Security Vulnerability Slack Notification #95
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Vulnerability Slack Notification | |
| on: | |
| schedule: | |
| - cron: '0 * * * *' # Runs every hour | |
| workflow_dispatch: | |
| jobs: | |
| check-alerts: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Check for Recent Alerts | |
| env: | |
| # Use a PAT instead of the default token | |
| GH_TOKEN: ${{ secrets.DEPENDABOT_PAT }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK}} | |
| run: | | |
| # 1. Calculate time 65 minutes ago | |
| TIME_THRESHOLD=$(date -u -d '65 minutes ago' +'%Y-%m-%dT%H:%M:%SZ') | |
| echo "Checking for alerts created after: $TIME_THRESHOLD" | |
| # 2. Fetch alerts using GitHub CLI | |
| ALERTS=$(gh api "/repos/${{ github.repository }}/dependabot/alerts" \ | |
| --jq ".[] | select(.state == \"open\") | select(.created_at > \"$TIME_THRESHOLD\") | select(.security_advisory.severity == \"critical\" or .security_advisory.severity == \"high\")") | |
| # 3. Check if any alerts were found | |
| if [ -z "$ALERTS" ]; then | |
| echo "No new alerts found in the last hour." | |
| exit 0 | |
| fi | |
| echo "New alerts detected! Sending notification..." | |
| # 4. Extract details from the first alert found | |
| PACKAGE=$(echo "$ALERTS" | jq -r '.[0] | .dependency.package.name') | |
| SEVERITY=$(echo "$ALERTS" | jq -r '.[0] | .security_advisory.severity') | |
| STATE=$(echo "$ALERTS" | jq -r '.[0] | .state') | |
| REPO_NAME="${{ github.repository }}" | |
| ISSUE_TITLE=$(echo "$ALERTS" | jq -r '.[0] | .dependency.package.name + " (" + .security_advisory.severity + ")"') | |
| ISSUE_USER="Dependabot" | |
| ISSUE_URL=$(echo "$ALERTS" | jq -r '.[0] | .html_url') | |
| MESSAGE_TEXT=$(jq -n \ | |
| --arg repo "$REPO_NAME" \ | |
| --arg title "$ISSUE_TITLE" \ | |
| --arg user "$ISSUE_USER" \ | |
| --arg url "$ISSUE_URL" \ | |
| --arg template "*📢 New Dependabot Alert ($REPO_NAME) 📢*\n\n*Issue Title:* $ISSUE_TITLE\n*Opened By:* $ISSUE_USER\n\n*View Issue:* $ISSUE_URL" \ | |
| '$template') | |
| # Build Slack payload | |
| SLACK_PAYLOAD=$(jq -n \ | |
| --arg text "$MESSAGE_TEXT" \ | |
| '{ | |
| "channel": "#docs-devdocs-notifications", | |
| "username": "Security Vulnerability Slack Notification", | |
| "icon_emoji": ":rotating_light:", | |
| "text": $text | |
| }') | |
| # Send to Slack | |
| curl -X POST \ | |
| -H 'Content-type: application/json' \ | |
| --data "$SLACK_PAYLOAD" \ | |
| "$SLACK_WEBHOOK_URL" |