Public Fork

One method you can use to leverage Panther-managed Python detections within your CI/CD workflow is to create a public fork of panther-analysis.

For organizations who want to share their detection content publicly or want to bring content upstream into panther-labs/panther-analysis, a public fork is the right choice.

For information on creating a private clone of the repo, see Private Clone.

It's recommended to pull upstream changes from panther-analysis when there is a new tagged release. You can also pull from the main branch. No other branches should be considered stable.

Configuring a public fork of panther-analysis

This process will create a public fork of the panther-analysis repository in your organization. This will serve as your working copy of panther-analysis, and any changes required by your organization can be made here and will undergo any configured CI checks that you define.

For reference, see GitHub's complete instructions on forking a repo here.

Log in to GitHub and navigate to panther-labs/panther-analysis.
In the upper right corner of the repository’s main page click Fork.
On the Create a new fork page:
1. Uncheck the Copy the develop branch only box.
2. Click Create fork.
Navigate to the Settings page of your forked repository.
Within Default branch, click the pencil icon to edit the default branch.
1. In the Switch default branch to another branch pop-up modal, select main.
2. Click Update.
(Optional) Unzip any of your custom detections into the same directory as your forked version of panther-analysis.

Keeping in sync with upstream

We recommend that you leverage Panther's Sync Panther Analysis from Upstream GitHub Action to stay in sync with upstream changes:

Create a GitHub token with the following permissions:
- Administration - Read
- Contents - Read and write
- Metadata - Read
- Pull Requests - Read and write
- Workflows - Read and write
In your forked repository, add a new secret named PANTHER_SYNC_UPSTREAMand set its value as the token you created in the previous step.
If you skip this step, each time the upstream repository has changes within the .github/workflows directory, the Action will fail to open a PR.
To trigger the Action for the first time, syncing your fork with the upstream repository, in your repository in GitHub, click Actions > Sync Panther Analysis from Upstream.
Click Run Workflow > Run workflow.
- Once the action is complete, you will see a green circle next to the workflow run. If there are changes, you should see a new open pull request authored by GitHub Actions. If there are no changes, you should see a message similar to “Local repo already synced to latest release.”
- The Sync Panther Analysis from Upstream Action is configured to run on a cron schedule every Tuesday at 15:00Z. You can modify this schedule on line 6 of .github/workflows/sync-from-upstream.yml.
Merge the pull request into your primary branch, as you would with a normal pull request.

Your repository will reflect the merge as your latest change, and you will be able to view both your private repo and panther-analysis git histories.

If you run into issues with merge conflicts or see an error that states "all jobs have failed," please see this troubleshooting article: How do I resolve merge conflicts and failed syncs when using the GitHub Action sync-panther-analysis-from-upstream?

Manual updates

Alternatively, you can manually update the fork. Please see GitHub's documentation to learn more about the process of manually updating the fork from its source, in this case panther-labs/panther-analysis.

It is recommended to always using the "compare" option detailed in these documents to ensure you are pulling in changes that make sense for your organization. This will display the updates as a Pull Request, and changes and comments can be made.

Next steps

After you fork the repo, you can integrate Panther detections into your CI/CD workflow. Panther offers documentation for CircleCI and GitHub Actions.

GitHub Actions

You can create your own GitHub Action to upload detection content to your Panther instance, and it can be configured to run automatically on each merged pull request to your repo.

See Managing Content via GitHub Actions for more information.

Customer contributed content

Customers are encouraged to contribute content back upstream to panther-analysis. If you’d like to do so, you can create a Pull Request against the panther-analysis repository. One of our detection engineers will happily review and merge it!

PreviousUsing panther-analysis NextPrivate Clone

Last updated 1 month ago

Was this helpful?

Configuring a public fork of panther-analysis

In the upper right corner of the repository’s main page click Fork.

On the Create a new fork page:

Uncheck the Copy the develop branch only box.
Click Create fork.

Navigate to the Settings page of your forked repository.

Within Default branch, click the pencil icon to edit the default branch.

In the Switch default branch to another branch pop-up modal, select main.
Click Update.

(Optional) Unzip any of your custom detections into the same directory as your forked version of panther-analysis.

Keeping in sync with upstream

We recommend that you leverage Panther's Sync Panther Analysis from Upstream GitHub Action to stay in sync with upstream changes:

Create a GitHub token with the following permissions:

Administration - Read
Contents - Read and write
Metadata - Read
Pull Requests - Read and write
Workflows - Read and write

In your forked repository, add a new secret named PANTHER_SYNC_UPSTREAMand set its value as the token you created in the previous step.

If you skip this step, each time the upstream repository has changes within the .github/workflows directory, the Action will fail to open a PR.

To trigger the Action for the first time, syncing your fork with the upstream repository, in your repository in GitHub, click Actions > Sync Panther Analysis from Upstream.

Click Run Workflow > Run workflow.

Once the action is complete, you will see a green circle next to the workflow run. If there are changes, you should see a new open pull request authored by GitHub Actions. If there are no changes, you should see a message similar to “Local repo already synced to latest release.”
The Sync Panther Analysis from Upstream Action is configured to run on a cron schedule every Tuesday at 15:00Z. You can modify this schedule on line 6 of .github/workflows/sync-from-upstream.yml.

Merge the pull request into your primary branch, as you would with a normal pull request.

Your repository will reflect the merge as your latest change, and you will be able to view both your private repo and panther-analysis git histories.

Manual updates

Next steps

After you fork the repo, you can integrate Panther detections into your CI/CD workflow. Panther offers documentation for CircleCI and GitHub Actions.

GitHub Actions

You can create your own GitHub Action to upload detection content to your Panther instance, and it can be configured to run automatically on each merged pull request to your repo.

Customer contributed content