Home - kunalnagarco/action-cve GitHub Wiki

marketing

@kunalnagarco/action-cve

A GitHub action that sends Dependabot Vulnerability Alerts to multiple sources:

Slack
Microsoft Teams
PagerDuty
Zenduty
Email

Usage

name: 'Check for Vulnerabilities'

on:
  schedule:
    - cron: '0 */6 * * *' # every 6 hours

jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      # X.X.X - Latest version available at: https://github.com/kunalnagarco/action-cve/releases
      - uses: kunalnagarco/[email protected]
        with:
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          org: ${{ secrets.ORG_NAME }}
          enterprise: ${{ secrets.ENTERPRISE_NAME }}
          slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
          pager_duty_integration_key: ${{ secrets.PAGER_DUTY_INTEGRATION_KEY }}
          zenduty_integration_key: ${{ secrets.ZENDUTY_INTEGRATION_KEY }}
          # zenduty_api_key: ${{ secrets.ZENDUTY_API_KEY }}         # deprecated
          # zenduty_service_id: ${{ secrets.ZENDUTY_SERVICE_ID }}   # deprecated
          # zenduty_escalation_policy_id: ${{ secrets.ZENDUTY_ESCALATION_POLICY_ID }} # deprecated
          microsoft_teams_webhook: ${{ secrets.MICROSOFT_TEAMS_WEBHOOK }}
          email_from: [email protected]
          email_list: [email protected],[email protected]
          email_subject: My Custom Email Subject
          email_transport_ses_region: ${{ secrets.AWS_SES_REGION }}
          email_transport_ses_access_key_id: ${{ secrets.AWS_SES_ACCESS_KEY_ID }}
          email_transport_ses_secret_access_key: ${{ secrets.AWS_SES_SECRET_ACCESS_KEY }}
          email_transport_smtp_host: smtp.gmail.com
          email_transport_smtp_port: 587
          email_transport_smtp_user: [email protected]
          email_transport_smtp_password: smtpPassword
          count: 10
          severity: low,medium
          ecosystem: npm,pip
          ignore: lodash,axios

Action Inputs

Input	Description
`token`	[Required] GitHub Personal Access Token. Create one here
`org`	Org name to support Org level alerts. More info here
`enterprise`	Enterprise name to support Enterprise level alerts. More info here
`slack_webhook`	Slack Incoming Webhook URL. More info here
`pager_duty_integration_key`	Pager Duty Service Integration Key. Also known as Routing key. More info here
`zenduty_integration_key`	Zenduty Integration Key (preferred). Create a Generic Integration in your Zenduty service. More info on the Send alerts to Zenduty page
`zenduty_api_key`	(Deprecated) Zenduty API Key. Use `zenduty_integration_key` instead
`zenduty_service_id`	(Deprecated) Zenduty Service ID, required with `zenduty_api_key`. More info here
`zenduty_escalation_policy_id`	(Deprecated) Zenduty Escalation Policy ID, required with `zenduty_api_key`. More info here
`count`	Number of alerts to send. Defaults to `20`
`severity`	Comma separated list of severities. E.g. low,medium,high,critical (NO SPACES BETWEEN COMMA AND SEVERITY)
`email_from`	Email from address
`email_list`	Comma-separated list of emails to send the notification to as bcc
`email_subject`	Custom email subject (not required, default is provided)
`email_transport_ses_region`	AWS SES region e.g. `us-east-1`. More info on the Send alerts to email page
`email_transport_ses_access_key_id`	AWS SES Access Key ID
`email_transport_ses_secret_access_key`	AWS SES Secret Access Key
`email_transport_smtp_host`	SMTP host (default: `smtp.gmail.com`)
`email_transport_smtp_port`	SMTP port (default: `587` for TLS, use `465` for STARTTLS)
`email_transport_smtp_user`	SMTP Username
`email_transport_smtp_password`	SMTP Password
`ecosystem`	Comma-separated list of ecosystems to filter alerts by. E.g. `npm,pip` (NO SPACES BETWEEN COMMA AND ECOSYSTEM)
`ignore`	Comma-separated list of package names to suppress alerts for. E.g. `lodash,axios` (NO SPACES BETWEEN COMMA AND PACKAGE NAME)
`microsoft_teams_webhook`	Create an incoming webhook here

Generating a GitHub Personal Access Token in an org

If you're using this action in an org where people are always joining/leaving, you can use a GitHub action to generate the token that requires you to set up a GitHub application. Here's one way to set this up:

- name: Get Token
  id: get_workflow_token
  uses: peter-murray/workflow-application-token-action@v1
  with:
    application_id: ${{ secrets.YOUR_APP_ID }}
    application_private_key: ${{ secrets.YOUR_APP_PRIVATE_KEY }}

- uses: kunalnagarco/[email protected]
  with:
    token: ${{ steps.get_workflow_token.outputs.token }}

Attributions

Bug icon: Made by Freepik from https://www.flaticon.com/