Process

  • Test 9: Production Code Changes Restricted

  • Test 87: MFA on Version Control System

  • Test 94: Version Control Accounts Removed Properly
