Security Vulnerability Slack Notification #22
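name: Security Vulnerability Slack Notification

on:
  schedule:
    - cron: '0 * * * *'   # Runs every hour
  workflow_dispatch:

# Least privilege: the job only reads Dependabot alerts and posts to a Slack
# webhook. It never writes to the repository and does not need the working
# tree, so the unused actions/checkout step is gone as well.
permissions:
  contents: read
  security-events: read

jobs:
  check-alerts:
    runs-on: ubuntu-latest
    steps:
      - name: Check for Recent Alerts
        shell: bash   # explicit so the run block gets -e and -o pipefail
        env:
          # gh needs a token. The default one is scoped by `permissions` above;
          # if the Dependabot alerts API answers 403 for this repository, swap
          # in a fine-grained PAT / App token with "Dependabot alerts: read"
          # stored as a secret.
          GH_TOKEN: ${{ github.token }}
          # The original hard-coded mongodb/docs-sample-apps. Following the
          # repository the workflow runs in lets the file be copied as-is; set
          # it explicitly if this workflow must watch a different repository.
          REPO: ${{ github.repository }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        run: |
          set -euo pipefail

          # 1. Only alerts created after this instant are reported. The window
          #    is a little wider than the hourly cron so scheduler jitter does
          #    not lose alerts; the overlap means an alert created in the last
          #    five minutes of a window can be reported twice, which is the
          #    safer failure mode for a security notification.
          threshold=$(date -u -d '65 minutes ago' +'%Y-%m-%dT%H:%M:%SZ')
          echo "Checking for alerts created after: $threshold"

          # 2. Query the REST endpoint for Dependabot alerts. The original
          #    pointed gh at /security/dependabot, which is the web UI, not an
          #    API path. state/severity are filtered server-side; --paginate
          #    walks past the 30-per-page default so alerts are not silently
          #    dropped. The threshold is passed with --arg instead of being
          #    spliced into the filter text. Result: one compact JSON object
          #    per line (jq -c), which the loop below can read line by line.
          alerts=$(gh api --paginate \
              "repos/${REPO}/dependabot/alerts?state=open&severity=critical,high&per_page=100" \
            | jq -c --arg t "$threshold" '.[] | select(.created_at > $t)')

          # 3. Nothing new: exit quietly.
          if [[ -z "$alerts" ]]; then
            echo "No new alerts found in the last hour."
            exit 0
          fi
          echo "New alerts detected! Sending notification..."

          # 4. One Slack message per alert (the original reported only the
          #    first match). The payload is built by jq, not by shell string
          #    interpolation, so a package name or severity containing quotes,
          #    backslashes or Slack markup characters (<, >, &) can neither
          #    break the JSON nor inject mrkdwn into the channel.
          while IFS= read -r alert; do
            payload=$(jq -n --argjson a "$alert" '
              def esc: tostring | gsub("&"; "&amp;") | gsub("<"; "&lt;") | gsub(">"; "&gt;");
              {
                channel: "#docs-devdocs-notifications",
                username: "Dependabot Watchdog",
                icon_emoji: ":rotating_light:",
                attachments: [
                  {
                    color: "#D00000",
                    blocks: [
                      {
                        type: "section",
                        text: { type: "mrkdwn", text: ":rotating_light: *New Dependabot Alert Detected*" }
                      },
                      {
                        type: "section",
                        fields: [
                          { type: "mrkdwn", text: "*Package:*\n\($a.dependency.package.name // "unknown" | esc)" },
                          { type: "mrkdwn", text: "*Severity:*\n\($a.security_advisory.severity // "unknown" | esc)" }
                        ]
                      },
                      {
                        type: "section",
                        text: { type: "mrkdwn", text: "<\($a.html_url)|View Alert on GitHub>" }
                      }
                    ]
                  }
                ]
              }')

            # 5. Post it. --fail turns an HTTP error from Slack into a failed
            #    step instead of a green run that notified nobody; --max-time
            #    keeps a hung webhook from pinning the runner for hours. The
            #    body goes in over stdin so it never appears in process args.
            curl --silent --show-error --fail --max-time 30 \
              -X POST -H 'Content-type: application/json' \
              --data @- "$SLACK_WEBHOOK_URL" <<<"$payload"
            echo
          done <<<"$alerts"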