@kunalnagarco/action-cve
An Open Source GitHub action that sends Dependabot Security Alerts to Slack and PagerDuty.
Inspiration
GitHub has a webhook event called repository_vulnerability_alert that is triggered when a vulnerability is discovered on a repository/organization. Unfortunately, there’s no documentation (that I could find) to watch for this event in a GitHub action and send it to alerting platforms.
I created this GitHub action that can be run on a CRON schedule (every 6 hours is recommended).
Installation
There are a few things you need to set up on the repository before this action can be used:
- Enable Dependabot Alerts for the repository.
- Create a GitHub Personal Access Token and add it to the repository's secrets.
- For Slack, you'd want to send these alerts to a dedicated channel. Create a Webhook URL for the channel and add it to the repository's secrets. You may also use the Incoming Webhooks Slack app that makes it a lot easier. For PagerDuty, the action will send an Alert Event which should create a new Incident with an info severity.
- Create a new GitHub action:
For more documentation, please check out the Wiki.
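To illustrate what the action does on each cron run, here is an added example (not the project's own code) that maps a Dependabot alert to a Slack Incoming Webhook message and a PagerDuty Events API v2 trigger with info severity. The alert shape follows GitHub's REST API Dependabot alert object, the sample alert and the routing key are constructed placeholders, and the dedup_key is an assumption about how repeat runs should be kept from opening duplicate incidents.

```javascript
// Constructed sample alert, shaped like a GitHub REST API Dependabot alert object.
const sampleAlert = {
  number: 42,
  state: "open",
  html_url: "https://github.com/example-org/example-repo/security/dependabot/42",
  dependency: { package: { ecosystem: "npm", name: "example-lib" } },
  security_advisory: { summary: "Prototype pollution in example-lib", severity: "high" },
};

// Only alerts that are still open should page anyone; dismissed/fixed ones are noise.
function openAlerts(alerts) {
  return alerts.filter((a) => a.state === "open");
}

// Slack Incoming Webhooks accept a JSON body with a "text" field; one message per run.
function slackPayload(repo, alerts) {
  const lines = alerts.map(
    (a) =>
      `- [${a.security_advisory.severity.toUpperCase()}] ${a.dependency.package.name}: ` +
      `${a.security_advisory.summary} (<${a.html_url}|#${a.number}>)`
  );
  return { text: `${alerts.length} open Dependabot alert(s) in ${repo}\n${lines.join("\n")}` };
}

// PagerDuty Events API v2 "trigger" event. Severity is fixed to "info" as the README
// states; dedup_key (assumed here) makes a 6-hourly re-run update the existing incident
// for the same alert instead of creating a new one each time.
function pagerDutyEvent(routingKey, repo, alert) {
  return {
    routing_key: routingKey,
    event_action: "trigger",
    dedup_key: `${repo}/dependabot/${alert.number}`,
    payload: {
      summary: `${repo}: ${alert.security_advisory.summary} (${alert.dependency.package.name})`,
      source: repo,
      severity: "info",
      custom_details: {
        ecosystem: alert.dependency.package.ecosystem,
        advisory_severity: alert.security_advisory.severity,
      },
    },
    links: [{ href: alert.html_url, text: "Dependabot alert" }],
  };
}

// In the real action these objects would be POSTed as JSON to the Slack webhook URL
// and to https://events.pagerduty.com/v2/enqueue using secrets from the workflow.
const repo = "example-org/example-repo";
console.log(JSON.stringify(slackPayload(repo, openAlerts([sampleAlert])), null, 2));
console.log(JSON.stringify(pagerDutyEvent("ROUTING_KEY_PLACEHOLDER", repo, sampleAlert), null, 2));
```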
Support
If you find a bug, please open an issue.