To integrate with GitHub, Jit requires a dedicated repository to host the product security plan, as well as the installation of the Jit GitHub application. These prerequisites allow Jit to manage the security plan as code, execute code security tools using GitHub Actions, and avoid pulling the user source code into Jit's cloud. Jit GitHub application installation requires owner approval.
- Click the Create Repository link to go to GitHub's repository creation page and create a repository with the following specifications:
- Template: None.
- Owner: The organization you want to monitor. When the Jit GitHub app is installed later in this process, it gets access to the organization selected here.
- Repository name: .jit
- Visibility: Private.
- Initialize this repository with: None of the listed options.
- Return to the Jit platform and select Yes, I Created .jit Repository.
When installed, the Jit GitHub app receives the following minimal set of permissions in GitHub:
- Write access to dedicated Jit files — Allows Jit to manage Jit files on your repositories.
- Read access to administration, code, issues, and metadata — Allows Jit to read the code on monitored repositories.
- Read and write access to actions, checks, pull requests, and workflows — Allows Jit to trigger workflows in the .jit repository, create and update PR checks, create and update pull requests, and modify workflow files.
- Read and write access to content — Allows Jit to detect vulnerabilities in code and open remediation PRs (on a new branch).
- (Required only for future features) Read and write access to deployment — Allows Jit to run security requirements on new deployments and block deployments based on security findings.
- Select Install.
- Select the organization where you created the .jit repository in the previous step. Selecting any organization other than the one where you created the .jit repository will result in installation failure.
- Select whether to install the Jit GitHub app to All repositories or Only select repositories. If you choose Only select repositories, the .jit repository must be selected in addition to the repositories you wish to monitor.
Jit recommends selecting All repositories. Repositories can later be excluded from the product security plan if you do not wish to protect them with Jit. Furthermore, with All repositories selected, newly created repositories will be automatically protected by Jit.
- Select Install to proceed. If this option is not visible, see the note below.
Not the GitHub Organization Owner?
If you are not logged in to GitHub as the organization owner, this page presents a Request rather than an Install option.
Select Request to send a notification email to the GitHub organization owners. This email contains a link to this page, where the owner may complete installation by selecting Install.
The onboarding wizard displays a waiting state until the installation is complete. Your progress in the onboarding process is preserved, even if you log out of the Jit platform.
- Select Next to proceed to activate your security plan.
- Use the Select repository dropdown to choose a repository to start monitoring with Jit.
- Select Start monitoring.
Jit automatically activates the Scan Code for Hard-Coded Secrets security requirement on your selected repository and creates a hello world pull request. You can view this process in action on the Pipelines Page, where you have the additional option to create a test pull request containing a secret in order to verify detection accuracy.
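Because the app's permission set above is the least-privilege contract Jit documents, and because the Only select repositories option silently breaks the integration if the .jit repository is left out, it is worth re-checking an installation after the fact. The following is an added example written for this page, not Jit's own code: it audits an installation object of the shape returned by GitHub's REST API (`GET /orgs/{org}/installations`, where each installation carries a `permissions` map and a `repository_selection` value) against the documented permissions. The mapping from the page's wording to GitHub permission keys (for example "dedicated Jit files" to `single_file`) is an assumption, and the installation payloads below are constructed sample data so the check runs offline.

```python
"""Audit a GitHub App installation against the permission set documented for the Jit app."""

# Documented permissions mapped to GitHub App permission keys. The key names are an
# assumption about how the page's wording maps onto GitHub's permission identifiers.
EXPECTED_PERMISSIONS = {
    "single_file": "write",     # "dedicated Jit files" (assumed to be the single_file permission)
    "administration": "read",
    "issues": "read",
    "metadata": "read",
    "actions": "write",
    "checks": "write",
    "pull_requests": "write",
    "workflows": "write",
    "contents": "write",
    "deployments": "write",     # documented as required only for future features
}

# Permissions the page marks as optional; their absence is not a finding.
OPTIONAL_PERMISSIONS = {"deployments"}

# Rank access levels so "write" where "read" is documented is flagged as excess.
LEVELS = {"read": 1, "write": 2, "admin": 3}


def audit_installation(installation, selected_repos=(), plan_repo=".jit"):
    """Return a list of human-readable findings; an empty list means the installation matches the docs."""
    findings = []
    granted = installation.get("permissions", {})

    # Anything granted that the docs do not list, or granted at a higher level than documented.
    for key, level in granted.items():
        documented = EXPECTED_PERMISSIONS.get(key)
        if documented is None:
            findings.append(f"unexpected permission: {key}={level}")
        elif LEVELS.get(level, 0) > LEVELS[documented]:
            findings.append(f"excess privilege: {key}={level} (documented: {documented})")

    # Anything documented as required that is missing (the app would not function correctly).
    for key, documented in EXPECTED_PERMISSIONS.items():
        if key not in granted and key not in OPTIONAL_PERMISSIONS:
            findings.append(f"missing permission: {key}={documented}")

    # With "Only select repositories", the plan repository itself must be among the selected ones.
    if installation.get("repository_selection") == "selected" and plan_repo not in selected_repos:
        findings.append(f"plan repository {plan_repo!r} not included in selected repositories")

    return findings


# Constructed sample installation objects (not real API responses).
CLEAN_INSTALLATION = {
    "id": 1001,
    "repository_selection": "all",
    "permissions": dict(EXPECTED_PERMISSIONS),
}

DRIFTED_INSTALLATION = {
    "id": 1002,
    "repository_selection": "selected",
    "permissions": {
        "single_file": "write",
        "administration": "write",   # broader than the documented read access
        "issues": "read",
        "metadata": "read",
        "actions": "write",
        "checks": "write",
        "pull_requests": "write",
        "workflows": "write",
        "contents": "write",
        "members": "read",           # not in the documented set at all
    },
}

if __name__ == "__main__":
    print("clean:", audit_installation(CLEAN_INSTALLATION))
    # The drifted installation was scoped to one repo and the .jit repo was not selected.
    for finding in audit_installation(DRIFTED_INSTALLATION, selected_repos=["app-backend"]):
        print("drifted:", finding)
```

To run this against a real organization, feed it the `permissions` and `repository_selection` fields from the installation object and the repository names from the installation's repository listing; the comparison itself does not need network access.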
If you have third-party products or services you would like to integrate with Jit (such as Slack or AWS), proceed to Integrating With Third-Party Products and Services. Otherwise, continue to My Plan to activate your security requirements.