
Integrate Contrast with GitHub and GitHub Advanced Security

Contrast supports multiple methods of integrating GitHub source code management (SCM) with Contrast technologies.

For an example of how to integrate Assess with a GitHub workflow, visit Assess and GitHub.

Integrate Contrast Scan with GitHub

| I want to use GitHub to... | Procedure | Related links |
| --- | --- | --- |
| Scan code in my master branch | Use the Contrast Scan local engine as part of your workflow. You can run the scan with either the Scan CLI or the Contrast Scan Analyze GitHub action. The CLI does not support scanning a specific branch; it creates a separate project for each repository that you scan. For this reason, the Contrast Scan Analyze GitHub action is the recommended option. | Scan CLI; Contrast Scan Analyze; Contrast Scan Analyze README |
| Scan code in my personal or an alternative branch | Use the Contrast Scan Analyze GitHub action for the scan. | Contrast Scan Analyze; Contrast Scan Analyze README |
| Ingest Contrast findings into GitHub Advanced Security | Uploading a SARIF file to GitHub | |

Integrate Contrast static SCA with GitHub

| I want to use GitHub to... | Procedure | Related links |
| --- | --- | --- |
| Run a static SCA scan against my repo using an action | Use the Contrast Security SCA GitHub action to scan your code repository for library vulnerabilities. You can also use the action to fail a build by updating your workflow file. | Contrast Security SCA GitHub action |
| Ingest Contrast SCA findings into GitHub Advanced Security | Uploading a SARIF file to GitHub | |

Integrate IAST technology (Contrast Assess) with GitHub

| I want to use GitHub to... | Procedure | Related links |
| --- | --- | --- |
| Export results in a SARIF file and ingest it into GitHub Advanced Security | Uploading a SARIF file to GitHub | |

Send vulnerabilities from Contrast directly to GitHub issues

Contrast can send vulnerabilities to a GitHub repository and report them as issues. Integrate with GitHub explains how to set this up.