GitHub is a source code version control tool used by engineering teams to manage code. Integrating with GitHub will create an inventory of your code repos in Comply and run automations to ensure they are configured securely.
Up-to-date asset inventory
Not all of your code repos will be in scope of your ISMS. By maintaining this list over time, you’ll be able to more quickly react to requests from auditors and customers when they are investigating your SDLC policies. Additionally, you can leverage procedures to automatically trigger processes when code repos are added or removed from GitHub (e.g. conduct a risk analysis when a code repo is created or remove sensitive data the code repo was utilizing after it’s removed).
Automatic SDLC monitoring and evidence
We automatically record every Pull Request merged as an event in Comply. These events are then processed by our automations and recorded as evidence that you can use in an audit. Read more about events and automations here and scroll down to see details on the events and automations provided for GitHub specifically.
We use a GitHub App to integrate with your organization. This provides us with read-only access to specific parts of your organization, which you can review using GitHub’s built-in management tools.
Code Repo Pull Request Approval
Ensures that pull (merge) requests are reviewed by someone other than the author prior to merge.
Comply creates an issue if a pull (merge) request was either not approved or approved by the author.
ISO: A.12.1.2, A.12.1.4, A.14.2.2
SOC 2: CC3.4, CC7.1, CC8.1
Code Repo Pull Request CI
Ensures code tests using continuous integration ("CI") were run and were passing prior to merge.
Comply creates an issue if CI failed prior to merge.
SOC 2: CC8.1
Pull Request Merged events. We automatically tag each one based on the review and CI status of the Pull Request.
- Approved: The Pull Request was approved before merging.
- Approved by Author: The Pull Request was approved only by its author.
- Not Approved: The Pull Request was not approved before merging.
- CI Success: All GitHub CI checks passed before merging.
- CI Failure: All GitHub CI checks did not pass before merging.
- We also generate a specific tag for each CI item in case you want more granular control.
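
An added example (not Comply's code) of how the tags above could be derived from GitHub REST API data: review objects with `user.login` and `state`, and check runs with `name` and `conclusion`. The dictionary layout, the handling of superseded reviews, and reading "CI Failure" as at least one check not passing are assumptions.

```python
PASSING = {"success", "neutral", "skipped"}  # assumption: conclusions treated as a pass


def review_tag(author, reviews):
    """Review tag for a merged PR; `reviews` must be in chronological order."""
    latest = {}
    for r in reviews:
        # A COMMENTED review does not replace the reviewer's earlier verdict.
        if r["state"] in ("APPROVED", "CHANGES_REQUESTED", "DISMISSED"):
            latest[r["user"]["login"].lower()] = r["state"]
    approvers = {who for who, state in latest.items() if state == "APPROVED"}
    if approvers - {author.lower()}:
        return "Approved"
    return "Approved by Author" if approvers else "Not Approved"


def ci_tag(check_runs):
    """Overall CI tag plus the names of the checks that did not pass."""
    failed = sorted(c["name"] for c in check_runs if c.get("conclusion") not in PASSING)
    # Assumption: no checks at all counts as a failure, because the control
    # requires that CI was run before merge.
    return ("CI Success" if check_runs and not failed else "CI Failure"), failed


def tag_merged_pr(pr):
    overall, failed = ci_tag(pr["check_runs"])
    return {"tags": [review_tag(pr["author"], pr["reviews"]), overall],
            "failed_checks": failed}


def rev(login, state):
    return {"user": {"login": login}, "state": state}


def chk(name, conclusion):
    return {"name": name, "conclusion": conclusion}


# Constructed sample data, not taken from a real organization.
SAMPLE_PRS = {
    "approval later withdrawn": {"author": "alice", "check_runs": [chk("unit", "success")],
        "reviews": [rev("bob", "APPROVED"), rev("bob", "CHANGES_REQUESTED")]},
    "self approved, lint failed": {"author": "carol", "reviews": [rev("Carol", "APPROVED")],
        "check_runs": [chk("unit", "success"), chk("lint", "failure")]},
    "peer approved": {"author": "dave", "reviews": [rev("erin", "COMMENTED"), rev("erin", "APPROVED")],
        "check_runs": [chk("build", "success"), chk("docs", "skipped")]},
}

if __name__ == "__main__":
    for label, pr in SAMPLE_PRS.items():
        print(label, "->", tag_merged_pr(pr))
```
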
- Navigate to the Automations > Integrations Configuration section in Comply
- Click 'Add Integration', and select GitHub.
- Ensure you’re logged in to an Owner account on the desired GitHub organization.
- Click Authorize and go through the GitHub App install process.
The most common problems when setting up the integration are:
- Installed on the incorrect GitHub organization.
- Installed on a GitHub personal account. This integration only supports organizations.
- If you’re not an owner, GitHub will only allow you to request the installation.
If you receive an error message when trying to sync your integration, please check the above items and contact [email protected] if the problem persists.