-
Notifications
You must be signed in to change notification settings - Fork 0
78 lines (77 loc) · 2.96 KB
/
notify-security-alerts.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
name: Notify Security Alerts
on:
workflow_dispatch:
schedule:
- cron: 0 15 * * 1-5
permissions: write-all
jobs:
notify:
runs-on: ubuntu-latest
name: Checks for security alerts and notify teams via Slack
steps:
- name: Check for security alerts
id: alerts_summary
env:
REPO_NAME: ${{ github.event.repository.name }}
GH_TOKEN: ${{ secrets.BUILD_GITHUB_TOKEN }}
run: |
ALERTS=$(mktemp)
echo "Code scanning alerts"
gh api "/repos/${GITHUB_REPOSITORY_OWNER}/${REPO_NAME}/code-scanning/alerts?state=open&per_page=100" \
> code-scanning.json
cat code-scanning.json
# new line for logs
echo ""
cat code-scanning.json | jq -r '.[]|.rule.severity' > $ALERTS
cat $ALERTS
# new line for logs
echo ""
echo "Dependabot alerts"
gh api "/repos/${GITHUB_REPOSITORY_OWNER}/${REPO_NAME}/dependabot/alerts?state=open&per_page=100" \
> dependabot.json
cat dependabot.json
# new line for logs
echo ""
cat dependabot.json | jq -r '.[]|.security_advisory.severity' >> $ALERTS
cat $ALERTS
# new line for logs
echo ""
echo "Secret scanning alerts"
gh api "/repos/${GITHUB_REPOSITORY_OWNER}/${REPO_NAME}/secret-scanning/alerts?state=open&per_page=100" \
> secret-scanning.json
cat secret-scanning.json
# new line for logs
echo ""
cat secret-scanning.json | jq -r '.[]|"critical"' >> $ALERTS
cat $ALERTS
# new line for logs
echo ""
COUNT=$(cat $ALERTS|wc -l)
echo "count=$COUNT" >> $GITHUB_OUTPUT
if [ ${COUNT:-0} == 0 ]; then echo "No alerts"; exit 0; fi
case $COUNT in
1) TITLE="$COUNT security alert in $REPO_NAME";;
*) TITLE="$COUNT security alerts in $REPO_NAME";;
esac
echo "title=$TITLE" >> $GITHUB_OUTPUT
SUMMARY=$(sort $ALERTS | uniq -c)
CODE_BLOCK='```'
echo "$SUMMARY"
echo "summary<<EOF" >> $GITHUB_OUTPUT
echo "https://github.com/$GITHUB_REPOSITORY" >> $GITHUB_OUTPUT
echo "${CODE_BLOCK}${SUMMARY}${CODE_BLOCK}" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Report
uses: rtCamp/action-slack-notify@v2
if: steps.alerts_summary.outputs.count > 0
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_LIGHTHOUSE }}
SLACK_CHANNEL: "team-quokka-alerts"
SLACK_MSG_AUTHOR: "libertybot"
SLACK_USERNAME: Blartbot
SLACK_COLOR: danger
SLACK_ICON_EMOJI: ":bangbang:"
SLACK_TITLE: "${{steps.alerts_summary.outputs.title}}"
SLACK_FOOTER: "@team_quokka Please address findings as soon as possible"
MSG_MINIMAL: true
SLACK_MESSAGE: ${{join(steps.alerts_summary.outputs.summary, '\n')}}