Using the Qwiet app for GitHub
The following instructions walk you through using the Qwiet app, available from the GitHub Marketplace, to automate code analysis with Qwiet's NextGen Static Analysis (preZero).
Step 1: Set up your Qwiet account
After you click Set up a plan on GitHub, you'll be shown details on what you can do with your new Qwiet account. Click Install it for free to proceed, and you'll be prompted to review your order.
The app is free to use, but GitHub asks that you proceed through the checkout process regardless. Click Complete order and begin installation.
Next, you'll be asked to authorize Qwiet to access your account. Click Authorize Qwiet to proceed.
You'll be redirected to the Qwiet Dashboard to finish configuring your account (if you don't already have one) and create a new organization. Follow the on-screen prompts to provide Qwiet with a name for your organization.
Step 2: Provide access to your GitHub repositories
Qwiet will ask if you'd like to grant access to just your public repositories or both your public and private repositories.
You'll then need to provide Qwiet with the requested permissions, which are necessary to perform actions on your behalf. Qwiet needs to interact with the following (any additional permissions requested are inferred by GitHub and cannot be removed):
- public_repo or repo: needed to push branches, open pull requests that add GitHub Actions workflow files, and add a Qwiet access token as a repository secret
- user:email: used to identify you
- read:org: used to correctly list the repos associated with the orgs of which you're a member
- workflow: needed to add GitHub Actions workflow files and execute Actions
See Scopes for OAuth Apps for additional information on the scopes requested by Qwiet.
Step 3: Choose the repository to analyze
At this point, you can choose to:
- Try out the Qwiet workflow using the demo repo in the language of your choice
- Select one of your repositories for code analysis
Analyze a Demo Repo
Qwiet will create a GitHub Action on your behalf as part of the workflow. Depending on your usage level, you may incur charges for your use of GitHub Actions. You will be fully responsible for such costs.
To try out the Qwiet workflow using the demo repo, click the box corresponding to the language of your choice. This will result in Qwiet analyzing a repo in the chosen language.
Click Next in the top left to proceed.
You'll be redirected to the Demo Workflow Setup screen, showing Qwiet's progress in setting up your sample app.
When done, you'll be able to see the steps Qwiet took. Click View the Pull Request to see the build rules file that illustrates how preZero can be used with GitHub Actions to secure every pull request in your organization. Click See Demo App to proceed.
This redirects you to the Applications View, which shows a complete list of all apps associated with your Qwiet account. It may take some time for Qwiet to analyze the demo repo and return the results.
When you no longer see any status bars indicating that a scan is in progress, click anywhere on the application row to launch the app-specific summary page.
Analyze Your Repo
To try out the Qwiet workflow using one of your repositories, select it from the list generated by Qwiet. You can use the search bar to filter your choices.
Supported repository types
This automated setup only supports JavaScript/TypeScript, Go, Python, and Terraform. Additionally, the dashboard doesn't display Qwiet demo repositories already forked to your account.
Set up the sample app
Once you've selected your repository, click Next in the top left to proceed.
You'll be redirected to the Demo Workflow Setup screen, showing Qwiet's progress in setting up your sample app.
When done, you'll see the steps Qwiet took and a link to view your demo app.
Click See Demo App to proceed. This redirects you to the Applications View, which shows a complete list of all apps associated with your Qwiet account. It may take some time for Qwiet to analyze your repo and return the results to you.
When you no longer see any status bars indicating that a scan is in progress, the Applications view shows a summary of the findings for your repo. Click anywhere on your application's row to launch its in-depth summary page.
Step 4: Merge the GitHub pull request (Optional)
As part of the workflow setup process, Qwiet opened a Pull Request (PR) in your repository (whether you used a demo repository or your own). The PR adds a YAML file (found under /.github/workflows/shiftleft.yml) to your repo that uses GitHub Actions to execute preZero on every PR opened from then on.
If you used a demo repo, you do not have to merge the PR created by Qwiet unless you want to modify the behavior defined in the YAML file.
If you provided a repository you own for analysis, however, you must merge the PR to continue having Qwiet analyze your repo. You can also modify the YAML file to further customize the GitHub Action's behavior.