Skip to content

Instantly share code, notes, and snippets.

@captn3m0

captn3m0/README.md

Created June 30, 2021 10:05
Show Gist options
  • Save captn3m0/8806a2b7943657c39cc42502560a0f9f to your computer and use it in GitHub Desktop.
Save captn3m0/8806a2b7943657c39cc42502560a0f9f to your computer and use it in GitHub Desktop.
Download ZIP
Grant Security Alert Permission on GitHub Org Script
Raw
README.md
  1. Set your Cookie header value in Line 3 of give-access.sh
  2. Set the team IDs that will have access on Line 24. You can add multiple teams.
  3. Edit the repos.txt file with one repository per line
  4. Make sure jq curl and pup are installed. (pup is available at https://github.com/EricChiang/pup)
  5. Run the script (./give-access.sh). A response code of 302 indicates the change was made successfully for that repo. Anything else is failure.

The only 3 cookies that you need to set are: __Host-user_session_same_site, user_session, _gh_sess

The values for user_session and _gh_sess are the same.

Raw
give-access.sh
#!/bin/bash
COOKIE=""
function give_access() {
# Get Authenticity Token
curl --silent --request GET \
--url "https://github.com/$1/settings/security_analysis" \
-H "cookie: $COOKIE" \ > /tmp/repo-settings.html
CSRF_TOKEN=$(cat /tmp/repo-settings.html | pup '.js-protected-branch-settings input[name=authenticity_token] attr{value}')
# echo "Got authenticity_token as $CSRF_TOKEN"
token=$(printf %s "$CSRF_TOKEN"|jq -sRr @uri)
# echo $token
sleep 0.5
CURL_STATUS=$(curl "https://github.com/$1/settings/alerts" \
-H 'authority: github.com' \
-H 'origin: https://github.com' \
-H 'content-type: application/x-www-form-urlencoded' \
-H "referer: https://github.com/$1/settings/security_analysis" \
-H "cookie: $COOKIE" \
--data-raw "_method=put&authenticity_token=$token&vulnerability_team_ids%5B%5D=1234&vulnerability_team_ids%5B%5D=5678" --silent \
-o /dev/null --write-out '%{http_code}\n' \
--compressed)
echo "$CURL_STATUS $1"
}
while IFS= read -r LINE; do
give_access $LINE
done < repos.txt
Raw
repos.txt
org/repo1
org/repo2
org/repo3
@Rishi16royy
Copy link

@captn3m0 I am getting 302 after running this script but when I go to github UI then i don't see the desired team have access to security alerts.

@captn3m0
Copy link
Author

Ran this a while back so i can't say for sure. Make the same change from the UI and see what's the difference in the final curl command? Maybe GitHub has changed things since in the UI.

@Rishi16royy
Copy link

It is working now. We need to pass the exact userID instead of teamID.

@Rishi16royy
Copy link

Thanks for writing this script. It helped a lot. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment