Display open GitHub security alerts of high or critical severity
#!/bin/bash
set -e
REQUIREMENTS="gh"
for CMD in ${REQUIREMENTS};do
if ! command -v $CMD &> /dev/null
then
echo "Please install $CMD"
exit 1
fi
done
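# Print usage on stdout. Invoked for -h/--help; the caller exits afterwards.
# The usage line now lists -o/--org, which the OPTIONS section already described.
help() {
  cat <<'EOF'
list your security alerts
USAGE
$ gh-alerts [-h | --help] [-o | --org <org>] [<package>]
OPTIONS
-o, --org <org> show alerts at org level (needs GITHUB_ADMIN_ORG_READ_TOKEN)
-h, --help show the help
EXAMPLES
$ gh-alerts pyyaml
PACKAGE SEVERITY MANIFEST
pyyaml high severity requirements.txt
pyyaml high severity requirements.txt
EOF
}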
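# Parse the command line into the globals OWNER and PACKAGE.
#   -o, --org <org>  sets OWNER (org-level listing); the value is mandatory —
#                    the original `shift` past a missing value made the script
#                    die silently under set -e
#   -h, --help       prints usage and exits 0
#   anything else    is taken as the package to filter on (last one wins)
# PACKAGE is later spliced into a Go template string (see TEMPLATE), where a
# double quote or backslash would break the template instead of filtering, so
# such values are rejected here with an explicit message.
# Arguments: the script's positional parameters
# Returns:   0; exits 1 on a usage error
parse_args() {
  while (( $# > 0 )); do
    case "$1" in
      -o | --org)
        if (( $# < 2 )) || [[ -z "$2" ]]; then
          printf 'error: %s requires an organization name\n' "$1" >&2
          exit 1
        fi
        OWNER="$2"
        shift
        ;;
      -h | --help)
        help
        exit 0
        ;;
      *)
        case "$1" in
          *[\"\\]*)
            printf 'error: package name may not contain a double quote or backslash: %s\n' "$1" >&2
            exit 1
            ;;
        esac
        PACKAGE="$1"
        ;;
    esac
    shift
  done
}
parse_args "$@"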
# GraphQL query for repository-level alerts. `gh api graphql --paginate`
# supplies $endCursor from the pageInfo block below, so every page of the
# vulnerabilityAlerts connection is fetched. dismissReason/dismissedAt are
# requested but no template below filters on them, so dismissed alerts — if the
# API includes them — are listed as well; confirm against the intended meaning
# of "open" alerts.
QUERY='
query($owner: String!, $repo: String!, $endCursor: String) {
repository(owner: $owner, name: $repo) {
vulnerabilityAlerts(first: 100, after: $endCursor) {
nodes {
createdAt
dismissReason
dismissedAt
dismisser { login, name }
securityAdvisory { summary, permalink }
securityVulnerability {
package { name }
severity
}
vulnerableManifestPath
vulnerableRequirements
},
pageInfo {
hasNextPage
endCursor
}
}
}
}
'
TEMPLATE="
{{- range .data.repository.vulnerabilityAlerts.nodes -}}
{{- if or (not \"${PACKAGE}\") (eq .securityVulnerability.package.name \"${PACKAGE}\") -}}
{{- if eq .securityVulnerability.severity \"CRITICAL\" -}}
{{- tablerow .securityVulnerability.package.name (autocolor \"red\" \"critical severity\") .vulnerableManifestPath -}}
{{- else if eq .securityVulnerability.severity \"HIGH\" -}}
{{- tablerow .securityVulnerability.package.name (autocolor \"magenta\" \"high severity\") .vulnerableManifestPath -}}
{{- end}}
{{- end}}
{{- end -}}
"
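# GraphQL query for organization-level alerts. `gh api graphql --paginate`
# drives $endCursor from the outer pageInfo block, i.e. it pages through the
# repositories connection. The nested vulnerabilityAlerts connection must NOT
# reuse that cursor (the original did, feeding a repositories cursor to a
# different connection from the second page onward); it is fetched without
# `after:` instead. Consequence: only the first 100 alerts of each repository
# are returned by this query — nested pagination is not available here.
ORG_QUERY='
query($owner: String!, $endCursor: String) {
organization (login: $owner) {
repositories(first: 100, after: $endCursor) {
nodes {
vulnerabilityAlerts(first: 100) {
nodes {
createdAt
dismissReason
dismissedAt
dismisser { login, name }
repository { nameWithOwner }
securityAdvisory { summary, permalink }
securityVulnerability {
package { name }
severity
}
vulnerableManifestPath
vulnerableRequirements
}
}
},
pageInfo {
hasNextPage
endCursor
}
}
}
}
'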
# Go template for organization-level output: one tablerow (repository,
# package, severity, manifest path) per CRITICAL or HIGH alert. Unlike
# TEMPLATE this is single-quoted, so no shell expansion happens and there is
# no package filter inside the template — filtering on PACKAGE is done on the
# output by the caller. The $repo binding in the outer range is unused.
ORG_TEMPLATE='
{{- range $repo := .data.organization.repositories.nodes -}}
{{- range .vulnerabilityAlerts.nodes -}}
{{- if eq .securityVulnerability.severity "CRITICAL" -}}
{{- tablerow .repository.nameWithOwner .securityVulnerability.package.name (autocolor "red" "critical severity") .vulnerableManifestPath -}}
{{- else if eq .securityVulnerability.severity "HIGH" -}}
{{- tablerow .repository.nameWithOwner .securityVulnerability.package.name (autocolor "magenta" "high severity") .vulnerableManifestPath -}}
{{- end -}}
{{- end -}}
{{- end -}}
'
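# Authenticate gh with the token in GITHUB_ADMIN_ORG_READ_TOKEN.
# The token is streamed to `gh auth login --with-token` on stdin; it is never
# written to disk. (The original wrote it to ./gh-token.txt with the default
# umask, and under set -e a failed `gh auth login` skipped the rm, leaving the
# token behind.) printf rather than echo, so a token is never an argv word
# and the value is not interpreted for escapes.
# Globals:  GITHUB_ADMIN_ORG_READ_TOKEN (read)
# Returns:  status of `gh auth login`; exits if the token variable is empty/unset
gh_auth() {
  : "${GITHUB_ADMIN_ORG_READ_TOKEN:?GITHUB_ADMIN_ORG_READ_TOKEN must be set for org-level queries}"
  printf '%s\n' "${GITHUB_ADMIN_ORG_READ_TOKEN}" | gh auth login --with-token
}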
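# Run the query: organization-level when -o/--org was given, else the current
# repository (gh resolves the :owner/:repo placeholders from the local checkout).
if [[ -n "${OWNER:-}" ]]; then
  gh_auth
  # ORG_TEMPLATE has no package filter, so filter the tablerow output on its
  # second column, which is the package name (first is owner/repo); an empty
  # PACKAGE lets every row through. The original grepped for "OWNER/PACKAGE",
  # which only matched rows whose *repository* was named like the package.
  # No `exec` on a pipeline stage: it would only replace that stage's subshell.
  # No matching rows is not an error.
  gh api graphql --paginate -F owner="${OWNER}" -f query="${ORG_QUERY}" --template="${ORG_TEMPLATE}" \
    | awk -v pkg="${PACKAGE:-}" 'pkg == "" || $2 == pkg'
else
  exec gh api graphql --paginate -F owner=":owner" -F repo=":repo" -f query="${QUERY}" --template="${TEMPLATE}"
fi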