@@ -2,7 +2,7 @@ name: Security Vulnerability Slack Notification
22
33on :
44 schedule :
5- - cron : ' 0 * * * *' # Runs every hour
5+ - cron : ' 0 * * * *'
66 workflow_dispatch :
77
88jobs :
@@ -19,27 +19,45 @@ jobs:
1919 run : |
2020 # 1. Calculate time 65 minutes ago
2121 TIME_THRESHOLD=$(date -u -d '65 minutes ago' +'%Y-%m-%dT%H:%M:%SZ')
22-
2322 echo "Checking for alerts created after: $TIME_THRESHOLD"
2423
25- # 2. Fetch alerts using GitHub CLI
26- ALERTS=$(gh api "/repos/${{ github.repository }}/dependabot/alerts" \
27- --jq "[ .[] | select(.state == \"open\") | select(.created_at > \"$TIME_THRESHOLD\") | select(.security_advisory.severity == \"critical\" or .security_advisory.severity == \"high\") ]")
24+ # 2. Fetch ALL open alerts (Raw JSON)
25+ # We fetch raw data first to ensure we don't lose structure in complex filtering
26+ RAW_DATA=$(gh api "/repos/${{ github.repository }}/dependabot/alerts?state=open")
27+
28+ # 3. Filter locally using jq
29+ # Note: If you want to force a test on OLD alerts, remove '| select(.created_at > $TIME)' below
30+ ALERTS=$(echo "$RAW_DATA" | jq --arg TIME "$TIME_THRESHOLD" \
31+ '[ .[] | select(.created_at > $TIME) | select(.security_advisory.severity == "critical" or .security_advisory.severity == "high") ]')
32+
33+ # 4. Check results (COMMENTED OUT FOR TESTING)
34+ # LENGTH=$(echo "$ALERTS" | jq 'length')
35+ # if [ "$LENGTH" -eq 0 ]; then
36+ # echo "No new alerts found in the last hour."
37+ # exit 0
38+ # fi
2839
29- # 3. Check if any alerts were found
40+ echo "New alerts detected! Debugging structure..."
3041
42+ # --- DEBUG: Print the first alert keys to logs ---
43+ echo "Top-level keys found in first alert:"
44+ echo "$ALERTS" | jq '.[0] | keys'
45+ # -----------------------------------------------
46+
47+ # 5. Extract details (Using Try/Catch defaults to prevent crash)
48+ # We use // to provide fallback text if the field is null
49+ PACKAGE=$(echo "$ALERTS" | jq -r '.[0].dependency.package.name // "Unknown Package"')
50+ SEVERITY=$(echo "$ALERTS" | jq -r '.[0].security_advisory.severity // "Unknown Severity"')
3151
32- # 4. Extract details from the first alert found
33- # Now valid because ALERTS is an array, so .[0] exists
34- PACKAGE=$(echo "$ALERTS" | jq -r '.[0] | .dependency.package.name')
35- SEVERITY=$(echo "$ALERTS" | jq -r '.[0] | .security_advisory.severity')
52+ # Try standard html_url, fallback to url, fallback to generic string
53+ ISSUE_URL=$(echo "$ALERTS" | jq -r '.[0].html_url // .[0].url // "https://github.com"')
3654
55+ # Prepare text
3756 REPO_NAME="${{ github.repository }}"
3857 ISSUE_TITLE="${PACKAGE} (${SEVERITY})"
3958 ISSUE_USER="Dependabot"
40- ISSUE_URL=$(echo "$ALERTS" | jq -r '.[0] | .html_url')
41-
42- # 5. Build Message
59+
60+ # 6. Build Slack Message
4361 MESSAGE_TEXT=$(jq -n \
4462 --arg repo "$REPO_NAME" \
4563 --arg title "$ISSUE_TITLE" \
4866 --arg template "*📢 New Dependabot Alert ($REPO_NAME) 📢*\n\n*Issue Title:* $ISSUE_TITLE\n*Opened By:* $ISSUE_USER\n\n*View Issue:* $ISSUE_URL" \
4967 '$template')
5068
51- # 6 . Build Payload
69+ # 7 . Build Payload & Send
5270 SLACK_PAYLOAD=$(jq -n \
5371 --arg text "$MESSAGE_TEXT" \
5472 '{
5876 "text": $text
5977 }')
6078
61- # 7. Send to Slack
6279 curl -X POST \
6380 -H 'Content-type: application/json' \
6481 --data "$SLACK_PAYLOAD" \
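Review bot: Commenting out the empty-result check (the `# 4. Check results (COMMENTED OUT FOR TESTING)` block) lands in the hourly scheduled job, so every run with no new critical/high alerts now continues with `ALERTS='[]'`: the debug line `jq '.[0] | keys'` errors on `null` (jq refuses `keys` on null), which under GitHub's default `bash -e` step shell fails the workflow every hour, and if that line is later dropped the `//` fallbacks post "Unknown Package (Unknown Severity)" linking to https://github.com into Slack. Restore the guard before the debug section, e.g. `if [ "$(echo "$ALERTS" | jq 'length')" -eq 0 ]; then echo "No new alerts found in the last hour."; exit 0; fi`, and either delete the DEBUG block or gate it behind a `workflow_dispatch` input rather than leaving it in the scheduled path. The `gh api` call has no `--paginate`, so only the first page of open alerts is filtered; that is probably acceptable while the API returns newest-first, but a comment such as `# first page only (newest first); add --paginate if >30 open alerts` would make the assumption explicit. The `run:` script begins above this hunk and the `curl` invocation continues past its last line, so the webhook target and any `shell:` setting are not visible here.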