github_app_for_splunk's Introduction

GitHub App for Splunk

The GitHub App for Splunk is a collection of out of the box dashboards and Splunk knowledge objects designed to give GitHub Admins and platform owners immediate visibility into GitHub.

This App is designed to work across multiple GitHub data sources; however, not all are required. You may choose to collect only a certain set of data: the parts of this app that use that set will function, while those that rely on other data sources will not function correctly, so please use only the dashboards that relate to the data you are collecting.

The GitHub App for Splunk is designed to work with the following data sources:

Dashboard Instructions

Installation

The GitHub App for Splunk is available for download from Splunkbase. For Splunk Cloud, refer to Install apps in your Splunk Cloud deployment. For non-Splunk Cloud deployments, refer to the standard methods for Splunk Add-on installs as documented for a Single Server Install or a Distributed Environment Install.

This app should be installed on both your search head tier and your indexer tier.

Configuration

Settings>Advanced Search>Search macros

  1. The GitHub App for Splunk uses macros so that index and sourcetype names don't need to be updated in each dashboard panel. You'll need to update the macros to account for your selected indexes.
  2. The macro github_source is the macro for all audit log events, whether from GitHub Enterprise Cloud or Server. The predefined macro includes examples of BOTH. Update to account for your specific needs.
  3. The macro github_webhooks is the macro used for all webhook events. Since it is assuming a single index for all webhook events, that is the predefined example, but update as needed.
  4. Finally, the macro github_collectd is the macro used for all collectd metrics sent from GitHub Enterprise Server. Please update accordingly.

Integration Overview dashboard

There is an Integration Overview dashboard listed under Dashboards that allows you to monitor API rate limits, audit events fetched, or webhooks received. This dashboard is primarily meant to be used with the GitHub Audit Log Monitoring Add-On for Splunk and uses internal Splunk logs. To be able to view them you will probably need elevated privileges in Splunk that include access to the _internal index. Please coordinate with your Splunk team if that dashboard is desired.

Examples

Code Scanning Alerts

Code Scanning Dashboard

Audit Log Dashboard

Repository Audit Dashboard

Repository Changes Audit

User Changes Audit

System Health Monitor

Process Monitor

Support

Support for GitHub App for Splunk is run through GitHub Issues. Please open a new issue for any support issues or for feature requests. You may also open a Pull Request if you'd like to contribute additional dashboards, eventtypes for webhooks, or enhancements you may have.

github_app_for_splunk's People

Contributors

akinnane, derkkila, derkkila-splunk, felickz, hiimkyle, homeles, larrys, leftrightleft, link-, martinprodriguez, rajbos

github_app_for_splunk's Issues

Code Scanning event type is too greedy

Describe the bug
The code scanning event type definition is too greedy. The definition also captures secret scanning alerts. This causes difficulties when searching based on event types.

To Reproduce
Steps to reproduce the behavior:

  1. Search for `eventtype="GitHub::SecretScanning"`
  2. Expand the eventtype field for any result
  3. Notice that all the findings come back with both the GitHub::SecretScanning and GitHub::CodeScanning event types

Expected behavior
Any event which is a secret scanning event should only return with the event type of secret scanning

Modular input not listed in Splunk after installing

Describe the bug
I've installed this add-on from Splunkbase on 9.0.1 and 9.0.0 environments, and in both cases the "GitHub Enterprise Audit Log Monitoring" modular input, as shown in the screenshot in ghe_audit_logs.MD of this repo, is appearing post installation. Am I missing a step?

To Reproduce
Steps to reproduce the behavior:

  1. Install from Splunkbase
  2. Go to data inputs
  3. "GitHub Enterprise Audit Log Monitoring" modular input is not listed

Expected behavior
"GitHub Enterprise Audit Log Monitoring" modular input should be listed

generate_user_access_lookup is scheduled, but no lookup named last_access_by_user exists.

Describe the bug
This tripped an alert of mine that looks for errors with SavedSplunker in the internal logs

07-28-2022 06:01:04.168 +0000 ERROR SavedSplunker - savedsearch_id="nobody;github_app_for_splunk;generate_user_access_lookup", message="Error in 'outputlookup' command: The lookup table 'last_access_by_user' is invalid.". No actions executed

To Reproduce
Install app, and wait 24 hours for scheduled search to get triggered, and look in internal logs for failures.

Expected behavior
The app should ship with a transforms.conf entry with the lookup to generate it.

Pipeline Events Are Workflows Not Actions

Describe the bug
On the repository audit dashboard, the tab to view Workflow runs is titled Actions, which is incorrect.

Expected behavior
Use consistent naming and update it to Workflows, not actions.

Add Developer Insights Dashboards that provide Value Stream Analytics

Is your feature request related to a problem? Please describe.
GitHub data is very rich and I'd like to better understand the flow of development. Value Stream Analytics covers this by measuring the time it takes for certain phases of development to be completed.

  • Accept: The time it takes for requested work to be accepted and planned.
  • Start: The time it takes for work to go from planned to actively being worked on.
  • Merge: The time it takes for work to be requested for merging.
  • Review: The time it takes for merge requests to be completed.
  • Testing: The time it takes for work to process through the CI/testing pipeline.
  • Pending: The time it takes for completed work to be deployed to production.
  • Total: The total time it takes for work to go from idea to production.

Missing eventtype GitHub::Release

The dashboard value_stream_analytics.xml refers to an eventtype GitHub::Release.
But this eventtype is missing from the eventtypes.conf

Mean Time To Remediation Dashboard

Is your feature request related to a problem? Please describe.
Not related to a problem. New dashboard request.

Describe the solution you'd like
The current Code Scanning dashboard shows the "time to remediation" column for fixed alerts. It would be nice to have a dashboard that tracks the overall MTTR for Code Scanning alerts.

There are a few requirements:

  • Sort and filter by repo, org, and code scanning tool
  • Show a trend of the MTTR over time

Dependabot Alerts (and other dashboards) from Github Cloud enterprise not showing results due to bad SPL

Describe the bug
Data for dependabot alerts gathered from Github Webhooks returns no results despite there being data in the index.

To Reproduce
Steps to reproduce the behavior:

  1. Set-up a Github Webhook to push to Splunk via HEC as per the instructions
  2. View Dependabot Alerts under the Advanced Security tab

Expected behavior
Data related to dependabot alerts should be shown, there is nothing shown.

Desktop (please complete the following information):

  • OS: OSX 12.4
  • Browser Brave
  • Version 1.39.122

Additional context
The issue is due to the fact that the events sent in the Webhook do not contain an "eventtype" field which is the first field the base search filters on hence it gets no results. It's not even documented on the official docs: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#repository_vulnerability_alert

To fix it, for Github Cloud at least, I had to change the base search to match on the valid action values and that an action.id field is set, as follows:

`github_webhooks` action IN ("create", "dismiss", "resolve") | where isnotnull("action.id") | eval action='action',...

This seems to be a persistent problem with a lot of the other dashboards that the basesearch is looking for some qualifier that doesn't exist.

"Account Type" not mentioned in the installation steps but it is mentioned in Splunk Data inputs

Describe the bug

"Account Type" not mentioned in the installation steps (https://github.com/splunk/github_app_for_splunk/blob/main/docs/ghe_audit_logs.MD) but it is mentioned in Splunk Data inputs

To Reproduce

image

Install steps (Inputs)
image

Expected behavior
A clear and concise description of what you expected to happen.

Additional context

  • Can I get some instructions on how to find github "account type" (organization or enterprise) with example?

GitHub Enterprise Server Monitor Dashboards appear out of order in Nav Menu

Describe the bug
Within GitHub Enterprise, the Monitoring dashboards appear in a top to bottom order all on one page. However in Splunk, the different segments are split into separate dashboards. With that, they appear in alphabetical order in the navigation menu unlike the order they appear in GitHub Enterprise.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'GitHub App for Splunk'
  2. Click on 'Enterprise Server Monitor' navigation menu
  3. See error

Expected behavior
It would be expected that they appear in the same order in the navigation as they do on the Monitor page in GitHub Enterprise Server.

Dependabot Dashboard

Is your feature request related to a problem? Please describe.
No problem; related to a feature request. Would like to have a Dependabot finding dashboard similar to Code Scanning and Secret Scanning dashboards

Describe the solution you'd like
A dashboard which populates the findings that were surfaced by Dependabot. Dependabot is an SCA tool which gives users visibility into vulnerabilities found in 3rd party open source packages. Providing an overview dashboard which illustrates the current status of Dependabot findings helps users understand their current security posture.

The dashboard should be filterable by org and repo. It should include a chart that shows counts of CVE (debatable). It should also contain a matrix of all findings related to the filters applied.

Please reference the Code Scanning and Secret Scanning dashboards to match the general user experience.

Add support for GitHub Audit Log Streaming

Is your feature request related to a problem? Please describe.
With GitHub adding Audit log streaming as a service, please make sure that those events will work alongside audit log events collected via the GitHub Audit Log Monitoring Add-On for Splunk or via syslog forwarding from GitHub Enterprise Server.

Describe the solution you'd like
Streamed audit logs appear in the Audit dashboards

Describe alternatives you've considered
n/a

Additional context
n/a

Workflow Analytics Tab: Should it be `queueTime` instead of `queTime`

Describe the bug
Workflow Analytics Tab: Should it be queueTime instead of queTime in the overview pane? Not native English speaker, but it stood out to me.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the workflow analytics and see the naming there :-D

Expected behavior
Change the naming if that should be the correct text

Screenshots

Desktop (please complete the following information):

Additional context
I think the definition file is here: https://github.com/splunk/github_app_for_splunk/blob/main/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml

If it helps and someone thinks we should change the 'field' title, I can create a PR for it?

Dashboard Audit : "Activity Map by Actor Location" and "Activity Count by Actor Location" not showing up - Dashboard issue -Bug

Describe the bug
Do you have any suggestions or troubleshooting steps why "Audit Log Activity" is not showing any data? It seems existing SPL is not working

Activity Map by Actor Location
Activity Count by Actor Location

Are there any additional steps needed from our end?

image

To Reproduce
Steps to reproduce the behavior:

Expected behavior

As per splunk https://splunkbase.splunk.com/app/5596/

We should be able to see the following dashboards

image

Additional context
This is how I am getting the data

image

Add Support for GitHub Enterprise Server Monitoring and Alerts

Is your feature request related to a problem? Please describe.
GitHub Enterprise Server provides metrics however it requires an external tool like Splunk to alert on those metrics. GitHub recommends a set of thresholds here Recommended alert thresholds.

Describe the solution you'd like
It would be nice to have a complete set of GitHub Enterprise Server monitoring dashboards in Splunk as well as out of the box alerts ready to be enabled based on GitHub's existing recommendations.

Describe alternatives you've considered
Can create those alerts manually

Additional context
n/a

Add Secret Scanning alerts to alert overview page

Is your feature request related to a problem? Please describe.
Currently, there are no secret scanning alerts in the alert overview page.

Describe the solution you'd like
Modify the base search of the alert overview page to capture secret scanning alerts

Add Developer Insights Dashboards to include DORA metrics

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Improvements to Workflow Logs and Reporting

Is your feature request related to a problem? Please describe.
Right now, there isn't a solution to easily collect logs from GitHub workflow executions. You're mostly left with either a success or fail, but have to dig into GitHub to troubleshoot. And doing that across many workflows is difficult, and re-running a workflow gets rid of the logs.

Describe the solution you'd like
An easy to use workflow log forwarder and set of dashboards in the GitHub App for Splunk would be perfect.

Describe alternatives you've considered
Manually logging into GitHub

Clarification request for GHES usage

We are using this app for our GHES servers and are seeing some discrepancies in some of the dashboards we'd like to get clarification on. Currently we're on GHES 3.8.2.

  • In the github_app_for_splunk/2_process_monitor view the bottom 4 dashboard panels remain empty. It seems these are referencing metrics that are not available in our collectd data?

    • processes.ps_disk_ops.read/write
    • processes.ps_storage_octets.read/write

    We do have other metrics which might be usable for this (going by their names):

    • processes.io_ops.read/write OR processes.disk_octets.read/write
    • processes.disk_octets.read/write

    Are these the correct ones to use, or should there be others in the GHES collectd data?

  • In the 3_authentication_monitor view it seems there is an issue with the metric names containing forward slashes '/'?
    Looking for statsd.gauge.github/auth/result/*/*.value --> We have statsd.gauge.github_auth_result_*_* . To make these panels work we need to change the slashes to underscores.
    Is this supposed to work like that, or should the queries be updated in this app? If so, I'm happy to create a PR for that.

  • In the different audit view(s) we notice that the action=* filter is not working as expected. Field extractions are not working correctly with GHES audit log data and we need to include "github_source action | spath input=message" to all the queries to make it work. Is that intended?

  • In the workflow overview view, field names are different in GHES data as well? workflow_job.name, workflow_job.id are not available, but we do have workflow_run.name, workflow_run.id. As a job and a run are not technically the same, should this be changed?

Next to this, really loving the insights we get from this app. ❤️

Integration Overview - Dashboard (Audit logs) contains following TA reference "TA_splunk_ghe_audit_log_monitoring" but it should be "github-audit-log-monitoring-add-on-for-splunk"

Describe the bug
Integration Overview - Dashboard (Audit logs) contains following TA reference "TA_splunk_ghe_audit_log_monitoring"
but it should be "github-audit-log-monitoring-add-on-for-splunk"

To Reproduce
Steps to reproduce the behavior:
Go to Integration Overview - Dashboard, check the SPL dashboard query
image

Expected behavior
I have replaced TA_splunk_ghe_audit_log_monitoring with github-audit-log-monitoring-add-on-for-splunk in all the 3 audit dashboards and was able to see the data

image

Additional context

External Collaborators Dashboards

The user dashboards only display members of an organization and don't include outside collaborators.

It would be very useful to see external collaborators, either on the same dashboard or a separate one. This would improve license and user management.

The Splunk Add-On For GitHub doesn't currently populate this data. I was hoping to find the repository for that app so I could request this feature there but haven't been able to find it. If this is the wrong place for this request, feel free to let me know and I can create it in the correct location. Thanks

configuration issue

Describe the bug

05-13-2022 16:57:00.263 -0400 ERROR ExecProcessor - message from "/splunk/bin/python3.7 /splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 404 - url: https://github.com/api/graphql/enterprises/enterprise-name/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: Not Found

05-13-2022 16:57:00.263 -0400 ERROR ExecProcessor - message from "/splunk/bin/python3.7 /splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" response.status_code, response.url, response.text
To Reproduce

Steps to reproduce the behavior:
. Go to '...'source = [/splunk/var/log/splunk/splunkd.log]

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots

image
image

Documentation Suggestion

In regards to configuring webhooks in github (github_webhooks.MD) you can use basic auth instead.

Advantages: HEC token isn't passed as part of the URL (which is visible and will get logged everywhere)
Does not require allowQueryStringAuth = true on the HEC Endpoint. In Splunk Cloud, you gotta get Splunk support to enable it even.

All that needs to change in the webhook configuration is:

AuthQueryToken:
https://YOUR SPLUNK URL:8088/services/collector/raw?token=THE TOKEN FROM ABOVE.

BasicAuth:
https://xxxxx:THETOKENFROMABOVE@YOUR SPLUNK URL:8088/services/collector/raw

Username doesn't matter (xxxxx). Token is used as the password for basic auth.
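
The two webhook URL forms compared in this suggestion, as an added example (not part of the original issue or of the project's code): it classifies a HEC webhook URL by how it carries the token, rewrites the query-string form into the Basic auth form, and redacts the token before a URL is logged. The host name, token value and function names are constructed for illustration.

```python
"""Added example: HEC webhook URL auth forms (query token vs. Basic auth)."""
import base64
from urllib.parse import (parse_qsl, quote, unquote, urlencode, urlsplit,
                          urlunsplit)

# Constructed placeholder values, not a real endpoint or token.
SAMPLE_TOKEN = "00000000-0000-0000-0000-000000000000"
QUERY_URL = ("https://splunk.example.com:8088/services/collector/raw"
             f"?token={SAMPLE_TOKEN}")


def auth_mode(url):
    """Return how the URL carries the HEC token."""
    parts = urlsplit(url)
    if any(key == "token" for key, _ in parse_qsl(parts.query)):
        # Requires allowQueryStringAuth = true on the HEC input, and the
        # token is part of the request line that proxies and logs record.
        return "query-token"
    if parts.password is not None:
        return "basic-auth"
    return "none"


def to_basic_auth(url, username="x"):
    """Move ?token=... into the URL userinfo (the username is arbitrary)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to place a token in a non-TLS URL")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [value for key, value in pairs if key == "token"]
    if len(tokens) != 1:
        raise ValueError("expected exactly one token= query parameter")
    rest = [(key, value) for key, value in pairs if key != "token"]
    host = parts.hostname
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{quote(username, safe='')}:{quote(tokens[0], safe='')}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(rest), ""))


def authorization_header(url):
    """Header value an HTTP client derives from userinfo, or None."""
    parts = urlsplit(url)
    if parts.password is None:
        return None
    creds = f"{unquote(parts.username or '')}:{unquote(parts.password)}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def redact(url):
    """Mask the token in either form so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = [(key, "REDACTED" if key == "token" else value)
             for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    netloc = parts.netloc
    if parts.password is not None:
        userinfo, _, hostport = netloc.rpartition("@")
        user = userinfo.split(":", 1)[0]
        netloc = f"{user}:REDACTED@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path,
                       urlencode(pairs), parts.fragment))


def audit(urls):
    """Pair each URL (redacted) with its auth mode, for a config review."""
    return [(redact(url), auth_mode(url)) for url in urls]


if __name__ == "__main__":
    basic_url = to_basic_auth(QUERY_URL)
    for safe_url, mode in audit([QUERY_URL, basic_url]):
        print(f"{mode:12} {safe_url}")
```
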

Create Issue Templates to allow for public submission of issues and feature requests

Is your feature request related to a problem? Please describe.
It is difficult to separate bug requests from feature requests in GitHub Issues.

Describe the solution you'd like
Please add templates so users can easily submit both and make it easy to distinguish between them.

Describe alternatives you've considered
Manually read each issue.

Additional context
n/a

Add a Welcome Page

Is your feature request related to a problem? Please describe.
When you first open the app it takes you to an Enterprise Server Monitoring dashboard, but if you're only using GitHub.com that is confusing. A Welcome page with details on where to find things would be better.

Describe the solution you'd like
A Basic Welcome Page telling you where to find stuff.

Deeper Backlog Analytics

Is your feature request related to a problem? Please describe.
Better understanding the Backlog is critical, having a dashboard that reports on status and age of work items is critical.

Describe the solution you'd like
A dashboard that includes items like oldest backlog item, average backlog age, count of items in each development step (accepted, working, merging, reviewing, testing, pending).

Secret Scanning Alerts

In Github, I have over 2,000 Secret Scanning alerts. In Splunk, I only see about 500 of them. How can I pull the rest of the secrets from Github or why am I not able to see historical data?

Developer insight dashboard issue Workflow Analysis -[Workflow history] search query missing

Describe the bug
I was testing the Workflow Analysis dashboard and I am able to see "Workflow conclusions over Time" data but I am not able to see Workflow History. It seems the search query [SPL] for Workflow history is missing in dashboard source?

To Reproduce
image

Expected behavior
Based on the splunk base app [https://splunkbase.splunk.com/app/5596/] we are expecting the following dashboard

image

Desktop (please complete the following information):
I am using chrome.

Additional context
Any troubleshooting help would be helpful

Add additional Webhook Eventtypes

Is your feature request related to a problem? Please describe.
The included event types are a great start, but more are needed. Particularly for Issues and Project Cards.

Describe the solution you'd like
Add additional Eventtypes for Issues and Project cards

Repository Vulnerability Alert webhook is Deprecated and being Removed

Describe the bug
The Repository Vulnerability Webhook is deprecated. Although it doesn't seem to have happened yet, the webhook was/is planned to be removed in 2023: https://github.blog/changelog/2022-10-06-new-dependabot-alerts-webhook

There is a new "Dependabot Alert" webhook that replaces the old Repository Vulnerability Alert hook. The app should be updated to support this new webhook. Currently, the data doesn't show up in the dashboards. The records that come into Splunk get tagged with CodeScanning as the eventtype and there are new actions that should be supported as well with this new hook:

Screenshot 2023-12-11 at 8 43 09 AM

To Reproduce
Steps to reproduce the behavior:

  1. Configure GitHub to send Dependabot Alert webhooks to Splunk
  2. See that they are not shown in the dependabot dashboards

Expected behavior
The app should support the Dependabot alert webhook in place of the repository vulnerability alerts hook.

Screenshots
N/A

Desktop (please complete the following information):

  • OS: Mac Ventura 13.6.1
  • Browser: Chrome
  • Version: App version 1.3.2

Additional context
N/A

Dashboards are empty but data is being ingested into Splunk

Similar to issue #56 and #58

I'm getting a very similar issue as previously reported. I have configured the GitHub Add-on For Splunk to ingest audit and user events as well as configured webhooks to capture events to the github index in Splunk. I can manually search the data and it's coming in from GitHub, but the Repository Audit and User Change Audit dashboards have none of the expected data.

I have verified the macros are pointing to the correct indexes, everything looks good and as per documentation.

I have the following installed:
Splunk Enterprise 8.2.9
Apps:
Splunk Add-on for Github 2.1.1
GitHub App for Splunk 2.1.1

Github for Splunk Value Analytics Dashboard

Describe the bug

We noticed on the Value Analytics Dashboard that the queries don't run correctly. For example on the following query:

Value Analytics Dashboard

The dashboard does not load for any results starting on the eval statements. Queries seem to load okay for eventtype searches and we have verified the appropriate eventtypes are configured and the macros load correctly. Just curious if we are missing something, since I am using GH Cloud and a few of the eventtypes had to be modified to get some of the other searches working correctly.

Note: I have prepended data. on many of fields due to how the data is structured in our environment.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Developer Insights'
  2. Click on 'Value Stream Analytics'
  3. No results for Total Time Results

Additional context
Running Splunk Cloud and using Github Cloud

Update Installation docs

Describe the bug
Installation section of the README needs to be updated and in line with Splunkbase Details page.

Expected behavior
README should contain the same details as Splunkbase details page.

JQuery Security Update Requirements

Describe the bug
Splunk Cloud requires dashboards to include the version number in the root node of the SimpleXML. Currently, the dashboards fail that check and as such are not Cloud ready.

Expected behavior
Expect that the App is available and compatible with Splunk Cloud

Actions billback metrics

Is your feature request related to a problem? Please describe.
Customers would like a way to understand cost of hosted runners on a per repo, per label, per organization level to do billback.

Describe the solution you'd like
A way to view total actions minutes used in a week/month/year per repo, including metadata about the hosted runner type (eg 2core/4core/Mac/etc.)

https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions

May need additional checks for persistent storage.

Dashboard is empty but data is being ingested

Same as Issue #56

I'm getting the same issue, going through the build a few times. I can manually search the data and it's coming in from GHES, but the dashboard has none of the data. I have verified the macro index as well as the connections, everything looks good and as per documentation.

GHES = 3.6
Splunk Enterprise = 9.0.1
Apps:
Splunk Add-on for Github 2.0.0
GitHub Audit Log Monitoring Add-On for Splunk 1.1.1
GitHub App for Splunk 1.2.3

Originally posted by @shakerg in #56 (comment)

Link to GitHub finding in security alert dashboards

When clicking on a finding in the Code Scanning Overview dashboard, the URL should point to the finding in GitHub.

The finding URL is available in the webhook message at alert.html_url

Sample webhook payload from Code Scanning:

{ [-]
   action: created
   alert: { [-]
     created_at: 2022-02-10T16:34:12Z
     dismissed_at: null
     dismissed_by: null
     dismissed_reason: null
     fixed_at: null
     html_url: https://github.com/octodemo/NodeGoat/security/code-scanning/2096
     instances_url: https://api.github.com/repos/octodemo/NodeGoat/code-scanning/alerts/2096/instances
     most_recent_instance: { [+]
     }

Reference:
The other item, I think we'll be adding Security Scanning to that list of Security issues in the near future as well. So might be better to find a way to link to the alert in GitHub, rather than the CVE directly.

Originally posted by @derkkila-splunk in #29 (comment)

Resolved alert count is not including secret scanning alerts

Describe the bug

The resolved alert count in the "advanced security overview" dashboard does not take into consideration secret scanning alerts. The alert field of a secret scanning alert will contain resolved. That value is not currently a member of the in() statement.

Expected behavior

I expect the resolved secret scanning alerts to also be counted.

Documentation Uses an Incorrect Spelling of GitHub

Describe the bug
Documentation issue. Within the documentation and app, GitHub is incorrectly spelled as Github. No biggie 🤙 .

To Reproduce
Not reproducible... Documentation issue

Expected behavior
N/A

Screenshots
N/A

Desktop (please complete the following information):
N/A

Add Eventtypes for Workflow Jobs

Is your feature request related to a problem? Please describe.
Workflow Jobs are the CI/Pipeline process for GitHub. Right now it is difficult to query them easily.

Describe the solution you'd like
Add a new eventtype defining a Workflow Job
