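---
# Hourly poll of this repository's open Dependabot alerts; every alert created
# inside the look-back window is posted to Slack as one message.
#
# Secrets used:
#   DEPENDABOT_PAT    - token that can read Dependabot alerts (exposed to the
#                       gh CLI as GH_TOKEN)
#   SLACK_WEBHOOK_URL - incoming-webhook URL for the target channel
name: Security Vulnerability Slack Notification

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader treats it as the
# trigger map, so a yamllint `truthy` warning here is expected.
on:
  schedule:
    # Runs every hour at minute 0
    - cron: '0 * * * *'
  # Allows you to test manually
  workflow_dispatch:

# All API access goes through the PAT in GH_TOKEN, so the workflow's own
# GITHUB_TOKEN needs no permissions at all (least privilege).
permissions: {}

jobs:
  check-alerts:
    runs-on: ubuntu-latest
    steps:
      # No checkout step: the script never reads the working tree, and leaving
      # the step out keeps a third-party action out of the job.
      - name: Check for New Alerts
        env:
          GH_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          # Passed through env instead of being expanded inside the script so
          # the shell only ever sees a quoted variable, never a raw expression.
          REPO_NAME: ${{ github.repository }}
          # Must exceed the 60-minute schedule interval so a late-starting run
          # does not miss alerts; an alert created in the 5-minute overlap can
          # therefore be reported twice.
          LOOKBACK_MINUTES: "65"
        run: |
          # Abort on any failed command, unset variable or failed pipeline stage;
          # without this a failed `gh api` call is silently treated as "no alerts".
          set -euo pipefail

          # 1. Lower bound of the reporting window, UTC ISO-8601 with the same
          #    shape as the API's created_at so a plain string compare is valid.
          TIME_THRESHOLD=$(date -u -d "${LOOKBACK_MINUTES} minutes ago" +'%Y-%m-%dT%H:%M:%SZ')
          echo "Checking for alerts created after: $TIME_THRESHOLD"

          # 2. Fetch open alerts. per_page=100 raises the API's default page
          #    size (30) so a burst of alerts is not silently truncated.
          RAW_DATA=$(gh api "/repos/${REPO_NAME}/dependabot/alerts?state=open&per_page=100")

          # 3. Keep only alerts created inside the look-back window
          ALERTS=$(echo "$RAW_DATA" | jq --arg TIME "$TIME_THRESHOLD" \
            '[ .[] | select(.state == "open") | select(.created_at > $TIME) ]')

          # --- FOR TESTING ONLY ---
          # ALERTS=$(echo "$RAW_DATA" | jq '[ .[] | select(.state == "open") ]')
          # ---------------------------------------------------------------

          # 4. Nothing new: finish quietly
          LENGTH=$(echo "$ALERTS" | jq 'length')
          if [ "$LENGTH" -eq 0 ]; then
            echo "::notice:: No new alerts found in the last hour."
            exit 0
          fi
          echo "Found $LENGTH new alert(s). Sending notifications..."
          ISSUE_USER="Dependabot"

          # 5. One compact JSON object per line, one Slack message per alert
          echo "$ALERTS" | jq -c '.[]' | while read -r alert; do
            # Extract details; each `//` supplies a fallback when the field is
            # missing or null.
            SUMMARY=$(echo "$alert" | jq -r '.security_advisory.summary // "Security Vulnerability"')
            PACKAGE=$(echo "$alert" | jq -r '.dependency.package.name // "Unknown Package"')
            SEVERITY=$(echo "$alert" | jq -r '.security_advisory.severity // "Unknown"')
            ISSUE_URL=$(echo "$alert" | jq -r '.html_url // .url // "https://github.com"')

            # Format Title
            ISSUE_TITLE="${SUMMARY} - ${PACKAGE} (${SEVERITY})"
            echo "Sending alert for: $PACKAGE"

            # Build the Slack message text inside jq using "\(...)" interpolation,
            # with -r so the variable holds real newlines rather than escaped \n.
            MESSAGE_TEXT=$(jq -nr \
              --arg repo "$REPO_NAME" \
              --arg title "$ISSUE_TITLE" \
              --arg user "$ISSUE_USER" \
              --arg url "$ISSUE_URL" \
              '"*🚨 New Dependabot Alert (\($repo)) 🚨*\n\n*Issue Title:* \($title)\n*Opened By:* \($user)\n\n*View Issue:* \($url)"')

            # Build the JSON payload. Passing MESSAGE_TEXT via --arg lets jq do the
            # JSON escaping, so advisory text with quotes or backslashes is safe.
            SLACK_PAYLOAD=$(jq -n \
              --arg text "$MESSAGE_TEXT" \
              '{
                "channel": "#docs-devdocs-notifications",
                "username": "Security Vulnerability Slack Notification",
                "icon_emoji": ":rotating_light:",
                "text": $text
              }')

            # Send to Slack. -f makes an HTTP error a non-zero exit and -S still
            # prints the error; one failed post is logged and the loop continues
            # so the remaining alerts are still delivered.
            if ! curl -sS -f -X POST \
                 -H 'Content-type: application/json' \
                 --data "$SLACK_PAYLOAD" \
                 "$SLACK_WEBHOOK_URL"; then
              echo "::warning:: Slack notification failed for: $PACKAGE"
            fi
            sleep 1
          done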