
Jul 24, 2020


dariahiddleston

How to Set Up a GitHub Webhook with SWAMP

The Software Assurance Marketplace, February 19, 2019

This document describes how to set up a GitHub webhook with the SWAMP, which involves creating a package in the SWAMP from a Git repository, configuring a GitHub webhook with a package version in the SWAMP, and scheduling SWAMP assessments to trigger with GitHub commits.

Step 1. Create a new package in the SWAMP using a GitHub repository URL

a. In GitHub, click the Clone or download button and copy the URL.


b. In the SWAMP, create a new package using the Remote Git repository option, and paste the copied URL from GitHub into the External Git URL field.

c. Click Next and complete the remaining steps to finish creating and uploading the package to the SWAMP. The SWAMP will clone the branch from GitHub to create a new package.


Step 2. Configure the webhook in GitHub and SWAMP

a. In the SWAMP, open the package and click the Edit button.

b. Copy the Payload URL from the SWAMP package to paste into GitHub.


c. In GitHub, add a webhook under the Settings tab > Webhooks > Add webhook.

d. Paste the Payload URL from the SWAMP into GitHub.


e. In the SWAMP, click the Generate button, and copy the Secret Token to paste into GitHub. Click the Save Package button to save the Secret Token that was just generated.

f. In GitHub, paste the Secret Token from the SWAMP into the Secret field. Click the Add Webhook button to save the configuration.


g. Use the default settings for the other options and click Add webhook.

   i. Content type must be “application/x-www-form-urlencoded.”

   ii. Enable SSL verification should be enabled. However, if your webhook is for a SWAMP-in-a-Box that has self-signed certs, you may need to disable SSL verification in order to get the webhook to work.

   iii. “Just the push event.” has been tested by the SWAMP. “Let me select individual events.” can be used to select other events to trigger the webhook (e.g. branches, releases) but has not been tested.

   iv. Active must be checked for the webhook to function.

h. For troubleshooting, reopen the webhook in GitHub and view Recent Deliveries.

i. Your webhook is now in effect. A new package version will be added to the SWAMP when the webhook is triggered. The new package version has the same source, build, and sharing settings as the previous version.
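The following is an added example, not SWAMP code and not part of the original manual. It shows what the Secret Token, the form-urlencoded content type and the push event chosen in Step 2 mean for a webhook receiver. GitHub signs the raw request body with the secret (HMAC-SHA256, sent in the X-Hub-Signature-256 header) and, with this content type, places the JSON in a form field named payload. The function names, the secret and the sample delivery are constructed for illustration, and how the SWAMP itself processes deliveries is not shown in this document.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def handle_delivery(secret: bytes, headers: dict, body: bytes) -> dict:
    """Hypothetical receiver: authenticate a delivery, then find the pushed branch."""
    received = headers.get("X-Hub-Signature-256", "")
    # Verify over the raw bytes before any parsing, with a constant-time compare.
    if not hmac.compare_digest(sign(secret, body).encode(), received.encode()):
        raise PermissionError("signature mismatch: wrong secret or altered body")
    if headers.get("X-GitHub-Event") != "push":
        return {"action": "ignored"}  # e.g. the ping sent when the webhook is added
    # application/x-www-form-urlencoded: the JSON sits in the "payload" field.
    form = parse_qs(body.decode("utf-8"), strict_parsing=True)
    event = json.loads(form["payload"][0])
    ref = event.get("ref", "")
    if not ref.startswith("refs/heads/"):
        return {"action": "ignored"}  # tag pushes carry refs/tags/...
    return {"action": "new_version",
            "branch": ref[len("refs/heads/"):],
            "clone_url": event["repository"]["clone_url"],
            "commit": event["after"]}

# Constructed sample delivery (not captured traffic).
SECRET = b"constructed-secret-token"
PUSH = {"ref": "refs/heads/feature/login", "after": "0" * 39 + "1",
        "repository": {"clone_url": "https://github.com/example/demo.git"}}
BODY = urlencode({"payload": json.dumps(PUSH)}).encode()
HEADERS = {"X-GitHub-Event": "push", "X-Hub-Signature-256": sign(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_delivery(SECRET, HEADERS, BODY))
    try:
        handle_delivery(b"wrong-secret", HEADERS, BODY)
    except PermissionError as exc:
        print("rejected:", exc)
```

A delivery signed with a different secret shows up as a failed entry under Recent Deliveries in GitHub, which is the first thing to check if the token was generated in the SWAMP but the package was not saved.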


Step 3. Create a new assessment and schedule it to run in SWAMP

a. In the SWAMP, create a new assessment by clicking the Run New Assessment button. Choose the project, package (version must be “latest”), tool(s), and platform, and click the Save button to save the assessment.

b. Select the desired assessments by checking the checkboxes, and click the Schedule Assessments button.


c. Select On push to run an assessment in the SWAMP with every push to GitHub, or create a new schedule to run the latest version at a specific time.

Select Add New Schedule to run assessments on a scheduled basis, such as Daily at 10:00 PM, and then click the Add Request button. (The latest package version in the SWAMP will be assessed at the scheduled time.) Save your schedule and select it instead of “On push” on the Schedule Assessment Runs page.

d. To receive a notification email from the SWAMP when the assessments finish, click the Notify me checkbox, and then click Schedule Assessments.


e. Confirm that the desired Scheduled Runs are displayed.

Step 4. Example

a. A commit in GitHub triggers the webhook. The branch that is pushed to is the branch that is cloned and added as a new package version in the SWAMP.


b. A new package version is created in the SWAMP. The version is labeled with the GitHub branch. Source, Build, and Sharing settings for the new version are copied from the previous version.

c. The On push schedule runs the assessments in the SWAMP.