Manage GitHub Events
Learn how to handle Nightfall Events that were created as a result of sensitive data leak in GitHub.
Last updated
Learn how to handle Nightfall Events that were created as a result of sensitive data leak in GitHub.
Last updated
When an end user violates a policy in GitHub, Events are generated in GitHub and you can view these Violations on the Nightfall Event console.
GitHub integration implements Deduplication across GitHub Events. Deduplication reduces the number of distinct Events created for a finding that is already accounted for by an active Event related to the same GitHub branch.
The following table summarises the treatment of a GitHub Event with Deduplication in action when the developer(s) push changes to a file in a GitHub branch.
No existing Event
Introduce sensitive data
New Event Created
Active Event not in a resolved state
Additional code with sensitive data pushed
Increment finding(s) in the existing Event
Create an Event with all the new findings
Active Event not in a resolved state
Code with sensitive findings redacted
Number of findings in the existing Event updated
If no finding remaining then the Event is marked resolved
Event is in a resolved state
Additional code with sensitive data pushed
New Event created
The following table summarises the treatment of a GitHub violation with Deduplication in action when the developer(s) clones/merges a GitHub branch.
No existing Event
Branch Clone
No new Events
Active Event not in a resolved state
Branch Clone
No new Events in the original branch
No Events in the cloned branch
No existing Event
Merge Cloned Branch back or Delete Cloned Branch
No new Events
No existing Event
Merge Cloned Branch back or Delete Cloned Branch
No new Events
Existing Events from the Cloned Branch resolved
When an Event is automatically resolved by the GitHub Deduplication feature (as a result of sensitive data being removed from the concerned GitHub file/repo) the log section of the Event displays a Resolved automatically message as shown in the following image.
To view the on the Nightfall Console:
Navigate to the Detection and Response from the left menu.
(Optional) Modify the days filter to view Events prior to last 7 days. By default the Events recorded in the Last 7 Days are displayed.
Apply filters to view only the GitHub Events.
Click on any of the Events to view details of an Event. You may click anywhere in the row of an Event that you wish to inspect. Details will be present via a side panel.
The second section displays details that are source / integration specific and so the details vary from one integration to the other.
Nightfall allows you to take various action on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.
In GitHub, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
To view the complete list of actions, applicable to all the integrations, you can refer to the Applying Actions on Events document.
The list of actions supported for GitHub are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
View in GitHub: This action redirects to the relevant repository that contains the sensitive data in the source GitHub. While this action is available only on the Event detail view, please note that relevant access to the document in source GitHub repository should be present.
Download Original Content: This action downloads the original content that contains sensitive data. If the content is deleted or moved to a different location within GitHub, this action fails. This action is available only on the Event detail view.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and Issue type while creating the JIRA ticket and can assign the JIRA ticket to the end-user
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in future.
Ignore: The ignore action flags Nightfall to ignore all the findings in the Event and may be taken if you find the findings false positive. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Notify Email: This action notifies the end user who added the sensitive data in GitHub about the event, through email.
Notify GitHub: This action notifies the end user who added the sensitive data in GitHub about the event, through GitHub. To learn more about how to check notifications in GitHub, see Viewing Notifications in GitHub.
Resolve: This action must be taken when the sensitive data is removed completely from the source file. This action resolves the Event.
When a data leak occurs, GitHub sends an Email notification to end users, if end users have configured Email as a Notification method in their GitHub account.
Additionally, if Nightfall admins have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification.
If Nightfall admins have configured Email Notification in the Automation section of End user notification settings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email.
The Email received from by Nightfall Admins and end-users (if configured), looks as follows.
If you have configured GitHub as a Notification in the Automation section of End User Notification, end users can view the violation notification from within GitHub.
Open the file that triggered the violation. A comment is generated by Nightfall which also has the remediation options. The available options are based on the settings you configured in the Automation section of End User Notification.
If an end-user adds sensitive information in a feature branch and merges it with the main branch, Nightfall comments on this pull request.
If an end-user adds sensitive information in the main branch and commits it, Nightfall comments on this GitHub commit.
The Nightfall comment is created by nightfall-for-github bot.
In the following image, the Nightfall comment has two options; Report as False Positive and Report as False Positive with Business Justification. These options are displayed because they were enabled in the End-User Remediation section of the policy.
Additionally, if end-users have configured GitHub to receive Notifications, they can also view the violation under the Notifications page. This Notification also tags the end-user.
To view the Violation message under GitHub notifications, end-users must execute the following steps.
Click the GitHub Notifications icon.
Select the Notification which has a tag (mention).
Scroll down to view the Notification.
To view Notifications from within GitHub end-users must enable the GitHub notifications. The steps to enable GitHub notifications are as follows.
Click on your GitHub account icon and select Settings.
Click Notifications from the left pane.
Under Subscriptions, enable GitHub notifications for the Participating, @mentions and custom section.
Click Save.
Once you filter the Events to view only the GitHub Events, you can refer to the section to learn more about the available options.
The side panel (or the Event detail view) is divided into three separate sections. The first section has information about the occurrence of individual findings with a preview. The third section is an activity log for the Event. Both these sections reveal information that is common across all sources/integrations. You can refer to these common sections in the section.