Managed scanning
Managed scanning makes it easy to run Coana scans across multiple GitHub repositories. There are two ways to set up managed scanning:
- Auto Deployment
  - Coana automatically adds and manages GitHub workflow files in your repositories
  - Uses your own CI runners to run scans
  - Does not require access to your source code
- Coana Supplied Runners
  - Coana handles the scanning process end-to-end
  - Repositories are cloned and scanned on Coana-managed machines
Auto Deployment
Notice: When scanning is enabled for a repository, the auto-deployment GitHub app will create or update two workflow files:
.github/workflows/coana-regular-scan.yml
.github/workflows/coana-guardrail.yml
Requirements
- The app must have access to the repositories you wish to scan.
- For repositories with a protected default branch (either via branch protection or rulesets), you’ll need to grant the app bypass permissions. See instructions below for details.
Installation
Go to Settings → Integrations, scroll to the ‘GitHub Managed Scan Integration’, and click the “Connect to GitHub” button.
Click “Install” and select your organization.
If you mistakenly install the app on your personal account or the wrong organization, then simply uninstall the app and start the process over.
Select repositories
Either select “All repositories” or “Only select repositories” depending on your specific needs. You can always add or remove repositories from the installation using Settings → Integrations later (see the help section below for more details).
Important: Selecting ‘Only select repositories’ instead of ‘All repositories’ means Coana cannot automatically add workflow files when new repositories are created in your organization.
Click “Install & Authorize” and wait for the redirect back to Coana.
Usage
Managed scanning can be configured from the Managed Scan page in the dashboard.
Each repository has a toggle in the ‘scanning enabled’ column that lets you enable or disable scanning.
Some repositories require custom setup steps before running a Coana scan. For example, if your repository uses packages from a private registry, you’ll need to configure authentication and package installation first.
To add custom setup steps:
- Click the ‘Configurations’ button
- Click ‘Create Configuration’
- Fill out the configuration details
- Click ‘Save’
Once saved, you can apply the configuration to repositories by selecting it from the dropdown in the ‘configuration’ column.
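As an added illustration of the kind of setup step described above (this is example code, not a Coana configuration or workflow file), the following POSIX shell snippet authenticates npm against a private registry before dependencies are installed. The registry host, scope and file path are placeholders you pass in; the token is assumed to arrive in the NPM_TOKEN environment variable from a CI secret and is never written into the repository.

```shell
#!/usr/bin/env sh
# Added example, not part of the Coana documentation or product.
# Writes a scoped .npmrc so that packages under a private scope resolve to a
# private registry, authenticated with a token supplied by the CI secret store.

# write_npmrc HOST SCOPE OUTFILE
#   HOST    registry host, e.g. npm.pkg.example.com (placeholder)
#   SCOPE   npm scope, e.g. @acme (placeholder)
#   OUTFILE path of the .npmrc to create (use a path outside the checkout)
write_npmrc() {
  registry_host="$1"
  scope="$2"
  out="$3"
  # Fail fast if the secret was not injected; never fall back to a literal.
  token="${NPM_TOKEN:?NPM_TOKEN must be provided as a CI secret}"
  # Create the file with owner-only permissions from the start (umask in a
  # subshell so the caller's umask is untouched), then pin the mode.
  (
    umask 077
    printf '%s:registry=https://%s/\n//%s/:_authToken=%s\n' \
      "$scope" "$registry_host" "$registry_host" "$token" > "$out"
  )
  chmod 600 "$out"
}

# npmrc_registry_for_scope SCOPE FILE
#   Prints the registry URL configured for SCOPE, so a setup step can verify
#   the mapping before running the install.
npmrc_registry_for_scope() {
  scope="$1"
  file="$2"
  sed -n "s|^$scope:registry=||p" "$file"
}

# install_deps
#   Installs from the lockfile; --ignore-scripts keeps package lifecycle
#   scripts from executing on the scanning runner. Not invoked here.
install_deps() {
  npm ci --ignore-scripts
}
```

Point NPM_CONFIG_USERCONFIG at the generated file (or write it to the runner's home directory) so npm picks it up without the token ever landing in the repository checkout.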
Help
How to add the app to the bypass list
For branch protection rules follow these instructions.
- If “Require a pull request before merging” is enabled, also enable “Allow specified actors to bypass required pull requests” and add the Coana Auto Deployment app to the list of actors.
- If “Restrict who can push to matching branches” is enabled, it is unfortunately not possible to add the auto deployment app to the list of people, teams, or apps with push access. We recommend turning this option off, or switching to rulesets to manage branch protection.
- More information: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
For rulesets, follow these instructions.
- Locate the ruleset protecting the default branch. Add the Coana Auto Deployment app to the “Bypass list” in the top section of the page.
- If it’s an organization ruleset, contact the admin and have them add the Coana Auto Deployment app to the “Bypass list”.
- More information: Granting bypass permissions for your branch or tag ruleset
How do I uninstall and manage repository access for the Coana Auto Deployment app?
To modify repository access or uninstall the Coana Auto Deployment app:
- Go to the Settings → Integrations page
- Find the managed scan section
- Click the “Configure on GitHub” button
On the GitHub configuration page, you can:
- Change which repositories Coana can access
- Completely uninstall the app
Coana Supplied Runners
Managed scanning with Coana supplied runners is not yet available.