mirooon committed Feb 17, 2025
1 parent ea04d44 commit f03fa4a
Showing 1 changed file with 98 additions and 68 deletions.
166 changes: 98 additions & 68 deletions .github/workflows/securityAlertsReview.yml
Expand Up @@ -41,108 +41,138 @@ jobs:
run: |
echo "Fetching security alerts for PR #${PR_NUMBER}..."
# Fetch security alerts via GitHub API
ALERTS=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" \
"https://api.github.com/repos/${{ github.repository }}/code-scanning/alerts?pr=${PR_NUMBER}")
echo "Raw API Response: $ALERTS"
# Log raw API response for debugging
echo "Raw API Response:"
echo "$ALERTS"
UNRESOLVED_ALERTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "open")]' || echo "[]")
DISMISSED_WITH_COMMENTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "dismissed" and (.dismissed_comment != null and .dismissed_comment != ""))]' || echo "[]")
DISMISSED_WITHOUT_COMMENTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "dismissed" and (.dismissed_comment == null or .dismissed_comment == ""))]' || echo "[]")
# Ensure valid JSON parsing; default to empty array if parsing fails
UNRESOLVED_ALERTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "open") ]' || echo "[]")
DISMISSED_ALERTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "dismissed" and (.dismissed_comment == null or .dismissed_comment == ""))]' || echo "[]")
UNRESOLVED_COUNT=$(echo "$UNRESOLVED_ALERTS" | jq -r 'length')
DISMISSED_WITH_COMMENTS_COUNT=$(echo "$DISMISSED_WITH_COMMENTS" | jq -r 'length')
DISMISSED_WITHOUT_COMMENTS_COUNT=$(echo "$DISMISSED_WITHOUT_COMMENTS" | jq -r 'length')
DISMISSED_COUNT=$(echo "$DISMISSED_ALERTS" | jq -r 'length')
# Output for debugging
echo "UNRESOLVED_ALERTS: $UNRESOLVED_ALERTS"
echo "DISMISSED_ALERTS: $DISMISSED_ALERTS"
echo "UNRESOLVED_COUNT: $UNRESOLVED_COUNT"
echo "DISMISSED_COUNT: $DISMISSED_COUNT"
# Save them properly in the environment as single-line JSON
echo "UNRESOLVED_ALERTS=$UNRESOLVED_ALERTS" >> $GITHUB_ENV
echo "DISMISSED_ALERTS=$DISMISSED_ALERTS" >> $GITHUB_ENV
echo "UNRESOLVED_COUNT=$UNRESOLVED_COUNT" >> $GITHUB_ENV
echo "DISMISSED_WITH_COMMENTS_COUNT=$DISMISSED_WITH_COMMENTS_COUNT" >> $GITHUB_ENV
echo "DISMISSED_WITHOUT_COMMENTS_COUNT=$DISMISSED_WITHOUT_COMMENTS_COUNT" >> $GITHUB_ENV
echo "DISMISSED_COUNT=$DISMISSED_COUNT" >> $GITHUB_ENV
- name: Find Existing PR Comment
id: find_comment
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "Searching for existing PR comment..."
COMMENT_ID=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" \
"https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" | jq -r \
'.[] | select(.body | startswith("### 🤖 GitHub Action: Security Alerts Review")) | .id')
if [[ -n "$COMMENT_ID" && "$COMMENT_ID" != "null" ]]; then
echo "EXISTING_COMMENT_ID=$COMMENT_ID" >> $GITHUB_ENV
fi
# (Optional: Add a step here to set EXISTING_COMMENT_ID if updating an existing comment)
echo "Found comment ID: $COMMENT_ID"
- name: Post or Update PR Comment
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
COMMENT_BODY=$'### 🤖 GitHub Action: Security Alerts Review 🔍\n'
COMMENT_BODY=$(echo -e "$COMMENT_BODY")
# Unresolved Alerts
COMMENT_BODY="### 🤖 GitHub Action: Security Alerts Review 🔍\n\n"
# Add Unresolved Alerts
if [[ "$UNRESOLVED_COUNT" -gt 0 ]]; then
COMMENT_BODY+=$'\n## 🚨 Unresolved Security Alerts\n'
COMMENT_BODY+=$'These **must be resolved** before merging:\n\n'
COMMENT_BODY+="🚨 **Unresolved Security Alerts Found!** 🚨\n"
COMMENT_BODY+="The following security alerts must be **resolved** before merging:\n\n"
echo "UNRESOLVED_ALERTS"
echo "$UNRESOLVED_ALERTS"
while IFS= read -r row; do
ALERT_URL=$(echo "$row" | jq -r '.html_url')
ALERT_FILE=$(echo "$row" | jq -r '.most_recent_instance.location.path')
ALERT_DESCRIPTION=$(echo "$row" | jq -r '.most_recent_instance.message.text')
COMMENT_BODY+=$'🔴 **[View Alert]('"$ALERT_URL"')**\n'
COMMENT_BODY+=$'📌 **File:** `'"$ALERT_FILE"'`\n'
COMMENT_BODY+=$'💡 **Issue:** '"$ALERT_DESCRIPTION"$'\n\n'
COMMENT_BODY+="🔴 [View Alert]($ALERT_URL) - **File:** \`$ALERT_FILE\`\n"
COMMENT_BODY+=" 🔹 $ALERT_DESCRIPTION\n\n"
done < <(echo "$UNRESOLVED_ALERTS" | jq -c '.[]')
COMMENT_BODY+=$'⚠️ **Please resolve these alerts before merging.**\n\n'
fi
# Dismissed Alerts With Comments (including DISMISS_REASON)
if [[ "$DISMISSED_WITH_COMMENTS_COUNT" -gt 0 ]]; then
COMMENT_BODY+=$'\n## ✅ Dismissed Alerts with Explanations\n'
COMMENT_BODY+=$'The following alerts were dismissed with valid reasons:\n\n'
while IFS= read -r row; do
ALERT_URL=$(echo "$row" | jq -r '.html_url')
ALERT_FILE=$(echo "$row" | jq -r '.most_recent_instance.location.path')
ALERT_DESCRIPTION=$(echo "$row" | jq -r '.most_recent_instance.message.text')
DISMISS_REASON=$(echo "$row" | jq -r '.dismissed_reason')
DISMISS_COMMENT=$(echo "$row" | jq -r '.dismissed_comment')
# Capitalize the first letter of the dismissal reason
FORMATTED_DISMISS_REASON=$(echo "$DISMISS_REASON" | awk '{print toupper(substr($0,1,1)) substr($0,2)}')
COMMENT_BODY+=$'🟢 **[View Alert]('"$ALERT_URL"')**\n'
COMMENT_BODY+=$'📌 **File:** `'"$ALERT_FILE"'`\n'
COMMENT_BODY+=$'💡 **Issue:** '"$ALERT_DESCRIPTION"$'\n'
COMMENT_BODY+=$'✏️ **Dismissal Reason:** `'${FORMATTED_DISMISS_REASON}'`\n'
COMMENT_BODY+=$'💬 **Comment:** "'"$DISMISS_COMMENT"'"'\n\n'
done < <(echo "$DISMISSED_WITH_COMMENTS" | jq -c '.[]')
COMMENT_BODY+=$'✅ **These alerts were reviewed and dismissed correctly.**\n\n'
COMMENT_BODY+="\n⚠️ **Please resolve these alerts before merging.**\n\n"
fi
# Dismissed Alerts Without Comments
if [[ "$DISMISSED_WITHOUT_COMMENTS_COUNT" -gt 0 ]]; then
COMMENT_BODY+=$'\n## ⚠️ Dismissed Alerts Without Comments\n'
COMMENT_BODY+=$'The following alerts were dismissed without explanations:\n\n'
# Add Dismissed Alerts Without Comments
if [[ "$DISMISSED_COUNT" -gt 0 ]]; then
COMMENT_BODY+="❌ **Some security alerts were dismissed without comments!** ❌\n"
COMMENT_BODY+="The following alerts were dismissed but require a reason:\n\n"
echo "DISMISSED_ALERTS"
echo "$DISMISSED_ALERTS"
while IFS= read -r row; do
ALERT_URL=$(echo "$row" | jq -r '.html_url')
ALERT_FILE=$(echo "$row" | jq -r '.most_recent_instance.location.path')
ALERT_DESCRIPTION=$(echo "$row" | jq -r '.most_recent_instance.message.text')
COMMENT_BODY+=$'⚠️ **[View Alert]('"$ALERT_URL"')**\n'
COMMENT_BODY+=$'📌 **File:** `'"$ALERT_FILE"'`\n'
COMMENT_BODY+=$'💡 **Issue:** '"$ALERT_DESCRIPTION"$'\n\n'
done < <(echo "$DISMISSED_WITHOUT_COMMENTS" | jq -c '.[]')
COMMENT_BODY+=$'⚠️ **Please provide a dismissal reason for these alerts.**\n\n'
fi
echo "COMMENT_BODY:"
echo "$COMMENT_BODY"
COMMENT_BODY+="⚠️ [View Alert]($ALERT_URL) - **File:** \`$ALERT_FILE\`\n"
COMMENT_BODY+=" 🔹 $ALERT_DESCRIPTION\n\n"
done < <(echo "$DISMISSED_ALERTS" | jq -c '.[]')
COMMENT_BODY+="\n⚠️ **Please provide a dismissal reason for these alerts.**\n\n"
fi
# Build JSON payload so that newlines are preserved.
COMMENT_BODY_JSON=$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')
echo "COMMENT_BODY_JSON:"
echo "$COMMENT_BODY_JSON"
# If no unresolved or dismissed alerts without comments, add success message
if [[ "$UNRESOLVED_COUNT" -eq 0 && "$DISMISSED_COUNT" -eq 0 ]]; then
COMMENT_BODY+="✅ **No unresolved security alerts!** 🎉\n\n"
fi
# Determine API URL (update if EXISTING_COMMENT_ID is set)
# Update existing comment if found
if [[ -n "$EXISTING_COMMENT_ID" ]]; then
API_URL="https://api.github.com/repos/${{ github.repository }}/issues/comments/${EXISTING_COMMENT_ID}"
echo "Updating existing comment ID: $EXISTING_COMMENT_ID"
curl -s -X PATCH -H "Authorization: token ${GITHUB_TOKEN}" -H "Content-Type: application/json" \
-d "{\"body\": \"$COMMENT_BODY\"}" \
"https://api.github.com/repos/${{ github.repository }}/issues/comments/${EXISTING_COMMENT_ID}"
else
API_URL="https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments"
echo "Posting new comment to PR..."
curl -s -X POST -H "Authorization: token ${GITHUB_TOKEN}" -H "Content-Type: application/json" \
-d "{\"body\": \"$COMMENT_BODY\"}" \
"https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments"
fi
echo "Using API URL: $API_URL"
# Post or update the PR comment using the JSON payload
HTTP_RESPONSE=$(curl -s -o response.json -w "%{http_code}" -X POST \
-H "Authorization: token ${GITHUB_TOKEN}" -H "Content-Type: application/json" \
--data "$COMMENT_BODY_JSON" \
"$API_URL")
- name: Check if Action Should Fail
run: |
echo "🔍 Checking if the workflow should fail based on security alerts..."
echo "HTTP_RESPONSE: $HTTP_RESPONSE"
cat response.json
echo "UNRESOLVED_COUNT"
echo $UNRESOLVED_COUNT
if [[ "$HTTP_RESPONSE" -ne 200 && "$HTTP_RESPONSE" -ne 201 ]]; then
echo "❌ Error: Failed to update PR comment. HTTP Status: $HTTP_RESPONSE"
exit 1
echo "DISMISSED_COUNT"
echo $DISMISSED_COUNT
# If there are unresolved alerts
if [[ "$UNRESOLVED_COUNT" -gt 0 ]]; then
echo "❌ ERROR: $UNRESOLVED_COUNT unresolved security alerts found!"
echo "⚠️ These alerts must be resolved before merging."
exit 1 # Fail the workflow
fi
# If there are dismissed alerts without comments
if [[ "$DISMISSED_COUNT" -gt 0 ]]; then
echo "❌ ERROR: $DISMISSED_COUNT security alerts were dismissed without comments!"
echo "⚠️ Please provide a dismissal reason for these alerts."
exit 1 # Fail the workflow
fi
echo "✅ No security issues found. The workflow will pass successfully."
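Review bot: The alerts fetch at the top of the hunk (the `curl` that fills `ALERTS`; the step header it belongs to is above the hunk) never checks the HTTP status, and the `|| echo "[]"` fallbacks on the `jq` filters turn any non-array error body (403/404 when the token lacks `security-events: read`, rate limiting, code scanning not enabled) into zero alerts, so the gate in the final step passes precisely when the check could not run; fetch to a file with `-w "%{http_code}"` as the comment-posting request already does, require 200 and an array before filtering, and fail the step otherwise. The update branch also appears to be sent with `-X POST` by the single `curl` that uses `API_URL`, while `/issues/comments/{id}` expects PATCH, so set `METHOD=PATCH` / `METHOD=POST` in the two `API_URL` branches and pass `-X "$METHOD"`; markers are lost on this page, so I am reading those lines as the new side. The comment lookup `jq` filter in "Find Existing PR Comment" can match several comments and would then write a multi-line value to `$GITHUB_ENV`; `first(.[] | select(.user.login == "github-actions[bot]" and (.body | startswith(...))) | .id)` keeps it single-valued and avoids adopting a comment that a PR author prefixed with the same marker.
```yaml
          echo "Fetching security alerts for PR #${PR_NUMBER}..."
          ALERTS_STATUS=$(curl -s -o alerts.json -w "%{http_code}" \
            -H "Authorization: token ${GITHUB_TOKEN}" \
            "https://api.github.com/repos/${{ github.repository }}/code-scanning/alerts?pr=${PR_NUMBER}")
          # Fail closed: an auth/permission/API error must not read as "no alerts".
          if [[ "$ALERTS_STATUS" -ne 200 ]] || ! jq -e 'type == "array"' alerts.json >/dev/null; then
            echo "::error::Could not fetch code-scanning alerts (HTTP $ALERTS_STATUS)"
            cat alerts.json
            exit 1
          fi
          ALERTS=$(cat alerts.json)
          # … unchanged: jq filtering, counts and $GITHUB_ENV exports …
```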
