GitHub Enterprise (On-Prem) - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Runtime Security Documentation
Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-16
Category
Administrator Guide

Integrate Cortex Cloud Application Security with your GitHub Enterprise (On-Prem) version control system (VCS) to enable security scans for exposed secrets, infrastructure-as-code (IaC) misconfigurations, vulnerabilities, package operational risks, and license compliance issues in your repositories. This integration allows you to analyze, prioritize, and resolve detected issues efficiently.

Architecture and connectivity

While never strictly required, deploying a Transporter over a Broker VM is recommended for isolated environments where the Cortex Cloud platform has no direct way to reach your internal enterprise resources. In these scenarios, the Transporter solves the connectivity problem by:

  • Living inside your network as an applet on the Broker VM

  • Initiating an outbound WebSocket connection to the cloud, meaning no inbound firewall rules or direct IP access are needed

  • Proxying requests from the cloud to internal resources, allowing Cortex Cloud to perform secure code scanning without exposing your internal network to the public cloud

For more information on Transporter, refer to Transporter over Broker VM.

If your GitHub Enterprise instance is already internet-accessible or managed via existing connectivity solutions (such as a VPN or network peering), the Transporter is not needed.

How to integrate GitHub Enterprise (On-Prem)

Prerequisite

Before you begin:

  • GitHub permissions: You must have Organization Owner permissions to install the Cortex application. Users with only repository-level admin permissions cannot complete the installation unless the organization explicitly allows non-owners to install GitHub Apps (in this instance the Cortex application)

  • Scope: The Cortex application requires the following authorization scopes:

  • Onboarding port: Port 443 is required for all on-premise onboarding for outbound HTTPS communication to Cortex Cloud. If the Transporter is used, it specifically uses port 443 for its WSS tunnel

Onboarding steps

  1. In the Cortex Cloud tenant.

    2. Search for GitHub Enterprise (On-Prem), hover over it, and click Add, or Add Another Instance if an instance is already onboarded.

    3. Enter your domain in the Configure Domain step of the wizard.

      Note

      The domain is the hostname associated with your GitHub Enterprise (On-Prem) instance.

    4. Optional: Connect a Transporter: Select your Broker VM and associated Transporter applet from the provided menus.

      Note

      For more information about the Transporter, including setup instructions, refer to Transporter over Broker VM.

    5. Click Register.

      You are redirected to your GitHub Enterprise (On-Prem) instance to register Cortex AppSec as an OAuth application. Additionally, the Register OAUTH App step of the integration wizard is displayed.

    6. Copy the Application Name, Homepage URL and Authorization Callback URL values from their respective fields.

  2. On the Register a new OAuth application screen of the GitHub Enterprise (On-Prem) console:

    1. Paste the values copied in step 1d above in their respective fields.

    2. Click Register application.

    3. Once created, copy and save the the Client ID and Client Secret values for the new Cortex AppSec application.

      Click Authorize to complete the setup.

  3. On the Cortex Cloud console.

    1. Select Next on the the Register OAUTH App step of the integration wizard.

      The Set Client ID and Secret step of the wizard is displayed.

    2. Paste the Client ID and Client Secret values copied in step 2c above, and click Authorize.

    3. Under Selection Options of the Select Repositories step of the wizard, choose the repositories to be connected to the instance:

      • Permit all existing repositories

      • Permit all existing and future repositories

      • Choose from repository list and select repositories from the list

    4. Click Save.

    5. Click Close on the final step of the wizard.

      Note

      Ensure that you receive the Instance Successfully Created message on this step, indicating successful instance creation.

  4. Verify integration:

    1. On the Data Sources & Integrations page, search for GitHub Enterprise (On-Prem).

    2. Hover over and select the resulting entry.

    3. Locate your instance and verify that the status of your GitHub Enterprise (On-Prem) instance is Connected.

  5. View repository assets and mitigate detected issues.

Subscribed events

The following list describes events that Cortex Cloud Application Security monitors on your GitHub Enterprise (On-Prem), covering actions and changes that trigger notifications and integrations.

  • Repository events: All events related to repositories

  • Organization events: Includes ['organization', 'membership', 'team'] events

Manage data source integrations

Manage integrations to align with evolving requirements and ensure they remain current.

  1. Navigate to SettingsData Sources & Integrations and use the Vendor filter to located the required integration.

  2. Select your vendor from the list.

    The integrated instances for the selected vendor are displayed.

  3. Right-click on an instance and select an option:

    • Edit instance: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide

    • Delete instance: When confirmed, deletes the instance, including data from previous scans

    • Copy entire row – Copies all column values for the selected row to the clipboard.