Skip to main content

Secure GitHub with Mondoo

You can configure Mondoo to continuously scan an entire GitHub organization or individual repositories. Mondoo scans find misconfigurations and vulnerabilities that put your business at risk. You deploy the integration once and always get the latest security assessments.

tip

You can also use Mondoo to automatically scan Kubernetes manifests, Terraform configuration files, and Docker containers in GitHub Actions. To learn more, read Scan in GitHub Actions.

Prerequisite

  • A Mondoo account

  • Access to a GitHub organization or repository

Create a GitHub personal access token to give Mondoo access to the repository

A personal access token gives Mondoo the ability to access GitHub resources on your behalf. For Mondoo to continuously monitor your GitHub repository, you must create a personal access token.

To learn more about personal access tokens, read Managing your personal access tokens in the GitHub documentation.

  1. Log into GitHub. If you haven't verified your email address with GitHub, do that now.

  2. In the upper-right corner of any GitHub page, select your profile photo and then select Settings.

  3. In the left sidebar, select Developer settings.

  4. In the left sidebar, under Personal access tokens, select Tokens (classic).

  5. Near the top-right corner of the page, select the Generate new token drop-down and select Generate new token (classic).

  6. Under Note, explain the purpose of the token, such as Mondoo security scan access.

  7. Under Expiration, specify the number of days before the token expires.

  8. Under Select scopes, check these boxes:

    • read:org
    • read:repo_hook
    • admin:org_hook
    • read:project
  9. Select the Generate token button.

  10. Copy the token that GitHub generates. You need in in the next steps.

Set up a GitHub integration

  1. Access the Integrations > Add > GitHub page in one of two ways:

    • New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then under SaaS, select GitHub.

      Welcome to Mondoo Page

    • INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Under SaaS, select GitHub.

      Add a GitHub Integration in Mondoo

  2. In the Choose an integration name box, enter a name for the integration. Make it a name that lets you easily recognize the GitHub organization or repository.

  3. To scan an organization or repository that is in a GitHub Enterprise account, in the Provide GitHub Enterprise URL box, type the URL for the account. This is the URL you use to access the home page for your GitHub account. An example is https://github.mycompany.com.

  4. Under Select your integration type, choose whether to continuously scan an entire organization or a single repository.

  5. Specify the organization or repository to scan:

    • If you're scanning an organization, type its name in the Organization box.

      If you want to control which repositories in the organization to scan, turn off Scan all repositories found within the provided organization and specify the names of repositories to include or to skip. Type each repository on a new line.

    • If you're scanning a repository, in the Owner box, enter the name of the GitHub user or organization that owns the repository you want to monitor. In the Repository box, enter the name of the repository. Find these values in the URL path to the repository landing page. For example, this owner's name is Lunalectric and the repository is frontend:

    GitHub organization name

  6. In the Provide your personal access token box, paste the GitHub token you generated in the previous section.

  7. Choose Discovery options to determine the extent of Mondoo scanning:

    GitHub discovery options

    • To scan all Terraform files in the projects to which your token provides access, check Terraform files.

    • To scan all Kubernetes manifests in the projects to which your token provides access, check Kubernetes manifests.

  8. Select the START SCANNING button.

  9. On the Recommended Policies page, enable the policies on which you want to base assessments of your GitHub repository (or repositories). To learn more, read Manage Policies.

    Mondoo begins scanning your GitHub repository and, when completed, presents results on the INVENTORY page.

Learn more

For more information, explore the complete Mondoo GitHub Resource Pack Reference.