Getting Started

Security is added to your code repositories in 3 easy steps:

  1. Install the Github Application
  2. Enable the Scanners
  3. Update the Policies

3 Steps to Security

Install the GitHub Application

Installing the GitHub Application on your organization enables the Boost Security service to access the GitHub API: to insert comments on PRs, to install and update check statuses, to enable the CI/CD and Dependabot security checks, and so on.

In order to install the GitHub Application on your GitHub organization, follow these steps:

  • Navigate to the Integrations view (Settings > Integrations) and select the GitHub integration from the Available section.
  • Select Install. You will be directed to GitHub Apps to install the Boost Security GitHub app.
  • Select the GitHub organization on which you want to install the Boost Security GitHub app.
  • Select whether to install the GitHub application on All repositories or Only select repositories. Installing it for all repositories is recommended, since it makes adding the security scanner to new repositories simpler.
  • Select Install and Authorize.

Once the installation is completed, the Boost Security GitHub card is added to the Settings > Integrations > Installed section. At this point, the Boost Security GitHub App is installed on your GitHub organization. You might want to enable the CI/CD pipeline configuration security checks and the Dependabot security checks. To do so, go to Settings > Integrations > Installed, select the GitHub application card, and then open the Configuration tab. On the configuration line item for your GitHub organization, select the Dependabot and/or CI/CD toggles to turn on the security checks.

Enable the Scanners

Once the GitHub Application is installed, scanner modules can be configured to run in your organization's repositories. This is done per repository, by configuring the Boost Security scanner modules through the supported CI plugins.

Follow the steps described in Configure Boost Security in your CI in order to configure the scanners in your code repositories.

Update the Policies

Once the required scanners are configured on your code repositories, you can create or update the policies that process the security events the scanners trigger, adding whatever policy rules you need. A Boost policy lets your security team define which types of findings matter to them. On the Policy page you configure what should cause a finding to become a violation. Violations are tracked separately in Boost, so you can easily see which repositories are in violation of your policy.

The policy also lets you enable actions when violations occur. These actions can alert a developer by adding a comment to a pull request, block a pull request from merging, or send a Slack message to a specific channel, to name a few.

Refer to section for how to create or update policies.

Reviewing the findings

Once Boost starts to receive data feeds, you can explore the results in the Findings page.

You can filter and drill down through the findings using the filters, allowing you to focus, for example, on findings from one or more projects (i.e. GitHub repositories) or on findings triggered by a specific scanner rule.

For each finding on this page, you can see the rule that detected it, the file path and source code lines where it was found, a description and a link to documentation explaining why this is an issue and how to address it, and more.