|
1 | 1 | name: Security Vulnerability Slack Notification |
2 | 2 |
|
3 | | -# This workflow runs whenever a Dependabot alert is created or reopened. |
4 | 3 | on: |
5 | | - dependabot_alert: |
6 | | - types: [created, reopened] |
| 4 | + schedule: |
| 5 | + - cron: "0 */2 * * *" # Every 2 hours |
| 6 | + workflow_dispatch: # Allow manual trigger from GitHub Actions tab |
7 | 7 |
|
8 | 8 | jobs: |
9 | 9 | notify_slack_on_alert: |
10 | 10 | runs-on: ubuntu-latest |
11 | | - if: github.event_name == 'dependabot_alert' |
| 11 | + |
12 | 12 | steps: |
13 | | - - name: Send Slack Notification via Direct Curl Payload |
| 13 | + - name: Fetch Open Dependabot Alerts |
| 14 | + env: |
| 15 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 16 | + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} |
14 | 17 | run: | |
15 | | - MESSAGE_TEXT="*🚨 Dependabot Alert: ${{ github.event.action }} 🚨*\n\n*Vulnerability:* ${{ github.event.alert.security_vulnerability.package.ecosystem }} package *${{ github.event.alert.security_vulnerability.package.name }}*\n*Severity:* ${{ github.event.alert.security_vulnerability.severity }}\n*Repository:* ${{ github.repository }}\n\n*View Details:* ${{ github.event.alert.html_url }}" |
| 18 | + echo ":mag: Checking for open Dependabot vulnerability alerts..." |
16 | 19 | |
17 | | - SLACK_PAYLOAD=$(jq -n \ |
18 | | - --arg text "${MESSAGE_TEXT}" \ |
19 | | - '{ |
20 | | - "channel": "#docs-devdocs-notifications", |
21 | | - "username": "Dependabot Notifier", |
22 | | - "icon_emoji": ":lock:", |
23 | | - "text": $text |
24 | | - }') |
25 | | -
|
26 | | - # 3. Send the request directly to the webhook URL stored as a secret |
27 | | - curl -X POST \ |
28 | | - -H 'Content-type: application/json' \ |
29 | | - --data "$SLACK_PAYLOAD" \ |
30 | | - ${{ secrets.SLACK_WEBHOOK }} |
31 | | - env: |
32 | | - # jq is pre-installed on GitHub runners and is used to safely build the JSON payload. |
33 | | - JQ_VERSION: 1.6 |
| 20 | + # Fetch open alerts from GitHub API |
| 21 | + RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ |
| 22 | + "https://api.github.com/repos/${{ github.repository }}/dependabot/alerts?state=open") |
| 23 | +
|
| 24 | + ALERT_COUNT=$(echo "$RESPONSE" | jq length) |
| 25 | + echo "Found $ALERT_COUNT open alerts." |
| 26 | +
|
| 27 | + # Only send Slack message if there are alerts |
| 28 | + if [ "$ALERT_COUNT" -gt 0 ]; then |
| 29 | + echo ":warning: Sending Slack notification..." |
| 30 | +
|
| 31 | + MESSAGE_TEXT="*:rotating_light: Dependabot found $ALERT_COUNT open security alert(s) in ${{ github.repository }}!* :rotating_light:\n\n" |
| 32 | +
|
| 33 | + # Loop through each alert to include details |
| 34 | + for i in $(seq 0 $(($ALERT_COUNT - 1))); do |
| 35 | + PACKAGE=$(echo "$RESPONSE" | jq -r ".[$i].security_vulnerability.package.name") |
| 36 | + ECOSYSTEM=$(echo "$RESPONSE" | jq -r ".[$i].security_vulnerability.package.ecosystem") |
| 37 | + SEVERITY=$(echo "$RESPONSE" | jq -r ".[$i].security_vulnerability.severity") |
| 38 | + URL=$(echo "$RESPONSE" | jq -r ".[$i].html_url") |
| 39 | +
|
| 40 | + MESSAGE_TEXT+="*Package:* ${PACKAGE} (${ECOSYSTEM})\n" |
| 41 | + MESSAGE_TEXT+="*Severity:* ${SEVERITY}\n" |
| 42 | + MESSAGE_TEXT+="*Details:* ${URL}\n\n" |
| 43 | + done |
| 44 | +
|
| 45 | + # Build Slack payload |
| 46 | + SLACK_PAYLOAD=$(jq -n \ |
| 47 | + --arg text "$MESSAGE_TEXT" \ |
| 48 | + '{ |
| 49 | + "channel": "#docs-devdocs-notifications", |
| 50 | + "username": "Dependabot Notifier", |
| 51 | + "icon_emoji": ":lock:", |
| 52 | + "text": $text |
| 53 | + }') |
| 54 | +
|
| 55 | + # Send notification to Slack |
| 56 | + curl -X POST \ |
| 57 | + -H 'Content-type: application/json' \ |
| 58 | + --data "$SLACK_PAYLOAD" \ |
| 59 | + "$SLACK_WEBHOOK" |
| 60 | +
|
| 61 | + echo ":white_check_mark: Slack notification sent successfully!" |
| 62 | + else |
| 63 | + echo ":white_check_mark: No active alerts — no Slack message sent." |
| 64 | + fi |
0 commit comments