Security Vulnerability Slack Notification #102
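name: Security Vulnerability Slack Notification

# Hourly poll of this repository's Dependabot alerts. Any *open* alert of
# severity critical or high that was created within the last 65 minutes is
# posted to Slack through an incoming webhook.
#
# The 65-minute window is deliberately 5 minutes wider than the hourly cron
# so a late-starting run cannot skip an alert; an alert created inside that
# overlap may therefore be reported twice. Only the newest alert is described
# in detail; the message says how many more there are.
#
# Required secrets:
#   DEPENDABOT_PAT     token with read access to Dependabot alerts for this
#                      repository (scope it to that single permission)
#   SLACK_WEBHOOK_URL  Slack incoming-webhook URL; anyone holding it can post
#                      to the channel, so treat it as a credential

on:
  schedule:
    - cron: '0 * * * *' # Runs every hour
  workflow_dispatch:

# The job authenticates to the API with the PAT above, so the workflow's own
# GITHUB_TOKEN needs no permissions at all.
permissions: {}

jobs:
  check-alerts:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      # No checkout step: nothing in this job reads the repository contents,
      # the alert query goes through the REST API.
      - name: Check for Recent Alerts
        env:
          GH_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          # Context values enter the script through env, not via ${{ }}
          # interpolation into the script body, so they can never be
          # parsed as shell syntax.
          REPO_NAME: ${{ github.repository }}
        run: |
          # The default Actions shell is only `bash -e`; make pipeline
          # failures and unset variables fatal too.
          set -euo pipefail
          : "${GH_TOKEN:?DEPENDABOT_PAT secret is not set}"
          : "${SLACK_WEBHOOK_URL:?SLACK_WEBHOOK_URL secret is not set}"

          # 1. Calculate time 65 minutes ago, in UTC and in the same
          #    YYYY-MM-DDTHH:MM:SSZ form the API uses for created_at, so a
          #    plain string comparison orders the timestamps correctly.
          TIME_THRESHOLD=$(date -u -d '65 minutes ago' +'%Y-%m-%dT%H:%M:%SZ')
          echo "Checking for alerts created after: $TIME_THRESHOLD"

          # 2. Fetch alerts using GitHub CLI.
          #    state and severity are filtered server-side; per_page=100
          #    (the API maximum) keeps a busy hour within one page. The
          #    [ ] wrapper forces an array even when nothing matches, so
          #    `length` and `.[0]` below are always valid.
          ALERTS=$(gh api \
            "/repos/${REPO_NAME}/dependabot/alerts?state=open&severity=critical,high&per_page=100" \
            --jq "[ .[] | select(.created_at > \"$TIME_THRESHOLD\") ]")

          # 3. Check if any alerts were found
          LENGTH=$(jq 'length' <<<"$ALERTS")
          if [ "$LENGTH" -eq 0 ]; then
            echo "No new alerts found in the last hour."
            exit 0
          fi
          echo "New alerts detected! Sending notification..."

          # 4. Extract details from the first (newest) alert found
          PACKAGE=$(jq -r '.[0].dependency.package.name' <<<"$ALERTS")
          SEVERITY=$(jq -r '.[0].security_advisory.severity' <<<"$ALERTS")
          ISSUE_URL=$(jq -r '.[0].html_url' <<<"$ALERTS")
          ISSUE_TITLE="${PACKAGE} (${SEVERITY})"
          ISSUE_USER="Dependabot"

          # 5. Build the Slack payload in a single jq call.
          #    Every alert-derived value is passed with --arg, so jq
          #    JSON-encodes it exactly once, and the message text is
          #    composed inside jq with \( ) interpolation and real \n
          #    newlines. Composing the text in a separate `jq -n '$template'`
          #    (without -r) yielded a JSON string literal - surrounding
          #    quotes and "\\n" included - that was then encoded a second
          #    time and reached Slack verbatim.
          SLACK_PAYLOAD=$(jq -n \
            --arg repo "$REPO_NAME" \
            --arg title "$ISSUE_TITLE" \
            --arg user "$ISSUE_USER" \
            --arg url "$ISSUE_URL" \
            --argjson count "$LENGTH" \
            '{
              "channel": "#docs-devdocs-notifications",
              "username": "Security Vulnerability Slack Notification",
              "icon_emoji": ":rotating_light:",
              "text": ("*📢 New Dependabot Alert (\($repo)) 📢*\n\n*Issue Title:* \($title)\n*Opened By:* \($user)\n\n*View Issue:* \($url)"
                       + (if $count > 1 then "\n\n_\($count - 1) more new alert(s) not shown._" else "" end))
            }')

          # 6. Send to Slack. --fail-with-body turns an HTTP error (for
          #    example a revoked webhook) into a failed step instead of a
          #    silently ignored 4xx, while still printing Slack's reply.
          curl --silent --show-error --fail-with-body -X POST \
            -H 'Content-type: application/json' \
            --data "$SLACK_PAYLOAD" \
            "$SLACK_WEBHOOK_URL"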