Getting Started
Getting started with Cimon takes three steps:
Step 1 - Install GitHub App
This step is not required for Cycode customers. Cycode customers can integrate GitHub organizations by visiting the integrations page.
GitHub App installation is required to start onboarding.
GitHub App integration allows you to manage security policies and monitor Cimon agent installations using the Cimon platform.
Integrating the GitHub App is how Cimon authenticates users, organizations, and repositories. Make sure that every repository you want to secure is authorized during the GitHub App authorization flow; a repository that was not authorized is not visible to the platform. The app requests minimal permissions; you can read more about them here.
You will be directed to the Cimon application UI once the process is complete.
Step 2 - Generate API Key in Cimon Platform
Cimon API keys consist of two values, client-id and secret, and are used to authenticate the user. Keys can be generated here.
Save these values as GitHub Actions secrets in your GitHub organization settings, named CIMON_CLIENT_ID and CIMON_SECRET (the names the workflow examples below reference).
The recommended way to provide tokens and API keys to GitHub Actions is to define them as organization-level Actions secrets, as explained here, so that every repository in the organization can use them without duplicating the values. They can also be defined per repository.
Step 3 - Add Cimon Action to your Workflow
The Cimon action should be the first step in each of your jobs, ahead of actions/checkout and any other step that makes network requests.
To let Cimon learn your pipeline's normal behaviour before enforcing anything, we recommend starting it in Detect Mode.
Detect Mode:

- uses: cycodelabs/cimon-action@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}

Prevent Mode:

- uses: cycodelabs/cimon-action@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}
    prevent: true
    allowed-hosts: >
      objects.githubusercontent.com
      proxy.golang.org
      storage.googleapis.com
    allowed-ips: >
      34.121.34.97
The GitHub Action starts the agent, terminates it gracefully at the end of the job, and generates a report for you. To help you build the preventive policy, the Security Report shows the security profile (the hosts and IPs the job actually reached) that you need to apply to your build.
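The following is an added example, not a workflow from the Cimon documentation, that puts the three steps above together in one complete GitHub Actions workflow: the Cimon action is the first step of the job, in Prevent Mode, so that checkout, module download and build all run under the egress policy. The workflow name, job, branch and build commands are assumptions for illustration; the allowed hosts and IP are copied from the Prevent Mode snippet above and are not a claim about what this particular job needs. For the first run, remove prevent and the allow lists so the job runs in Detect Mode, then copy the hosts from its Security Report into allowed-hosts.

```yaml
# Added example (assumed names), not code from the Cimon project.
name: build

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the job's GITHUB_TOKEN: nothing here needs write access.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Cimon first, so every later step (including checkout) is observed and,
      # in Prevent Mode, enforced.
      - uses: cycodelabs/cimon-action@v0
        with:
          client-id: ${{ secrets.CIMON_CLIENT_ID }}
          secret: ${{ secrets.CIMON_SECRET }}
          prevent: true
          # Hosts taken from the page's Prevent Mode example; replace them with
          # the hosts reported by a Detect Mode run of this job.
          allowed-hosts: >
            objects.githubusercontent.com
            proxy.golang.org
            storage.googleapis.com
          allowed-ips: >
            34.121.34.97

      - uses: actions/checkout@v4

      # Go's default GOPROXY is proxy.golang.org, so module downloads match
      # the allow list above; a dependency fetched from any other host is
      # blocked in Prevent Mode and appears in the report.
      - run: go build ./...

      - run: go test ./...
```

Put the Cimon step in every job of the workflow, not only the first one: each job runs on a fresh runner, and a job without the step is a job whose network activity is neither recorded nor enforced.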
Get Started Locally
The Cimon action can also run in standalone mode, without connecting to the Cimon platform, by omitting the client-id and secret inputs. Enforcement still works, but the policy then lives only in the workflow file, and no report is sent to the platform.
GitHub Actions:

- uses: cycodelabs/cimon-action@v0
  with:
    prevent: true
    allowed-hosts: >
      objects.githubusercontent.com
      proxy.golang.org
      storage.googleapis.com
    allowed-ips: >
      34.121.34.97

Azure Pipelines (tasks are referenced with task:, not uses:, and take their parameters under inputs:):

- task: Cimon@0
  inputs:
    prevent: true
    allowedHosts: >
      objects.githubusercontent.com
      proxy.golang.org
      storage.googleapis.com
    allowedIps: >
      34.121.34.97