Notify Security Alerts #293
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Notify Security Alerts | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: 0 15 * * 1-5 | |
| permissions: write-all | |
| jobs: | |
| notify: | |
| runs-on: ubuntu-latest | |
| name: Checks for security alerts and notify teams via Slack | |
| steps: | |
| - name: Check for security alerts | |
| id: alerts_summary | |
| env: | |
| REPO_NAME: ${{ github.event.repository.name }} | |
| GH_TOKEN: ${{ secrets.BUILD_GITHUB_TOKEN }} | |
| run: | | |
| ALERTS=$(mktemp) | |
| echo "Code scanning alerts" | |
| gh api "/repos/${GITHUB_REPOSITORY_OWNER}/${REPO_NAME}/code-scanning/alerts?state=open&per_page=100" \ | |
| > code-scanning.json | |
| cat code-scanning.json | |
| # new line for logs | |
| echo "" | |
| cat code-scanning.json | jq -r '.[]|.rule.severity' > $ALERTS | |
| cat $ALERTS | |
| # new line for logs | |
| echo "" | |
| echo "Dependabot alerts" | |
| gh api "/repos/${GITHUB_REPOSITORY_OWNER}/${REPO_NAME}/dependabot/alerts?state=open&per_page=100" \ | |
| > dependabot.json | |
| cat dependabot.json | |
| # new line for logs | |
| echo "" | |
| cat dependabot.json | jq -r '.[]|.security_advisory.severity' >> $ALERTS | |
| cat $ALERTS | |
| # new line for logs | |
| echo "" | |
| echo "Secret scanning alerts" | |
| gh api "/repos/${GITHUB_REPOSITORY_OWNER}/${REPO_NAME}/secret-scanning/alerts?state=open&per_page=100" \ | |
| > secret-scanning.json | |
| cat secret-scanning.json | |
| # new line for logs | |
| echo "" | |
| cat secret-scanning.json | jq -r '.[]|"critical"' >> $ALERTS | |
| cat $ALERTS | |
| # new line for logs | |
| echo "" | |
| COUNT=$(cat $ALERTS|wc -l) | |
| echo "count=$COUNT" >> $GITHUB_OUTPUT | |
| if [ ${COUNT:-0} == 0 ]; then echo "No alerts"; exit 0; fi | |
| case $COUNT in | |
| 1) TITLE="$COUNT security alert in $REPO_NAME";; | |
| *) TITLE="$COUNT security alerts in $REPO_NAME";; | |
| esac | |
| echo "title=$TITLE" >> $GITHUB_OUTPUT | |
| SUMMARY=$(sort $ALERTS | uniq -c) | |
| CODE_BLOCK='```' | |
| echo "$SUMMARY" | |
| echo "summary<<EOF" >> $GITHUB_OUTPUT | |
| echo "https://github.com/$GITHUB_REPOSITORY" >> $GITHUB_OUTPUT | |
| echo "${CODE_BLOCK}${SUMMARY}${CODE_BLOCK}" >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| - name: Report | |
| uses: rtCamp/action-slack-notify@v2 | |
| if: steps.alerts_summary.outputs.count > 0 | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_LIGHTHOUSE }} | |
| SLACK_CHANNEL: "team-quokka-alerts" | |
| SLACK_MSG_AUTHOR: "libertybot" | |
| SLACK_USERNAME: Blartbot | |
| SLACK_COLOR: danger | |
| SLACK_ICON_EMOJI: ":bangbang:" | |
| SLACK_TITLE: "${{steps.alerts_summary.outputs.title}}" | |
| SLACK_FOOTER: "@team_quokka Please address findings as soon as possible" | |
| MSG_MINIMAL: true | |
| SLACK_MESSAGE: ${{join(steps.alerts_summary.outputs.summary, '\n')}} | |