GitHub Actions Onboarding Guide
Manage detections and schemas in Panther with a CI/CD workflow using GitHub Actions
Overview
You can configure GitHub Actions to automate testing, customize detections, and upload your detection pipeline from your GitHub repository to your Panther Console. This guide will walk you through the following:
- Creating a custom workflow via GitHub Actions
- Testing your custom schemas and detections
- Uploading the schemas and detections to your Panther Console
- Customizing your GitHub Actions workflow to fit your organization's needs
Configure GitHub Actions for Panther
Prerequisites
Before finalizing GitHub Actions with Panther, please reach out to Panther's Support team to get your Panther Console set up with the
PantherAnalysisFederatedCDRole needed to assume the role directly using the GitHub OIDC provider. Build a GitHub workflow to test schemas, detections, and upload to Panther
- 1.Navigate to the GitHub repository where you would like to set up automation.
- 2.Within the GitHub repository, navigate to Actions.​
- 3.Click New Workflow.​
- 4.Click the button that says set up a workflow yourself →.​
- 5.On the next page, replace the default filename (
main.yml) with a memorable name, e.g.,panther-workflow.yml. - 6.Customize your workflow as follows:
- Name: Create a memorable name.
- Permissions: Add a permissions field to the workflow that mirrors the below: name: GitHub Actions CI/CD workflow1name: GitHub Actions CI/CD workflow2​3permissions:4id-token: write5contents: readCopied!
- Replace the default
onsection with the following:1on:2push:3paths:4- 'detections/**'Copied!- This defines how to control the workflow to trigger when users perform a git push to the specific folder path
detections/**.
- Jobs: modify the jobs sections as follows:
- Modify the first job downloads, aka the
pantherlogtool we use to perform schema tests:1jobs:2download_pantherlog_tool:3runs-on: ubuntu-latest4name: Downloading the pantherlog tool5steps:6- name: Download pantherlog & unzip7run: curl -sSO "https://panther-community-us-east-1.s3.amazonaws.com/v1.32.4/tools/linux-amd64-pantherlog.zip" && unzip linux-amd64-pantherlog.zip8- name: Create a pantherlog artifact9uses: actions/[email protected]10with:11name: pantherlog12path: pantherlog13retention-days: 1Copied!​ - Add a job that runs schema tests using the
pantherlogtool:1run_schema_tests:2runs-on: ubuntu-latest3name: Run schema tests with pantherlog4needs: [download_pantherlog_tool]5steps:6- name: Check out the repo7uses: actions/[email protected]8- name: Download Pantherlog tool from artifacts9uses: actions/[email protected]10with:11name: pantherlog12- name: Make pantherlog executable13run: sudo chmod +x pantherlog14- name: Perform schema tests with pantherlog15run: ./pantherlog test detections/schemasCopied!​ - Add a job to run unit tests using the panther_analysis_tool:1run_unit_tests:2runs-on: ubuntu-latest3name: Unit Testing with panther_analysis_tool4needs: [download_pantherlog_tool, run_schema_tests]5steps:6- name: Check out the repo7uses: actions/[email protected]8- name: Download the panther_analysis_tool9run: pip3 install panther_analysis_tool10- name: Run unit tests within the Detections folder11run: |12for dir in detections/*; do13if [[ "$dir" =~ .*_rules.* ]]; then14panther_analysis_tool test15fi16doneCopied!​
- Add the last job to upload detections and custom schemas to the Panther Console. This leverages a pre-built action called [email protected] to assume a role directly using GitHub OIDC provider.
- Note: Make sure you replace the AWS Account ID as well as the AWS Region with the values matching your instance of Panther.1panther_analysis_tool_upload:2runs-on: ubuntu-latest3name: panther_analysis_tool upload to panther console4needs: [download_pantherlog_tool, run_schema_tests, run_unit_tests]5steps:6- name: Checkout the repo7uses: actions/[email protected]8- name: Configure AWS credentials leveraging OIDC to make the connection9uses: aws-actions/[email protected] # https://github.com/aws-actions/configure-aws-credentials10with:11role-to-assume: arn:aws:iam::1234567891012:role/PantherAnalysisFederatedCDRole # Replace with your Panther AWS Account ID12aws-region: us-west-2 # Replace with AWS region your Panther instance is in13- name: Download panther_analysis_tool14run: pip3 install panther_analysis_tool15- name: Loop through folders ending in _rules and upload to papaya-oarfish16run: |17for dir in detections/*; do18if [[ "$dir" =~ .*_rules.* ]]; then19panther_analysis_tool upload --path "$dir" --skip-tests20fi21done22- name: Upload custom schemas to Panther Console23run: panther_analysis_tool update-custom-schemas --path schemas/Copied!
Pushing detections via GitHub Actions
Now that the GitHub Actions workflow is complete, the following will occur the next time you use
git push to make changes within the detections/ folder:- Custom log schemas are tested with
pantherlog. - Custom detections are tested with
panther_analysis_tool. - Upon success, schema and detections are uploaded to your Panther Console.
For reference, the full GitHub CI/CD GitHub Actions workflow schema is aggregated below:
Complete GitHub CI/CD workflow in one schema
Customize your GitHub Actions workflow in Panther
Optionally, you can extend or customize this workflow to better fit your organization. The following are common workflow customizations with Panther:
- Perform Python Linting against
.pyfiles. - Trigger from an approved Pull Request (PR) instead of a Push to a specific folder.
- If you fork the panther-analysis repository by the latest tag, learn how syncing a fork can help keep Panther Detections up-to-date. We recommend syncing weekly by tag.
Last modified 12d ago