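# Hourly check of this repository's open Dependabot alerts; the first open alert
# is posted to Slack through an incoming webhook.
#
# Secrets read by the job:
#   DEPENDABOT_PAT     - token `gh api` uses to list Dependabot alerts
#   SLACK_WEBHOOK_URL  - Slack incoming-webhook endpoint the payload is POSTed to
#
# NOTE(review): the step is still in its "test mode" per the author's in-script
# comments: it reports any open alert, regardless of age or severity, and fails
# the job when there is none.
name: Security Vulnerability Slack Notification

on:
  schedule:
    - cron: '0 * * * *'
  workflow_dispatch:

# The script authenticates with DEPENDABOT_PAT, not GITHUB_TOKEN, so the
# automatic token only needs read access (for the checkout step).
permissions:
  contents: read

jobs:
  check-alerts:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout code
        # The script below does not read the working tree; the step is kept
        # for parity. Pinning the action to a full commit SHA instead of a
        # moving tag is the usual hardening.
        uses: actions/checkout@v3
        with:
          # Do not leave GITHUB_TOKEN in .git/config on the runner.
          persist-credentials: false

      - name: Check for Recent Alerts
        env:
          GH_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        run: |
          # Abort on any error, unset variable, or failure inside a pipeline
          # (the default `run` shell only enables -e).
          set -euo pipefail

          echo "--- TEST MODE ACTIVE (Ignoring Time Threshold) ---"

          # 1. Fetch ALL open alerts (Raw JSON). GITHUB_REPOSITORY is the
          #    runner-provided "owner/repo"; reading the env var avoids splicing
          #    a workflow expression into shell source. `gh api` exits non-zero
          #    on an HTTP error, which -e turns into a failed step.
          RAW_DATA=$(gh api "/repos/${GITHUB_REPOSITORY}/dependabot/alerts?state=open")

          # 2. Filter locally using jq
          # The time-threshold filter ("| select(.created_at > $TIME)") and the
          # severity check were removed by the author so that OLD alerts and
          # ANY severity (Low/Med/High) are found. The state filter is redundant
          # with ?state=open above but kept as a guard.
          ALERTS=$(echo "$RAW_DATA" | jq '[ .[] | select(.state == "open") ]')

          # 3. Check that we actually have data
          LENGTH=$(echo "$ALERTS" | jq 'length')
          if [ "$LENGTH" -eq 0 ]; then
            echo "::error:: Still no alerts found! check if your PAT has 'repo' or 'security_events' scope."
            exit 1
          fi
          echo "New alerts detected! Debugging structure..."

          # Print keys to confirm we can read the data
          echo "Top-level keys found in first alert:"
          echo "$ALERTS" | jq '.[0] | keys'

          # 4. Extract details. Only the FIRST open alert is reported; the
          #    remaining entries in $ALERTS are ignored.
          # Note: If keys output shows 'security_vulnerability' instead of
          # 'security_advisory', the severity path below may need adjusting.
          PACKAGE=$(echo "$ALERTS" | jq -r '.[0].dependency.package.name // "Unknown Package"')
          SEVERITY=$(echo "$ALERTS" | jq -r '.[0].security_advisory.severity // "Unknown Severity"')
          # Fallback URL logic
          ISSUE_URL=$(echo "$ALERTS" | jq -r '.[0].html_url // .[0].url // "https://github.com"')

          # Prepare text
          REPO_NAME="${GITHUB_REPOSITORY}"
          ISSUE_TITLE="${PACKAGE} (${SEVERITY})"
          ISSUE_USER="Dependabot"

          # 5. Build Slack Message. The text is assembled inside jq so that the
          #    \n sequences become real newlines and the --arg values are
          #    inserted as-is; -r emits plain text. (Previously the --arg values
          #    went unused, the shell passed a literal backslash-n, and the
          #    JSON-quoted output was encoded a second time in step 6, so Slack
          #    showed the quotes and backslashes literally.)
          MESSAGE_TEXT=$(jq -rn \
            --arg repo "$REPO_NAME" \
            --arg title "$ISSUE_TITLE" \
            --arg user "$ISSUE_USER" \
            --arg url "$ISSUE_URL" \
            '"*📢 New Dependabot Alert (\($repo)) 📢*\n\n*Issue Title:* \($title)\n*Opened By:* \($user)\n\n*View Issue:* \($url)"')

          # 6. Build Payload & Send. jq does the single JSON encoding of the
          #    message text here.
          SLACK_PAYLOAD=$(jq -n \
            --arg text "$MESSAGE_TEXT" \
            '{
              "channel": "#docs-devdocs-notifications",
              "username": "Security Vulnerability Slack Notification",
              "icon_emoji": ":rotating_light:",
              "text": $text
            }')

          # --fail makes a 4xx/5xx from the webhook fail the step instead of
          # reporting success with the response body in the log.
          curl --fail --silent --show-error -X POST \
            -H 'Content-type: application/json' \
            --data "$SLACK_PAYLOAD" \
            "$SLACK_WEBHOOK_URL"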