Kunal Nagar edited this page Aug 6, 2024 · 16 revisions

marketing

@kunalnagarco/action-cve

A GitHub Action that forwards Dependabot vulnerability alerts for a repository, org or enterprise to one or more notification destinations:

  • Slack
  • Microsoft Teams
  • PagerDuty
  • Zenduty
  • Email

Usage

name: 'Check for Vulnerabilities'

on:
  schedule:
    - cron: '0 */6 * * *' # every 6 hours

jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      # X.X.X - Latest version available at: https://github.com/kunalnagarco/action-cve/releases
      - uses: kunalnagarco/action-cve@vX.X.X
        with:
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          org: ${{ secrets.ORG_NAME }}
          enterprise: ${{ secrets.ENTERPRISE_NAME }}
          slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
          pager_duty_integration_key: ${{ secrets.PAGER_DUTY_INTEGRATION_KEY }}
          zenduty_api_key: ${{ secrets.ZENDUTY_API_KEY }}
          zenduty_service_id: ${{ secrets.ZENDUTY_SERVICE_ID }}
          zenduty_escalation_policy_id: ${{ secrets.ZENDUTY_ESCALATION_POLICY_ID }}
          microsoft_teams_webhook: ${{ secrets.MICROSOFT_TEAMS_WEBHOOK }}
          email_from: from@email.com
          email_list: channelOne@email.com,channelTwo@email.com
          email_subject: My Custom Email Subject
          email_transport_smtp_port: 1003
          email_transport_smtp_user: smtpUser@email.com
          email_transport_smtp_password: smtpPassword
          count: 10
          severity: low,medium

Action Inputs

Input                            Description
token                            [Required] GitHub Personal Access Token. Create one here
org                              Org name to support Org level alerts. More info here
enterprise                       Enterprise name to support Enterprise level alerts. More info here
slack_webhook                    Slack Incoming Webhook URL. More info here
pager_duty_integration_key       PagerDuty Service Integration Key, also known as the Routing Key. More info here
zenduty_api_key                  Zenduty API Key. Create one under Account Settings > API Keys
zenduty_service_id               Zenduty Service ID. More info here
zenduty_escalation_policy_id     Zenduty Escalation Policy ID. More info here
count                            Number of alerts to send. Defaults to 20
severity                         Comma-separated list of severities to include, e.g. low,medium,high,critical (NO SPACES BETWEEN COMMA AND SEVERITY)
email_from                       Email From address
email_list                       Comma-separated list of email addresses that receive the notification as BCC recipients
email_subject                    Custom email subject (not required, a default is provided)
email_transport_smtp_port        Custom SMTP port (not required). Defaults to 587, the submission port that upgrades the connection with STARTTLS; use 465 for implicit TLS (SMTPS), or any custom port your server expects
email_transport_smtp_user        SMTP username
email_transport_smtp_password    SMTP password
microsoft_teams_webhook          Microsoft Teams Incoming Webhook URL. Create one here

Generating a GitHub Personal Access Token in an org

If you're using this action in an org where people are always joining and leaving, a Personal Access Token is a liability: it is tied to one person's account and has to be rotated whenever that person leaves. Instead, you can have a GitHub App mint a short-lived installation token inside the workflow and pass that to the action. This requires you to set up a GitHub App and store its App ID and private key as repository or org secrets. Here's one way to set this up:

- name: Get Token
  id: get_workflow_token
  uses: peter-murray/workflow-application-token-action@v1
  with:
    application_id: ${{ secrets.YOUR_APP_ID }}
    application_private_key: ${{ secrets.YOUR_APP_PRIVATE_KEY }}

- uses: kunalnagarco/action-cve@v1.7.13
  with:
    token: ${{ steps.get_workflow_token.outputs.token }}

Attributions