GitHub - Proactive Governance Scanner

This user guide will take you through configuring the proactive governance scanner in CoreStack.

Introduction

The Proactive Governance Policy Scanner is a governance and compliance solution designed to enforce best practices, security controls, and operational standards during resource provisioning across cloud environments (AWS and Azure). Its goal is to ensure that resources are deployed securely, cost-effectively, and in alignment with organizational policies before provisioning occurs.

Onboard a GitHub Account

Perform the following steps to onboard a GitHub account for the proactive governance scanner:

1. Click Settings

On the left navigation pane, click Settings.

2. Select "Integrate Tools"

Click to select Integrate Tools.

Select 'Integrate Tools'

3. Alternative Tool Onboarding Step

Alternatively, to onboard a GitHub tool account, on the left navigation pane, click Governance, then Account Governance, and then click Tools.

Alternative Tool Onboarding Step

4. Click "Onboard Now"

To begin onboarding a new tool integration account, click Onboard Now. From this point on, the onboarding steps are the same regardless of where you started the tool account onboarding.

Click 'Onboard Now'

5. Click "Add New"

To start adding a new GitHub tool account, in the Source Code Management box, click Add New.

Click 'Add New'

6. Select Tool Account Scope

In the Prerequisites step, in the Select Tool Account Scope field, select either Tenant or Account.

  • Tenant: If you select this option, the tool account is available only in the tenant it is onboarded to.
  • Account: If you select this option, the tool account is available in all tenants under your platform account.

The scope decides how widely the GitHub credential you are about to enter can be used. Prefer Tenant unless other tenants genuinely need the same GitHub integration; a credential shared at Account scope is exposed to every tenant, and the scope cannot be narrowed later without re-onboarding.

7. Proceed to Next Step

Click Next to continue to the next step.

8. Select Authentication Protocol

In the Select Authentication Protocol field, select either Personal Access Token or GitHub App.

  • Personal Access Token: A token that authenticates API requests in place of a password. It is tied to the GitHub user who created it and carries whatever access that user has within the granted scopes, so the integration is only as tightly scoped as the token and the account behind it.
  • GitHub App: The integration authenticates as a GitHub App installed in your organization. The App holds its own permissions, limited to the repositories it is installed on, and obtains short-lived installation tokens from its private key rather than a long-lived user token. This is the better choice where a dedicated, narrowly scoped identity is wanted.
Select Authentication Protocol

9. Select "Personal Access Token"

If you select Personal Access Token, fill in the following fields and click Save & Validate.

  • Organization Name
  • Auth URL
  • Personal Access Token

Create the token from a dedicated service account rather than an individual's account, grant only the scopes the scanner needs (it must read pull request contents and post comments on them) and, where your GitHub plan allows, restrict a fine-grained token to the repositories the scanner will cover. Record an expiry and rotation date: the integration stops working when the token expires, which shows up as an invalid credential status on the Integrated Tools page.
Select 'Personal Access Token'

10. Select "GitHub App"

If you select GitHub App, fill in the following fields and then click Save & Validate.

  • Organization Name
  • GitHub App ID
  • Installation ID
  • Auth URL
  • Upload Credentials File (PEM): Click Select File and choose the App's private key file (.pem) that was generated and downloaded from the GitHub App's settings page.

The PEM file is the App's signing key: anyone holding it can mint tokens for every installation of the App, so treat it like a root credential. Keep no extra copies once it is uploaded, and generate a new key in the GitHub App settings (revoking the old one) if it is ever exposed.
Select 'GitHub App'

11. Click "Next"

After filling all the details, click Next to proceed to the Basic Settings step.

12. Update "Additional Account Details" Section

In the Account Name box, you can update the account name, and in the Description text box, type a description of the account.

Update 'Additional Account Details' Section

13. Select "Governance Scanner"

Click to select Governance Scanner to enable scanner settings. The Governance Scanner automatically analyzes configuration files related to cloud resource provisioning, such as Terraform, in every pull request (PR). It evaluates the changes against predefined rules and guardrails, ensuring compliance and governance. A detailed comment is then posted directly in the pull request, summarizing both compliance issues and cost insights. This helps teams make informed decisions before deploying infrastructure.

Select 'Governance Scanner'

14. Select "Privacy Policy"

Select the Privacy Policy checkbox.

15. Continue to Next Step

Click Next to move forward in the tool account onboarding process.

16. Advanced Settings (Optional Step)

The Advanced Settings step is optional. In this step, users can configure the Governance Scanner and add custom tags. If no configuration is needed, skip this step and click Finish to complete the tool onboarding.

17. Click "Configure"

To configure governance scanner, in the Advanced Settings step, in the Governance Scanner Configuration section, click Configure.

Click 'Configure'

18. Select "GitHub Repositories"

In the Tools Configuration page, in the GitHub Repositories drop-down list, select the applicable repositories for the governance scanner and then click Ok.

Select 'GitHub Repositories'

19. Enable Auto-Provisioning

Click Enable Auto-Provisioning to scan pull requests automatically when they are created. With this option on, every new pull request in the selected repositories has its Terraform files run through the scanner rules, and any violations are reported back in the pull request in GitHub. When the Terraform in a pull request is later applied, resources are deployed to the cloud accounts exactly as written, so this scan is the last point at which a violation can be caught before it reaches a cloud account. If the Terraform changes include AWS EC2, AWS RDS, or Azure virtual machines, their associated cost is shown in the pull request as well.

Enable Auto-Provisioning

20. Scanner Rules

The Scanner Rules table lists the governance scanner rules. All pull requests are scanned against these rules and violations are reported back in GitHub. Use the search box to find a specific scanner rule.

Scanner Rules

21. Example of GitHub PR

For example, refer to this pull request (PR) in GitHub. After the scanner rules have run, the violation details are posted in the pull request, showing each rule's expected value alongside the value found in the Terraform.

Example of GitHub PR

22. Enable/Disable Scanner Rules

Under the Rule Status column, use the toggle to enable or disable a scanner rule.

Enable/Disable Scanner Rules

23. Disable Rule

For example, disable a scanner rule that you do not want pull requests checked against. A disabled rule is skipped entirely, so its violations are neither detected nor reported; review disabled rules periodically so that a rule switched off for one exception does not stay off.

Disable Rule

24. Update Attributes

Click the pencil icon to modify the attributes of a rule.

Update Attributes

25. Save Changes

In the dialog box that appears, make the updates and click Save to apply the changes.

Save Changes

26. Update Attributes

Click the pencil icon to update additional values for any scanner rule. The attributes set here are the expected values the rule enforces; any Terraform value that deviates from them is reported back in GitHub.

Update Attributes
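To show how rule attributes, the Rule Status toggle and the "expected versus actual" report in the pull request fit together, here is an added example of a minimal rule evaluator. It is written for this guide and is not CoreStack's scanner; the rule names, their attributes and the Terraform snippet are all hypothetical and constructed, and the tiny Terraform reader handles only flat `key = value` attributes and one level of map, which is enough for the sample.

```javascript
// Added example, not CoreStack's scanner: a minimal model of how scanner rules
// with editable attributes are applied to Terraform in a pull request and turned
// into expected-vs-actual findings. Rule names and attributes are hypothetical.

// Read top-level resource blocks with flat attributes and one level of map
// (e.g. tags = { ... }). Deliberately minimal; a real scanner uses an HCL parser.
function parseResources(hcl) {
  const resources = [];
  let cur = null;     // resource being filled
  let mapKey = null;  // nested map currently open, e.g. "tags"
  for (const raw of hcl.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    let m;
    if ((m = line.match(/^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{$/))) {
      cur = { type: m[1], name: m[2], attrs: {} };
      resources.push(cur);
    } else if (cur && mapKey === null && (m = line.match(/^(\w+)\s*=\s*\{$/))) {
      mapKey = m[1];
      cur.attrs[mapKey] = {};
    } else if (cur && (m = line.match(/^(\w+)\s*=\s*(.+)$/))) {
      const target = mapKey === null ? cur.attrs : cur.attrs[mapKey];
      target[m[1]] = parseValue(m[2]);
    } else if (line === "}") {
      if (mapKey !== null) mapKey = null; else cur = null;
    }
  }
  return resources;
}

function parseValue(raw) {
  const s = raw.trim();
  if (/^".*"$/.test(s)) return s.slice(1, -1);
  if (s === "true" || s === "false") return s === "true";
  if (/^-?\d+(\.\d+)?$/.test(s)) return Number(s);
  return s; // references and expressions are kept verbatim
}

// Hypothetical rules. `expected` is the editable attribute; `enabled` is the
// Rule Status toggle. appliesTo "*" means every resource type.
const rules = [
  { id: "ec2-approved-instance-types", enabled: true, appliesTo: "aws_instance",
    attribute: "instance_type", expected: ["t3.micro", "t3.small", "t3.medium"],
    check: (actual, expected) => expected.includes(actual) },
  { id: "s3-no-public-acl", enabled: true, appliesTo: "aws_s3_bucket",
    attribute: "acl", expected: ["private"],
    check: (actual, expected) => actual === undefined || expected.includes(actual) },
  { id: "required-tags", enabled: true, appliesTo: "*",
    attribute: "tags", expected: ["Owner", "CostCenter"],
    check: (actual, expected) => expected.every((k) => actual != null && k in actual) },
];

// Apply every enabled rule to every matching resource; a disabled rule is skipped.
function scan(resources, ruleSet) {
  const findings = [];
  for (const rule of ruleSet) {
    if (!rule.enabled) continue;
    for (const r of resources) {
      if (rule.appliesTo !== "*" && rule.appliesTo !== r.type) continue;
      const actual = r.attrs[rule.attribute];
      if (!rule.check(actual, rule.expected)) {
        findings.push({ rule: rule.id, resource: `${r.type}.${r.name}`, attribute: rule.attribute,
          expected: rule.expected, actual: actual === undefined ? "(not set)" : actual });
      }
    }
  }
  return findings;
}

// Render findings as the kind of table a pull request comment would carry.
function renderComment(findings) {
  if (findings.length === 0) return "No governance violations found.";
  const rows = findings.map((f) =>
    `| ${f.rule} | ${f.resource} | ${f.attribute} | ${JSON.stringify(f.expected)} | ${JSON.stringify(f.actual)} |`);
  return ["| Rule | Resource | Attribute | Expected | Actual |", "|---|---|---|---|---|", ...rows].join("\n");
}

// Constructed sample Terraform, as it might appear in a pull request.
const SAMPLE_TF = `
resource "aws_instance" "web" {
  ami           = "ami-0123456789abcdef0"
  instance_type = "m5.4xlarge"
  tags = {
    Owner = "platform-team"
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
  tags = {
    Owner      = "platform-team"
    CostCenter = "1234"
  }
}
`;

function demo(tf = SAMPLE_TF, ruleSet = rules) {
  return scan(parseResources(tf), ruleSet);
}

console.log(renderComment(demo()));
```

Running it reports three findings on the sample: the instance type outside the approved list, the public-read bucket ACL and the missing CostCenter tag on the instance. Widening the `expected` list of the instance-type rule, as editing the attribute in the UI would, clears the first finding; switching the tag rule's `enabled` off clears the third, which is exactly why disabled rules deserve a periodic review.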

27. Click "Save & Apply"

Click Save & Apply to save the configuration.

Click 'Save & Apply'

28. Add Custom Tags

To add custom tags, in the Key box, type the tag key and in the Value box, type the tag value, and then click Add Tag. The tag appears in the list below.

To remove a custom tag, click the cross (X) symbol next to it.

Add Custom Tags

29. Click "Finish"

To complete the tool account onboarding, click Finish.

View Tool Account

The new GitHub tool account is displayed on the Integrated Tools page. Users can view the tool account details in these columns -- Tool Account Name, Scope, Account Status, Credential Status, Product List, Onboarded By, Onboarded Date, and Actions.

View Tool Account

The top cards on the Integrated Tools page show -- Active and Governed Accounts, Accounts with Invalid Credentials, and Deactivated Accounts. An account listed under Accounts with Invalid Credentials has stopped scanning, typically because the Personal Access Token expired or was revoked, or the GitHub App's key was rotated; edit the tool account and supply the new credential to restore it.

Users can click the Filter icon to show or hide the ADD+ custom filter and apply it to view specific accounts.

Apply Filter

Users can use the search box to search for any tool account and they can click the download icon to download the tool account details.

Source Code Management

If you need to look at your existing GitHub tool account, then on the Integrated Tools page, on the left navigation pane, click Source Code Management and then click GitHub.

Source Code Management

Actions on GitHub Tool Account

Under the Actions column, click the ellipses corresponding to a GitHub tool account and take any of the following actions:

  • View
  • Edit
  • Deactivate
  • Delete
Actions on GitHub Tool Account

View Tool Account Details

Click the ellipses and select View to view the tool account details.

View Details Tab

The Tool Account Summary page shows two tabs -- Details and Governance Scanner. The Details tab shows details in these sections -- Cloud Account Details, Credentials, and Basic Settings.

View Details Tab

View Governance Scanner Tab

The Governance Scanner tab shows details in these sections -- Applicable GitHub Repositories, Auto-Provisioning, and Scanner Rules.

Edit Tool Account Details

Click the ellipses and select Edit to make changes to the tool account details.

Make Updates & Finish

You can make the relevant updates and click Finish to save the updates.

Note: Use the Next button to navigate between steps and make the updates.

Deactivate Tool Account

To deactivate a tool account, click the ellipses and select Deactivate. A dialog box appears; click Yes to deactivate the tool account, or No to cancel.

Delete Tool Account

To delete a tool account, click the ellipses and select Delete. A dialog box appears; click Yes to delete the tool account, or No to cancel.

Deactivating or deleting the tool account removes it from CoreStack; it does not revoke the credential on the GitHub side. When you retire an integration, also revoke the Personal Access Token or uninstall the GitHub App (or rotate its private key) in GitHub, so the credential cannot be reused elsewhere.