-
Notifications
You must be signed in to change notification settings - Fork 0
50 lines (49 loc) · 1.67 KB
/
ghas.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Reference
# - https://arinco.com.au/blog/exporting-github-advanced-security-results/
# - https://github.com/advanced-security/ghas-to-csv
#
name: Gather data of GHAS
on:
schedule:
- cron: '30 22 * * 1' # Weekly at 22:30 UTC on Mondays
workflow_dispatch:
push: # TODO debug only
jobs:
data_gathering:
runs-on: ubuntu-latest
steps:
- name: CSV export
uses: advanced-security/ghas-to-csv@v3
env:
GITHUB_PAT: ${{ secrets.SECURITY_REPORT }}
- name: Upload CSV
uses: actions/upload-artifact@v4
with:
name: ghas-data
path: ${{ github.workspace }}/*.csv
if-no-files-found: error
flat_data:
runs-on: ubuntu-latest
needs: [data_gathering]
steps:
- name: Check out repo
uses: actions/checkout@main
- name: Download CSVs
uses: actions/download-artifact@v4
with:
name: ghas-data
path: .github/security/
- name: Tiny http server moment # Flat can only use HTTP or SQL, so ... yeah.
run: |
docker run -d -p 8000:80 --read-only -v $(pwd)/nginx-cache:/var/cache/nginx -v $(pwd)/.github/security/nginx-pid:/var/run -v $(pwd)/.github/security/:/usr/share/nginx/html:ro nginx
sleep 10
- name: Flat the code scanning alerts
uses: githubocto/flat@v3
with:
http_url: http://localhost:8000/cs_list.csv
downloaded_filename: .github/security/cs_list.csv
- name: Flat the dependabot scanning alerts
uses: githubocto/flat@v3
with:
http_url: http://localhost:8000/dependabot_list.csv
downloaded_filename: .github/security/dependabot_list.csv