Note:
This app version is intended for Unified Security Exposure Management (USEM), a significant architectural upgrade to the Vulnerability Response applications.
If you are currently using Vulnerability Response and upgrading to USEM for the first time, you must use the Migration assistant for Unified Security Exposure Management to ensure a safe and successful upgrade. For full details, refer to KB2556844 and the documentation before proceeding.
If you do not intend to upgrade to USEM, please select a version below 30.x when installing or upgrading.
Integrate your GitHub Advanced Security deployment with ServiceNow Vulnerability Response to prioritize and remediate application vulnerabilities.
The GitHub Application Vulnerability Integration comprises the following integrations:
- The Code Scanning Integration provides Static Application Security Testing (SAST) data.
- The Dependabot Integration provides Software Composition Analysis (SCA) data.
- The Secret Scanning Integration imports vulnerabilities for potentially exploitable client secrets.
These integrations are compatible with both cloud-based and on-premises GitHub Advanced Security configurations.
When the scanners raise alerts through the Code Scanning and Dependabot integrations, the integrations create a vulnerability in Application Vulnerability Response. The vulnerability's state is determined by the triage flags selected by an end user.
Fixed:
- Enhancements to the GitHub Application Vulnerability Integration application to align with ServiceNow Platform Security guidance.
- GHSA / CVE prefix normalization: the GitHub code-scanning and secret-scanning processors previously prepended GHSA- to every rule ID, producing malformed sn_vul_app_vul_entry records (for example, GHSA-GHSA-* and GHSA-CVE-*). The processors now classify each rule ID and route it accordingly: CVE-* rule IDs are used as-is and route to sn_vul_nvd_entry; GHSA-* advisory IDs receive a single GH- prefix; other CodeQL rule IDs receive a GH-GHSA- prefix; IDs that already carry a GH- prefix are not re-prefixed. A scheduled cleanup job remediates existing malformed records on customer instances and deactivates itself once it finishes.
- Dependabot duplicate-advisory handling: a GH- prefix is added to GitHub-sourced advisories in sn_vul_app_vul_entry, so Dependabot alerts whose GHSA advisory IDs collide with advisories from other sources no longer fail to create application vulnerable items (AVITs). Existing records are updated automatically.
- Generic-secret migration job stability: the "Mark scantype to generic secret" scheduled job no longer loops on constraint violations and reliably deactivates when no migration work remains.
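As an added example (not code from the integration or from ServiceNow), the following plain JavaScript shows the rule-ID classification from the prefix-normalization fix, the GH- prefix from the Dependabot fix, and a cleanup pass that stops instead of looping when a repaired ID would violate a uniqueness constraint, the failure mode the migration-job fix describes. It runs in Node rather than on an instance, so it works on an in-memory array instead of GlideRecord. The table names sn_vul_nvd_entry and sn_vul_app_vul_entry are from the release note; the function names, the repair rule (strip the spurious leading GHSA- from the two malformed shapes the note lists, then re-route), the case-insensitive prefix matching and the sample records are assumptions made for this example.

```javascript
// Added example, not the integration's own code. Table names come from the
// release note; function names, the repair rule, case-insensitive prefix
// matching and the sample records are assumptions made for this example.

const NVD_TABLE = 'sn_vul_nvd_entry';
const APP_VUL_TABLE = 'sn_vul_app_vul_entry';

function hasPrefix(id, prefix) {
  // Assumption: prefix checks are case-insensitive; the ID itself is stored unchanged.
  return id.toUpperCase().startsWith(prefix.toUpperCase());
}

// Decide the stored ID and target table for one rule or advisory ID.
function routeRuleId(ruleId) {
  const id = String(ruleId).trim();
  if (!id) throw new Error('empty rule ID');
  if (hasPrefix(id, 'CVE-'))  return { table: NVD_TABLE,     id: id };              // CVE: used as-is
  if (hasPrefix(id, 'GH-'))   return { table: APP_VUL_TABLE, id: id };              // already normalized
  if (hasPrefix(id, 'GHSA-')) return { table: APP_VUL_TABLE, id: 'GH-' + id };      // GitHub advisory
  return                             { table: APP_VUL_TABLE, id: 'GH-GHSA-' + id }; // other CodeQL rule
}

// Repair one ID written by the old processors, which prepended "GHSA-" to
// everything. Only the two shapes the note names are treated as malformed.
// Returns null when the ID is not malformed.
function repairLegacyId(storedId) {
  const id = String(storedId).trim();
  if (hasPrefix(id, 'GHSA-GHSA-') || hasPrefix(id, 'GHSA-CVE-')) {
    return routeRuleId(id.slice('GHSA-'.length));
  }
  return null;
}

// One pass of the cleanup job over in-memory records. A repaired ID that
// collides with an existing record is flagged and skipped rather than
// retried, so the job cannot spin on a uniqueness violation. The caller
// stops scheduling passes once `remaining` is 0. (On an instance a record
// re-routed to the NVD table would be re-pointed to the NVD entry; here the
// record is simply relabelled.)
function cleanupPass(records) {
  const seen = new Set(records.map(r => r.table + ':' + r.id));
  let repaired = 0, skipped = 0;
  for (const rec of records) {
    if (rec.skipped) { skipped++; continue; }       // flagged on an earlier pass
    const fix = repairLegacyId(rec.id);
    if (!fix) continue;
    const key = fix.table + ':' + fix.id;
    if (seen.has(key)) { rec.skipped = true; skipped++; continue; }
    seen.delete(rec.table + ':' + rec.id);
    seen.add(key);
    rec.table = fix.table;
    rec.id = fix.id;
    repaired++;
  }
  const remaining = records.filter(r => !r.skipped && repairLegacyId(r.id) !== null).length;
  return { repaired: repaired, skipped: skipped, remaining: remaining };
}

// Constructed sample records (not real advisories or CVEs).
const SAMPLE_RECORDS = [
  { table: APP_VUL_TABLE, id: 'GHSA-GHSA-2c3f-4g5h-6j7m' }, // malformed advisory ID
  { table: APP_VUL_TABLE, id: 'GHSA-CVE-2099-0001' },       // malformed CVE ID
  { table: APP_VUL_TABLE, id: 'GH-GHSA-js/sql-injection' }, // already correct
  { table: APP_VUL_TABLE, id: 'GH-GHSA-2c3f-4g5h-6j7m' },   // collides with the first once repaired
];

// Run the cleanup job to completion over a copy of the sample and return the
// pass results, showing that it finishes in one pass and then has no work left.
function runCleanupJob(records) {
  const copy = records.map(r => Object.assign({}, r));
  const passes = [];
  let result;
  do {
    result = cleanupPass(copy);
    passes.push(result);
  } while (result.remaining > 0 && passes.length < 10); // guard against a regression that loops
  return { passes: passes, records: copy };
}
```

The collision case is the one to watch in a real cleanup: the fourth sample record already holds the ID the first would be repaired to, so the job flags it rather than retrying and still reports no remaining work, which is the condition under which a scheduled job should deactivate itself.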
The following app for Vulnerability Response must be installed and activated:
- Vulnerability Response
For information on Vulnerability Response application compatibility, see "Vulnerability Response and Configuration Compliance Compatibility Matrix" under Supporting Links and Docs.
Permissions and roles:
Roles required:
- System Admin (admin)
- Application Security Manager (User assigned to App-Sec Manager group)