secrets.toml file or environment variables.
Prerequisites
- OpenHound installed with the GitHub collector included. Follow the OpenHound installation instructions to set up OpenHound for BloodHound Community Edition. The GitHub collector is included by default in the OpenHound container image.
- One of the following authentication setups configured:
The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users, for now.
Configure OpenHound
The GitHub collector needs different settings based on the authentication method you choose. You can set those values in one of two places:| Method | Set the values here |
|---|---|
secrets.toml file | [sources.source.github.credentials] section |
| Environment variables | SOURCES__SOURCE__GITHUB__CREDENTIALS |
- Enterprise GitHub App
- Organization GitHub App
- Fine-grained PAT
Use this option when you need enterprise-scoped collection.
Environment variables
| Setting | Description | Environment Variable |
|---|---|---|
client_id | The GitHub App Client ID used to authenticate to the GitHub API. | SOURCES__SOURCE__GITHUB__CREDENTIALS__CLIENT_ID |
app_id | The GitHub App ID used to authenticate to the GitHub API. | SOURCES__SOURCE__GITHUB__CREDENTIALS__APP_ID |
key_path | The path to the GitHub App private key file. | SOURCES__SOURCE__GITHUB__CREDENTIALS__KEY_PATH |
enterprise_name | The slug of the GitHub enterprise to collect data from. | SOURCES__SOURCE__GITHUB__CREDENTIALS__ENTERPRISE_NAME |
api_uri | The GitHub API base URI. For GitHub.com, use https://api.github.com. | SOURCES__SOURCE__GITHUB__CREDENTIALS__API_URI |
secrets.tomlsecrets.toml
Running OpenHound and Collecting Data
After you set the required configuration parameters, run OpenHound to start the collector and collect data from your . The collector will generate JSON files in the output directory that can be uploaded to BloodHound for analysis.Large GitHub organizations or enterprises can trigger GitHub’s API rate limits during collection. If you see failed or retried requests, tune the HTTP request parameters to ride out rate limits instead of failing the run.