Learn the process of configuring the Scope section while creating a Nightfall policy in Nightfall or GitHub.
The Scope stage allows you to select the GitHub org in which the policy is created.
To configure Policy Scope:
Click + Org and select the GitHub org.
Select one of the following options under the Include in Monitoring section. The scope of this policy is limited to only those repositories which you select in this section.
All Repositories: This option adds all the repositories (public and private) in your GitHub org to the policy scope.
Public Repositories: This option adds all the public repositories in your GitHub org to the policy scope.
Private Repositories: This option adds all the private repositories in your GitHub org to the policy scope.
The Total Monitoring Scope section displays the number of GitHub repositories that will be monitored, based on your selection.
The Exclude Repositories section allows you to exclude repositories, files, and directories from the policy scope. It is optional; you can proceed without configuring this section if you wish to keep the policy scope at all the repositories, and their directories, selected in Step 2.
Select a method to exclude repositories.
Select Repository: This option displays a drop-down menu of all the repositories selected in Step 2. You can directly select any repository to exclude it from the scope of the policy.
Enter pattern to exclude: Select a text pattern to be matched when excluding repositories from the policy scope.
Starts With: All repositories that start with the mentioned text will be excluded.
Ends With: All repositories that end with the mentioned text will be excluded.
Contains: All repositories that contain the mentioned text will be excluded.
File Extension Exclusion: Select a file extension. All the files with the selected extension are excluded from the policy scope.
Directory Exclusion: Enter a regular expression pattern to match a directory and file path. All file directories and file paths that match the pattern are excluded from the policy scope. All standard regular expressions are accepted, and you can refer to the documentation here for examples of regular expressions. You can also refer to this link to generate regular expressions.
To learn more about how to use regular expressions to exclude GitHub directories, see Use Regular Expressions to Exclude GitHub Directories.
Click Next.
Consider that you wish to scan all public repositories of your GitHub account with Nightfall. However, there are a few public repositories that were created for testing purposes. These test repositories contain the word "test" in their names. You can use the Repository Exclusion drop-down menu to choose each repository that contains the word test. However, this task can be cumbersome.
You can use the Enter pattern to exclude menu with the Contains option and enter the term test in the field, as shown in the following image.
Consider another scenario in which you wish to include all the repositories but wish to exclude files with the "cert" extension. You can accomplish this as shown in the following image.
Learn how to use regular expressions to exclude specific GitHub repositories, while configuring the scope section in Nightfall for GitHub.
GitHub file paths do not contain the GitHub org name or repository name. They contain only the folder name(s) and the file name. Hence a regular expression used to match GitHub directories must match only the folder name(s) and file name.
These are the files that are directly located under a repository. They are not nested under any repository folders. If the file name is abcd.py and the repository name is Python repository, in a GitHub org called Python Project, then the file path would be Python Project/Python repository/abcd.py. However, as mentioned above, GitHub file paths do not include the GitHub org name and repository name, and hence the file path would just be abcd.py in this case.
To exclude all such files (.py), you must create the regular expression as follows.
Similarly, to exclude any other file type, you must replace py in the above pattern with your respective file extension.
You can match files nested under repositories by using the escape sequence character (\) for every level of nesting. An escape sequence character is required before each forward slash (/) used in directory paths.
For instance, to match a file abcd.py under the folder first (effective GitHub file path is first/abcd.py), you must use the following regular expression.
The above expression matches all the files under the first folder and not just the abcd.py. To match only Python files (.py extension), you must use the following regular expression.
To match only the abcd.py file, under the first folder, you must use the following regular expression.
To exclude all the files under a directory, you must match the entire directory. Consider that a directory is first/second and you wish to exclude all the files under it. In this case, you must use the escape sequence character twice, since there are two levels of nesting and hence two forward slashes.
This regex matches and excludes all the files under the directory.
Similarly, to exclude files nested at multiple levels, you can use escape sequence character-based matching.
This cheat sheet displays the regex to be used for various scenarios.
You can use this link to generate a regular expression that exactly matches your requirements.
Match | Regex | Comments |
---|---|---|
first/abcd.py | | Match a file called abcd.py under a directory called first. |
first/abcd.py, first/efgh.py, first/ijkq.py | | Match any file with .py extension under a directory called first. |
first/abcd.py, first/abcd.java, first/abcd.cpp | | Match any file under a directory called first. |
first/second/abcd.py | | Match a file called abcd.py under a directory called second, which is nested under another directory called first. |
first/second/abcd.py, first/second/efgh.py, first/second/ijkq.py | | Match any file with .py extension under a directory called second, which is nested under another directory called first. |
first/second/abcd.py, first/second/efgh.java, first/second/ijkq.cpp | | Match any file under a directory called second, which is nested under another directory called first. |
abcd.py | | Match a file called abcd.py which is located directly under the repository and not under any folder. |
abcd.py, efgh.java, ijkq.cpp | | Match any file which is located directly under the repository and not under any folder. |