Public Fork
Last updated
Was this helpful?
Last updated
Was this helpful?
One method you can use to leverage Panther-managed Python detections within your is to create a public fork of .
For organizations who want to share their detection content publicly or want to bring content upstream into , a public fork is the right choice.
For information on creating a private clone of the repo, see .
This process will create a public fork of the panther-analysis repository in your organization. This will serve as your working copy of panther-analysis, and any changes required by your organization can be made here and will undergo any configured CI checks that you define.
For reference, see .
Log in to GitHub and navigate to .
In the upper right corner of the repository’s main page click Fork.
On the Create a new fork page:
Uncheck the Copy the develop branch only box.
Click Create fork.
Navigate to the Settings page of your forked repository.
Within Default branch, click the pencil icon to edit the default branch.
In the Switch default branch to another branch pop-up modal, select main.
Click Update.
(Optional) Unzip any of your custom detections into the same directory as your forked version of panther-analysis.
Create a GitHub token with the following permissions:
Administration - Read
Contents - Read and write
Metadata - Read
Pull Requests - Read and write
Workflows - Read and write
In your forked repository, add a new secret named PANTHER_SYNC_UPSTREAMand set its value as the token you created in the previous step.
If you skip this step, each time the upstream repository has changes within the .github/workflows directory, the Action will fail to open a PR.
To trigger the Action for the first time, syncing your fork with the upstream repository, in your repository in GitHub, click Actions > Sync Panther Analysis from Upstream.
Click Run Workflow > Run workflow.
Once the action is complete, you will see a green circle next to the workflow run. If there are changes, you should see a new open pull request authored by GitHub Actions. If there are no changes, you should see a message similar to “Local repo already synced to latest release.”
The Sync Panther Analysis from Upstream Action is configured to run on a cron schedule every Tuesday at 15:00Z. You can modify this schedule on line 6 of .github/workflows/sync-from-upstream.yml.
Merge the pull request into your primary branch, as you would with a normal pull request.
Your repository will reflect the merge as your latest change, and you will be able to view both your private repo and panther-analysis git histories.
It is recommended to always using the "compare" option detailed in these documents to ensure you are pulling in changes that make sense for your organization. This will display the updates as a Pull Request, and changes and comments can be made.
You can create your own GitHub Action to upload detection content to your Panther instance, and it can be configured to run automatically on each merged pull request to your repo.
Customers are encouraged to contribute content back upstream to panther-analysis. If you’d like to do so, you can create a Pull Request against the panther-analysis repository. One of our detection engineers will happily review and merge it!
We recommend that you leverage Panther's GitHub Action to stay in sync with upstream changes:
If you run into issues with merge conflicts or see an error that states "all jobs have failed," please see this troubleshooting article:
Alternatively, you can manually update the fork. Please see to learn more about the process of manually updating the fork from its source, in this case panther-labs/panther-analysis.
After you fork the repo, you can integrate Panther detections into your CI/CD workflow. Panther offers documentation for and .
See for more information.
