HERE'S WHY
Connecting GitHub to Drata enables automated tests and evidence collection that prove to auditors that your company follows its software development lifecycle (SDLC) procedures.
BEFORE DIVING IN
Make sure you have the ability to install a GitHub app on your company's GitHub organization. Do not install the Drata app in a personal account. On the second step of the app installation process in GitHub, you can verify whether an organization or personal account was selected. You can click Cancel to go back to the first step to fix the selection if necessary.
If you want to match Drata user accounts to GitHub users by email, note that each user's email must be publicly exposed in GitHub for Drata to pull it in. Two settings are required for each GitHub user:
1. Uncheck the "Keep my email addresses private" checkbox on https://github.com/settings/emails
2. Go back to https://github.com/settings/profile and select a value for the "Public email" dropdown
If Drata receives an email address, we only write it to our DB temporarily at connection time and use it for fuzzy matching on the first creation of new users.
HERE'S HOW
Follow these instructions to connect GitHub to Drata:
1. Select "Connections" on the side navigation menu.
2. Select the "Available connections" tab, search for "GitHub", and select the Connect button for the GitHub integration.
3. Follow the instructions in the slide-out panel carefully. Take your time and complete one step entirely before moving on to the next.
SELECTING IN-SCOPE REPOS
Drata recommends you set the scope of the GitHub app to allow read access to all repos (this covers current and future repos). If you need to reduce the selection of repos Drata will monitor, you can select those at connection time, or once the app has been installed in your organization. This reduction in scope applies only to the "Formal Code Review Process" monitoring test, where Drata looks for your branch protection rules. It does not reduce the scope of collaborators Drata attempts to find, or of their permissions, which are evaluated across all repos in your organization. Collaborator permissions are evaluated in the "Only Authorized Employees Change Code" and "Production Code Changes Restricted" monitoring tests.
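To make concrete what the two kinds of monitoring test look at, here is an added example (not Drata's code) that reproduces the checks against GitHub REST API payloads: whether a repo's default branch requires pull-request reviews (branch protection), and which collaborators hold write access and are not on your authorized list. The sample payloads are constructed; the field names follow GitHub's branch-protection and collaborators endpoints, and the `fetch` helper shows how you would pull live data instead.

```python
"""Added example (not Drata's code): mirror the branch-protection and
collaborator-permission checks described above, using GitHub REST payloads.
Sample data below is constructed."""
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

API = "https://api.github.com"


def fetch(path, token):
    """Live call to the GitHub REST API (not exercised by the offline sample).
    Returns None on 404, which is how GitHub reports an unprotected branch."""
    req = Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def review_required(protection, min_approvals=1):
    """True when the branch-protection payload (GET /repos/{owner}/{repo}/branches/
    {branch}/protection) requires at least `min_approvals` approving PR reviews."""
    if not protection:                      # None or {} means no protection rule at all
        return False
    reviews = protection.get("required_pull_request_reviews") or {}
    return reviews.get("required_approving_review_count", 0) >= min_approvals


def code_writers(collaborators):
    """Logins whose permissions let them change code: push, maintain or admin.
    Items follow GET /repos/{owner}/{repo}/collaborators, each with a `permissions` map."""
    return sorted(
        c["login"] for c in collaborators
        if any(c.get("permissions", {}).get(p) for p in ("push", "maintain", "admin"))
    )


def audit(protection_by_repo, collaborators_by_repo, authorized_logins):
    """Per-repo findings: is review enforced, and which writers are not on the
    authorized list. A repo with no collaborator payload counts as having none."""
    authorized = set(authorized_logins)
    findings = {}
    for repo, protection in protection_by_repo.items():
        writers = code_writers(collaborators_by_repo.get(repo, []))
        findings[repo] = {
            "review_required": review_required(protection),
            "unauthorized_writers": sorted(set(writers) - authorized),
        }
    return findings


# --- constructed sample data (replace with fetch(...) results for a live run) ---
SAMPLE_PROTECTION = {
    "api-service": {"required_pull_request_reviews": {"required_approving_review_count": 1}},
    "legacy-tool": None,   # 404 from the API: the default branch is unprotected
}
SAMPLE_COLLABORATORS = {
    "api-service": [
        {"login": "alice", "permissions": {"admin": True, "push": True, "pull": True}},
        {"login": "bob", "permissions": {"admin": False, "push": True, "pull": True}},
        {"login": "auditor", "permissions": {"admin": False, "push": False, "pull": True}},
    ],
    "legacy-tool": [
        {"login": "contractor-x", "permissions": {"admin": False, "push": True, "pull": True}},
    ],
}
AUTHORIZED = ["alice", "bob"]   # engineers your access policy allows to change code


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PROTECTION, SAMPLE_COLLABORATORS, AUTHORIZED), indent=2))
```

Run against the sample data, `legacy-tool` is flagged on both counts: no review requirement on its default branch, and a writer (`contractor-x`) who is not on the authorized list. Note that the collaborator check runs over every repo regardless of which repos you scoped the app to, matching the behaviour the paragraph describes.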
To restrict the app to selected repos after installation:
1. Go to your GitHub organization.
2. Click the "Settings" tab.
3. Click "GitHub Apps" (under "Integrations") in the left sidebar.
4. Click the "Configure" button next to the installed Drata app.
5. Under "Repository Access," select the "Only select repositories" radio option.
6. Use the "Select repositories" dropdown to select your in-scope repos, and click "Save."
The app uses the following read permission scopes:
Repository permissions: Administration, Code scanning alerts, Dependabot alerts, Metadata
Organization permissions: Members
Account permissions: Email addresses
The app uses the following write permission scopes:
Organization permissions: Administration
7. Rerun the "Formal Code Review Process" monitoring test to evaluate the new results.
NOTE: Going forward, you will need to manually add any future repos you want to monitor to the app's repository selection.
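The permission scopes listed above are the least-privilege baseline for the app; a practical control is to check what the installed app actually holds against that list. The following is an added example (not Drata's code) that compares an installation's `permissions` object, as returned by GitHub's installation endpoints (for example GET /orgs/{org}/installations), with the documented scopes and reports anything missing, broader than documented, or not on the list at all. The mapping of the page's labels onto GitHub's permission keys (`security_events` for code scanning alerts, `vulnerability_alerts` for Dependabot alerts, and so on) and the `app_slug` value are my assumptions; confirm them against your own installation payload. The installation list is constructed.

```python
"""Added example (not Drata's code): diff an installed GitHub App's permissions
against the read/write scopes documented above. Key names are assumed mappings
of the page's labels onto GitHub's installation `permissions` object."""

# Documented scope -> assumed GitHub permission key and access level
EXPECTED_SCOPES = {
    "administration": "read",                # Repository: Administration
    "security_events": "read",               # Repository: Code scanning alerts
    "vulnerability_alerts": "read",          # Repository: Dependabot alerts
    "metadata": "read",                      # Repository: Metadata
    "members": "read",                       # Organization: Members
    "emails": "read",                        # Account: Email addresses
    "organization_administration": "write",  # Organization: Administration
}

# Ordering used to decide whether a granted level is broader than documented
ACCESS_RANK = {"read": 1, "write": 2, "admin": 3}


def compare_scopes(granted, expected=EXPECTED_SCOPES):
    """Return the differences between what the app holds and what is documented.
    `granted` is the installation's `permissions` map: {key: "read"|"write"|...}."""
    missing = [k for k in expected if k not in granted]
    broader = [
        k for k in expected
        if k in granted and ACCESS_RANK.get(granted[k], 0) > ACCESS_RANK[expected[k]]
    ]
    undocumented = [k for k in granted if k not in expected]
    return {
        "missing": sorted(missing),
        "broader_than_expected": sorted(broader),
        "not_documented": sorted(undocumented),
    }


def select_installation(installations, app_slug="drata"):
    """Pick one app out of an org's installation list by its `app_slug`.
    The slug "drata" is an assumption; read the real one off your installation."""
    for inst in installations:
        if inst.get("app_slug") == app_slug:
            return inst
    return None


# --- constructed sample: the `installations` array of GET /orgs/{org}/installations ---
SAMPLE_INSTALLATIONS = [
    {"id": 101, "app_slug": "some-ci-app",
     "permissions": {"contents": "read", "metadata": "read"}},
    {"id": 202, "app_slug": "drata",
     "permissions": {
         "administration": "write",              # broader than the documented read
         "security_events": "read",
         "vulnerability_alerts": "read",
         "metadata": "read",
         "members": "read",
         "organization_administration": "write",
         "contents": "write",                    # not on the documented list at all
         # "emails" is absent: email matching described earlier would not work
     }},
]


def audit_installation(installations, app_slug="drata"):
    """Locate the app and diff its permissions; None if the app is not installed."""
    inst = select_installation(installations, app_slug)
    if inst is None:
        return None
    return compare_scopes(inst.get("permissions", {}))


if __name__ == "__main__":
    print(audit_installation(SAMPLE_INSTALLATIONS))
```

On the constructed sample the report shows `emails` missing, `administration` granted at write rather than read, and `contents` present without being documented. A clean installation returns three empty lists, which is a cheap check to re-run whenever the app is reconfigured or GitHub prompts you to accept new permissions.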
DISCONNECTING AND UNINSTALLING THE DRATA APP
If you ever need to disconnect GitHub from Drata, you must do so in two places: on the Drata Connections page, and within GitHub under "GitHub Apps," where you click "Uninstall" for the Drata app.
MONITORING TESTS COVERED
Test 6: Only Authorized Employees Access Version Control
Test 7: Only Authorized Employees Change Code
Test 8: Formal Code Review Process
Test 9: Production Code Changes Restricted
Test 87: MFA on Version Control System
Test 94: Version Control Accounts Removed Properly