Configure GitHub for the Next Generation API Data Protection

To configure GitHub for the Next Generation API Data Protection, follow the instructions below.

GitHub app is now available on the Next Generation API Data Protection platform. Please note the following important points:

The classic version of the GitHub app is now deprecated. New customers can no longer set up a new GitHub app instance on the classic platform. If you need to setup a new instance of GitHub, select the GitHub app available under Next Generation platform.
If you currently use the classic version of the GitHub app, no action required. You should continue to use the classic version that you use today. Netskope will notify you via a banner message on the Netskope tenant UI when you can switch over to the Next Generation app.

Netskope can scan for DLP and threat protection on plain text source code only. Netskope does not scan binary files such as Microsoft Office docs, PDFs, images, executable files, and likes. Each section of a commit that includes any violations will result in a unique incident with a URL linking to that section of the commit. To view a DLP incident, navigate to Incidents > DLP, look for a GitHub incident, and click it.

If you have set up IP restrictions for your GitHub organization, make sure to allow requests from the installed Netskope CASB API app. This is necessary for Netskope to access your GitHub organization. To learn more: Allowing access by GitHub apps.
Alternatively, you may add the appropriate Netskope IP ranges to your organization as described in this article. For a list of Netskope IP address ranges, see NewEdge Consolidated List of IP Ranges for Allowlisting (requires a log in credential. If you do not have one, contact support@netskope.com.)

Prerequisite

Before configuring GitHub for the Next Generation API Data Protection, review the prerequisites.

You require a GitHub Enterprise Cloud edition.
A GitHub account who is either a member or owner of your GitHub organization.
If you have guest or external users in your SaaS environment belonging to domains considered internal, you must set the appropriate internal domains for Netskope to classify exposure accurately. To set up internal domains, follow this article.

The API integration continues to work even after you delete the member or owner of your GitHub organization.

Install the Netskope CASB API App in GitHub

To install the Netskope CASB API app in the GitHub organization, follow the steps below:

You should log in as an owner of the GitHub organization.

Log in to www.github.com using your GitHub organization account.
Install the Netskope CASB API app from the following URL: https://github.com/apps/netskope-casb-api.
Click Install.
Select the organization name > All repositories and click Install.

To know more about the permissions, see Permissions Required for GitHub.

Keep the installation options unchanged.

Once installed, you should see a successful message at the top of the page. Proceed to configure the GitHub instance in Netskope UI.

Configure GitHub Instance in Netskope UI

To authorize Netskope to access your GitHub instance, follow the steps below:

Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.
Under Apps, select GitHub and click Setup CASB API Instance.

The Setup Instance window opens.
Enter the GitHub organization name.

The organization name should be the same as the one you installed the Netskope CASB API app on. It is case-sensitive.
Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.
Under Instance Name, enter a name of the SaaS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.
Click Grant Access. You will be prompted to log in with your GitHub member or owner of your GitHub organization username and password, and then click Sign In. When the configuration results page opens, click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

At this point, if need be, you can delete the user who granted access to Netskope from your GitHub organization.

Next, you can can view the Next Generation API Data Protection Inventory page to get deep insights on various entities on your GitHub environment. For more information on the Inventory page, see Next Generation API Data Protection Inventory.

You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.

(Optional) Uninstall the Netskope CASB API App in GitHub

You can skip this procedure if you continue to use GitHub for the Next Generation API Data Protection.

If you discontinue the integration between GitHub and Next Generation API Data Protection, first, you have to delete the GitHub instance from the Netskope tenant UI. Then, uninstall the Netskope CASB API app from GitHub.

You can uninstall the Netskope CASB API app. To uninstall the app, follow the steps below:

Log in to www.github.com using your GitHub administration username.
On the top-right, click Settings.
On the left navigation, click Organizations.
Identify the organization where you have installed the GitHub app and click Settings.
On the left navigation, click GitHub Apps.
Identify the GitHub app and click Configure.
Scroll down to the Uninstall <app name> section and click Uninstall.

Once you uninstall the app, Netskope stops receiving any notifications from GitHub.

Configure GitHub for the Next Generation API Data Protection