Security Vulnerability Slack Notification #105
| name: Security Vulnerability Slack Notification | |
| on: | |
| schedule: | |
| - cron: '0 * * * *' | |
| workflow_dispatch: | |
| jobs: | |
| check-alerts: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Check for Recent Alerts | |
| env: | |
| GH_TOKEN: ${{ secrets.DEPENDABOT_PAT }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| run: | | |
| echo "--- TEST MODE ACTIVE (Ignoring Time Threshold) ---" | |
| # 1. Fetch ALL open alerts (Raw JSON) | |
| RAW_DATA=$(gh api "/repos/${{ github.repository }}/dependabot/alerts?state=open") | |
| # 2. Filter locally using jq | |
| # --- CHANGE IS HERE --- | |
| # I removed "| select(.created_at > $TIME)" so it finds OLD alerts too. | |
| # I also removed the Severity check so it finds ANY open alert (Low/Med/High). | |
| ALERTS=$(echo "$RAW_DATA" | jq '[ .[] | select(.state == "open") ]') | |
| # 3. Debugging structure | |
| echo "New alerts detected! Debugging structure..." | |
| # Check if we actually have data now | |
| LENGTH=$(echo "$ALERTS" | jq 'length') | |
| if [ "$LENGTH" -eq 0 ]; then | |
| echo "::error:: Still no alerts found! check if your PAT has 'repo' or 'security_events' scope." | |
| exit 1 | |
| fi | |
| # Print keys to confirm we can read the data | |
| echo "Top-level keys found in first alert:" | |
| echo "$ALERTS" | jq '.[0] | keys' | |
| # 4. Extract details | |
| # We use the raw data keys. | |
| # Note: If keys output shows 'security_vulnerability' instead of 'security_advisory', we might need to adjust below. | |
| PACKAGE=$(echo "$ALERTS" | jq -r '.[0].dependency.package.name // "Unknown Package"') | |
| SEVERITY=$(echo "$ALERTS" | jq -r '.[0].security_advisory.severity // "Unknown Severity"') | |
| # Fallback URL logic | |
| ISSUE_URL=$(echo "$ALERTS" | jq -r '.[0].html_url // .[0].url // "https://github.com"') | |
| # Prepare text | |
| REPO_NAME="${{ github.repository }}" | |
| ISSUE_TITLE="${PACKAGE} (${SEVERITY})" | |
| ISSUE_USER="Dependabot" | |
| # 5. Build Slack Message | |
| MESSAGE_TEXT=$(jq -n \ | |
| --arg repo "$REPO_NAME" \ | |
| --arg title "$ISSUE_TITLE" \ | |
| --arg user "$ISSUE_USER" \ | |
| --arg url "$ISSUE_URL" \ | |
| --arg template "*📢 New Dependabot Alert ($REPO_NAME) 📢*\n\n*Issue Title:* $ISSUE_TITLE\n*Opened By:* $ISSUE_USER\n\n*View Issue:* $ISSUE_URL" \ | |
| '$template') | |
| # 6. Build Payload & Send | |
| SLACK_PAYLOAD=$(jq -n \ | |
| --arg text "$MESSAGE_TEXT" \ | |
| '{ | |
| "channel": "#docs-devdocs-notifications", | |
| "username": "Security Vulnerability Slack Notification", | |
| "icon_emoji": ":rotating_light:", | |
| "text": $text | |
| }') | |
| curl -X POST \ | |
| -H 'Content-type: application/json' \ | |
| --data "$SLACK_PAYLOAD" \ | |
| "$SLACK_WEBHOOK_URL" |
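Review bot: `MESSAGE_TEXT=$(jq -n ... '$template')` in step 5 emits a JSON-encoded string (surrounding quotes, the literal `\n` doubled to `\\n`) because `-r` is missing, and step 6 then JSON-encodes it a second time via `--arg text "$MESSAGE_TEXT"`, so the Slack post would show literal quotes and `\\n` instead of line breaks; the `--arg repo/title/user/url` values are also never referenced by the filter, since the shell interpolates the template before jq sees it. Building the text inside one jq filter with `\($repo)`-style interpolation fixes both and keeps every value JSON-escaped, which matters because the package name comes straight from the alert data. Separately, `curl -X POST ... "$SLACK_WEBHOOK_URL"` at the end exits 0 on an HTTP 4xx/5xx, so a rejected webhook (a rotated or revoked URL) passes silently under the runner's default `bash -e`; add `-sS --fail` so the job surfaces it. The `exit 1` on `"$LENGTH" -eq 0` also makes every hourly run fail whenever there are no open alerts — the comments call this test mode, so presumably that branch is reverted before merge.
```yaml
          # … unchanged: steps 1–4 (fetch, filter, extract PACKAGE/SEVERITY/ISSUE_URL, REPO_NAME/ISSUE_TITLE/ISSUE_USER) …
          # 5+6. Build the payload in a single jq call: \($var) interpolation
          # keeps real newlines and every --arg value stays JSON-escaped.
          SLACK_PAYLOAD=$(jq -n \
            --arg repo "$REPO_NAME" \
            --arg title "$ISSUE_TITLE" \
            --arg user "$ISSUE_USER" \
            --arg url "$ISSUE_URL" \
            '{
              channel: "#docs-devdocs-notifications",
              username: "Security Vulnerability Slack Notification",
              icon_emoji: ":rotating_light:",
              text: "*📢 New Dependabot Alert (\($repo)) 📢*\n\n*Issue Title:* \($title)\n*Opened By:* \($user)\n\n*View Issue:* \($url)"
            }')
          # --fail turns an HTTP error from the webhook into a non-zero exit.
          curl -sS --fail -X POST \
            -H 'Content-type: application/json' \
            --data "$SLACK_PAYLOAD" \
            "$SLACK_WEBHOOK_URL"
```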