Public fork

One method you can use to leverage Panther-managed Python detections within your CI/CD workflow is to create a public fork of panther-analysis.

For organizations who want to share their detection content publicly or want to bring content upstream into panther-labs/panther-analysis, a public fork is the right choice.

For information on creating a private clone of the repo, see Private cloned repo.

Configuring a public fork of panther-analysis

Follow the below instructions to create a public fork of panther-analysis. For reference, see GitHub's complete instructions on forking a repo here.

  1. In the upper right corner of the repository’s main page click Fork.

    • This will create a fork of the panther-analysis repo in your organization. This will serve as your working copy of panther-analysis, and any changes required by your organization can be made here and will undergo any configured CI checks that you define.

  2. (Optional) Unzip any of your custom detections into the same directory as your forked version of panther-analysis.

Keeping in Sync with Upstream

We recommend that you leverage our included sync-panther-analysis-from-upstream GitHub Action to stay in sync with upstream:

  1. Log in to your GitHub account and navigate to your repository.

  2. In the horizontal menu bar, click Actions, then click the sync-panther-analysis-from-upstream action.

  3. Click Run Workflow > Run workflow.

    • Once the action is complete, you will see a green circle next to the workflow run. If there are changes, you should see a new open pull request authored by GitHub Actions. If there are no changes, you should see a message similar to “Local repo already synced to latest release.”

    • Note: The sync-panther-analysis-from-upstream action is configured to run on a cron schedule every Tuesday at 15:00Z. You can modify this schedule on line 6 of .github/workflows/sync-from-upstream.yml.

  4. Merge the pull request into your primary branch, as you would with a normal pull request.

Your repository will reflect the merge as your latest change, and you will be able to view both your private repo and panther-analysis git histories.

If you run into issues with merge conflicts or see an error that states "all jobs have failed," please see this troubleshooting article: How do I resolve merge conflicts and failed syncs when using the GitHub Action sync-panther-analysis-from-upstream?

Manual updates

Alternatively, you can manually update the fork. Please see GitHub's documentation to learn more about the process of manually updating the fork from its source, in this case panther-labs/panther-analysis.

It is recommended to always using the "compare" option detailed in these documents to ensure you are pulling in changes that make sense for your organization. This will display the updates as a Pull Request, and changes and comments can be made.

Next Steps

After you fork the repo, you can integrate Panther detections into your CI/CD workflow. Panther offers documentation for CircleCI and GitHub Actions.

GitHub Actions

You can create your own GitHub Action to upload detection content to your Panther instance, and it can be configured to run automatically on each merged pull request to your repo.

See Managing Content via GitHub Actions for more information.

Customer contributed content

Customers are encouraged to contribute content back upstream to panther-analysis. If you’d like to do so, you can create a Pull Request against the panther-analysis repository. One of our detection engineers will happily review and merge it!

Last updated