Created
October 21, 2021 06:45
-
-
Save mva-verbit/449ac21aec87c3982d032e8d47bca8d7 to your computer and use it in GitHub Desktop.
GitHub dependabot list critical/high alerts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| import requests | |
| import os | |
| import sys | |
| import yaml | |
| headers = {"Authorization": "token {}".format( | |
| os.environ.get('GITHUB_ADMIN_ORG_READ_TOKEN', ''))} | |
| def run_query(query, variables): | |
| request = requests.post('https://api.github.com/graphql', | |
| json={'query': query, 'variables': variables}, headers=headers) | |
| if request.status_code == 200: | |
| return request.json()['data'] | |
| else: | |
| raise Exception("Query failed to run by returning code of {}. {}".format( | |
| request.status_code, query)) | |
| def getDependencyAlerts(repo_owner, repo_name): | |
| query = ''' | |
| query($repo_owner: String!, $repo_name: String!, $after: String ) { | |
| repository(owner: $repo_owner , name: $repo_name ) { | |
| vulnerabilityAlerts(first:100, after: $after ) { | |
| totalCount | |
| nodes { | |
| id | |
| createdAt | |
| dismissReason | |
| dismissedAt | |
| dismisser{ | |
| login | |
| } | |
| securityAdvisory{ | |
| description | |
| ghsaId | |
| identifiers{ | |
| type | |
| value | |
| } | |
| origin | |
| publishedAt | |
| severity | |
| } | |
| securityVulnerability{ | |
| package{ | |
| ecosystem | |
| name | |
| } | |
| } | |
| vulnerableManifestFilename | |
| vulnerableManifestPath | |
| vulnerableRequirements | |
| } | |
| pageInfo{ | |
| hasNextPage | |
| endCursor | |
| } | |
| } | |
| } | |
| } | |
| ''' | |
| variables = { | |
| "repo_owner": repo_owner, | |
| "repo_name": repo_name, | |
| "after": None | |
| } | |
| totalCount = None | |
| alerts = [] | |
| while True: | |
| data = run_query(query, variables)['repository']['vulnerabilityAlerts'] | |
| totalCount = data['totalCount'] | |
| alerts.extend(data['nodes']) | |
| if data['pageInfo']['hasNextPage']: | |
| variables["after"] = data['pageInfo']['endCursor'] | |
| else: | |
| break | |
| if len(alerts) == totalCount: | |
| return alerts | |
| else: | |
| raise Exception('graphql call not functioning properly,') | |
| if __name__ == '__main__': | |
| argparser = argparse.ArgumentParser() | |
| argparser.add_argument('-o', '--organization', | |
| help='GitHub organization name', | |
| default='verbit-ai', | |
| required=False) | |
| argparser.add_argument('-r', '--repository', | |
| help='GitHub repository name', | |
| required=True) | |
| args = argparser.parse_args() | |
| alerts = getDependencyAlerts(args.organization, args.repository) | |
| print(f"Found {len(alerts)} open Dependabot security alerts in {args.repository} repository") | |
| i = 0 | |
| for alert in alerts: | |
| if alert.get('securityAdvisory').get('severity') in ['CRITICAL', 'HIGH']: | |
| print(f"\n--- ALERT {i} ---\n") | |
| print(yaml.dump(alert, allow_unicode=True, default_flow_style=False)) | |
| i += 1 | |
| if i > 0: | |
| print(f"------\n{i} from {len(alerts)} open alerts have Critical/High Severity, please review/fix them") | |
| sys.exit(i) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment