Public fork
One method you can use to leverage Panther-managed Python detections within your CI/CD workflow is to create a public fork of panther-analysis.
For organizations who want to share their detection content publicly or want to bring content upstream into panther-labs/panther-analysis, a public fork is the right choice.
For information on creating a private clone of the repo, see Private cloned repo.
It's recommended to pull upstream changes from panther-analysis when there is a new tagged release. You can also pull from the main branch. No other branches should be considered stable.
This process will create a public fork of the panther-analysis repository in your organization. This will serve as your working copy of panther-analysis, and any changes required by your organization can be made here and will undergo any configured CI checks that you define.
For reference, see GitHub's complete instructions on forking a repo here.
Log in to GitHub and navigate to panther-labs/panther-analysis.
In the upper right corner of the repository’s main page click Fork.
On the Create a new fork page:
Uncheck the Copy the develop branch only box.
Click Create fork.
Navigate to the Settings page of your forked repository.
Within Default branch, click the pencil icon to edit the default branch.
In the Switch default branch to another branch pop-up modal, select main.
Click Update.
(Optional) Unzip any of your custom detections into the same directory as your forked version of panther-analysis.
We recommend that you leverage our included sync-panther-analysis-from-upstream GitHub Action to stay in sync with upstream:
Log in to your GitHub account and navigate to your repository.
In the horizontal menu bar, click Actions, then click the sync-panther-analysis-from-upstream action.
Click Run Workflow > Run workflow.
Once the action is complete, you will see a green circle next to the workflow run. If there are changes, you should see a new open pull request authored by GitHub Actions. If there are no changes, you should see a message similar to “Local repo already synced to latest release.”
Note: The sync-panther-analysis-from-upstream action is configured to run on a cron schedule every Tuesday at 15:00Z. You can modify this schedule on line 6 of .github/workflows/sync-from-upstream.yml.
Merge the pull request into your primary branch, as you would with a normal pull request.
Your repository will reflect the merge as your latest change, and you will be able to view both your fork's and panther-analysis's git histories.
If you run into issues with merge conflicts or see an error that states "all jobs have failed," please see this troubleshooting article: How do I resolve merge conflicts and failed syncs when using the GitHub Action sync-panther-analysis-from-upstream?
Alternatively, you can manually update the fork. Please see GitHub's documentation to learn more about the process of manually updating the fork from its source, in this case panther-labs/panther-analysis.
It is recommended to always use the "compare" option detailed in these documents to ensure you are pulling in changes that make sense for your organization. This will display the updates as a Pull Request, and changes and comments can be made.
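The manual update path above, written out as an added example (not Panther's own tooling or the sync GitHub Action): it fetches the upstream tags, picks the newest stable release tag, and merges it onto a dedicated branch so the changes can be reviewed as a pull request instead of landing directly on main. It assumes the fork is already cloned, the remote name "upstream" is free, and release tags follow the vX.Y.Z pattern.

```bash
#!/usr/bin/env bash
# Added example: sync a public fork of panther-analysis with the latest
# tagged upstream release on a review branch. Assumptions (not from the
# Panther docs): the fork is cloned and checked out, the remote name
# "upstream" is unused, and release tags look like v3.20.0.
set -eu

UPSTREAM_URL="https://github.com/panther-labs/panther-analysis.git"

# Return the highest vX.Y.Z tag from a newline-separated list of tags.
# Pre-release tags (e.g. v3.10.0-rc1) are ignored because only tagged
# releases and main are considered stable. Pure function: no git needed.
latest_release_tag() {
  printf '%s\n' "$1" \
    | { grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' || true; } \
    | sort -V \
    | tail -n 1
}

# Fetch upstream tags and merge the newest release onto a new branch
# named after that tag, so the diff can be reviewed as a pull request.
sync_fork_to_latest_release() {
  git remote get-url upstream >/dev/null 2>&1 \
    || git remote add upstream "$UPSTREAM_URL"
  git fetch --tags upstream
  tag=$(latest_release_tag "$(git tag --list)")
  if [ -z "$tag" ]; then
    echo "no stable release tag found in upstream" >&2
    return 1
  fi
  git switch -c "sync-upstream-$tag" main
  git merge --no-ff "$tag" -m "Merge upstream panther-analysis $tag"
  # Print the tag so a CI job can reference it in the PR title.
  echo "$tag"
}
```

Push the resulting branch and open a pull request against main; conflicts surface in that review rather than on the default branch.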
After you fork the repo, you can integrate Panther detections into your CI/CD workflow. Panther offers documentation for CircleCI and GitHub Actions.
You can create your own GitHub Action to upload detection content to your Panther instance, and it can be configured to run automatically on each merged pull request to your repo.
See Managing Content via GitHub Actions for more information.
Customers are encouraged to contribute content back upstream to panther-analysis. If you’d like to do so, you can create a Pull Request against the panther-analysis repository. One of our detection engineers will happily review and merge it!