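---
# Polls the Dependabot alerts API for this repository and posts one alert to
# Slack via an incoming webhook. The script is currently in TEST MODE: it takes
# the first alert of any state (open, fixed, dismissed) with no time filter,
# so every scheduled run re-posts the same alert until the test mode is removed.
name: Security Vulnerability Slack Notification

on:
  schedule:
    - cron: '0 * * * *'  # Runs every hour
  workflow_dispatch:

# The job authenticates to the API with its own PAT (GH_TOKEN below), so the
# automatic GITHUB_TOKEN needs no permissions at all.
permissions: {}

jobs:
  check-alerts:
    runs-on: ubuntu-latest
    steps:
      # No checkout step: the script only talks to the GitHub API and Slack and
      # never reads files from the repository, so the working tree is not needed.
      - name: Check for Recent Alerts
        env:
          # Use a PAT instead of the default token: GITHUB_TOKEN cannot read
          # Dependabot alerts, so this must be a token granted read access to them.
          GH_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          # Passed through env rather than expanded inline in the script, so the
          # shell only ever sees a variable reference.
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail

          echo "--- TEST MODE ACTIVE ---"
          echo "Fetching ALL alerts (Open, Fixed, Dismissed) to verify Slack connection..."

          # 1. Fetch alerts via API
          # We use '?state=all' to find old/closed alerts
          # We use 'per_page=1' because we only need one example to test
          RESPONSE=$(curl -sS \
            -H "Authorization: token $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${REPO}/dependabot/alerts?state=all&per_page=1")

          # 2. Check for an error response
          # On success the API returns a JSON array; on any failure (bad credentials,
          # missing permission, rate limit, unknown repo) it returns an object with a
          # "message". Checking the type catches all of these, not just one message text.
          KIND=$(echo "$RESPONSE" | jq -r 'type' 2>/dev/null || echo "invalid")
          if [ "$KIND" != "array" ]; then
            MESSAGE=$(echo "$RESPONSE" | jq -r '.message // "unexpected response"' 2>/dev/null || echo "non-JSON response")
            echo "::error::Dependabot alerts request failed ($MESSAGE). Please check your DEPENDABOT_PAT secret and its permissions."
            exit 1
          fi

          # 3. Parse the result
          # We just grab the first alert found. No time filter. No severity filter.
          # Check if the list is empty (Repo has NEVER had an alert)
          LENGTH=$(echo "$RESPONSE" | jq 'length')
          if [ "$LENGTH" -eq 0 ]; then
            echo "::warning:: No alerts found (Open or Closed). This repo has clean history!"
            exit 0
          fi
          echo "Found historical alert data. Sending Slack notification..."

          # 4. Extract details from the first alert found
          PACKAGE=$(echo "$RESPONSE" | jq -r '.[0].dependency.package.name')
          SEVERITY=$(echo "$RESPONSE" | jq -r '.[0].security_advisory.severity')
          URL=$(echo "$RESPONSE" | jq -r '.[0].html_url')
          STATE=$(echo "$RESPONSE" | jq -r '.[0].state')

          # 5. Build the Slack payload with jq so that values coming back from the
          # API (package name, severity, URL, state) are JSON-escaped instead of
          # being spliced into a shell string, where a quote or backslash would
          # corrupt the document. The alert state is included because in test mode
          # the alert may be fixed or dismissed rather than new.
          PAYLOAD=$(jq -n \
            --arg package "$PACKAGE" \
            --arg severity "$SEVERITY" \
            --arg url "$URL" \
            --arg state "$STATE" \
            '{
              channel: "#docs-devdocs-notifications",
              username: "Dependabot Watchdog",
              icon_emoji: ":rotating_light:",
              attachments: [
                {
                  color: "#D00000",
                  blocks: [
                    {
                      type: "section",
                      text: {
                        type: "mrkdwn",
                        text: ":rotating_light: *New Dependabot Alert Detected*"
                      }
                    },
                    {
                      type: "section",
                      fields: [
                        {type: "mrkdwn", text: ("*Package:*\n" + $package)},
                        {type: "mrkdwn", text: ("*Severity:*\n" + $severity)},
                        {type: "mrkdwn", text: ("*State:*\n" + $state)}
                      ]
                    },
                    {
                      type: "section",
                      text: {
                        type: "mrkdwn",
                        text: ("<" + $url + "|View Alert on GitHub>")
                      }
                    }
                  ]
                }
              ]
            }')

          # 6. Send Slack Notification
          # --fail-with-body makes a rejected webhook call fail the job (and print
          # Slack's reason) instead of being logged as a success.
          curl -sS --fail-with-body -X POST -H 'Content-type: application/json' \
            --data "$PAYLOAD" "$SLACK_WEBHOOK_URL"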