Last active
October 21, 2021 03:48
-
-
Save mvasilenko/912a59122f7662b2c3963280bd48b7fb to your computer and use it in GitHub Desktop.
GitHub security - list open dependabot alerts with critical/high severities
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| import requests | |
| import os | |
| import sys | |
| import yaml | |
| headers = {"Authorization": "token {}".format( | |
| os.environ.get('GITHUB_ADMIN_ORG_READ_TOKEN', ''))} | |
| def run_query(query, variables): | |
| request = requests.post('https://api.github.com/graphql', | |
| json={'query': query, 'variables': variables}, headers=headers) | |
| if request.status_code == 200: | |
| return request.json()['data'] | |
| else: | |
| raise Exception("Query failed to run by returning code of {}. {}".format( | |
| request.status_code, query)) | |
| def getDependencyAlerts(repo_owner, repo_name): | |
| query = ''' | |
| query($repo_owner: String!, $repo_name: String!, $after: String ) { | |
| repository(owner: $repo_owner , name: $repo_name ) { | |
| vulnerabilityAlerts(first:100, after: $after ) { | |
| totalCount | |
| nodes { | |
| id | |
| createdAt | |
| dismissReason | |
| dismissedAt | |
| dismisser{ | |
| login | |
| } | |
| securityAdvisory{ | |
| description | |
| ghsaId | |
| identifiers{ | |
| type | |
| value | |
| } | |
| origin | |
| publishedAt | |
| severity | |
| } | |
| securityVulnerability{ | |
| package{ | |
| ecosystem | |
| name | |
| } | |
| } | |
| vulnerableManifestFilename | |
| vulnerableManifestPath | |
| vulnerableRequirements | |
| } | |
| pageInfo{ | |
| hasNextPage | |
| endCursor | |
| } | |
| } | |
| } | |
| } | |
| ''' | |
| variables = { | |
| "repo_owner": repo_owner, | |
| "repo_name": repo_name, | |
| "after": None | |
| } | |
| totalCount = None | |
| alerts = [] | |
| while True: | |
| data = run_query(query, variables)['repository']['vulnerabilityAlerts'] | |
| totalCount = data['totalCount'] | |
| alerts.extend(data['nodes']) | |
| if data['pageInfo']['hasNextPage']: | |
| variables["after"] = data['pageInfo']['endCursor'] | |
| else: | |
| break | |
| if len(alerts) == totalCount: | |
| return alerts | |
| else: | |
| raise Exception('graphql call not functioning properly,') | |
| if __name__ == '__main__': | |
| argparser = argparse.ArgumentParser() | |
| argparser.add_argument('-o', '--organization', | |
| help='GitHub organization name', | |
| required=True) | |
| argparser.add_argument('-r', '--repository', | |
| help='GitHub repository name', | |
| required=True) | |
| args = argparser.parse_args() | |
| alerts = getDependencyAlerts(args.organization, args.repository) | |
| print(f"Found {len(alerts)} open Dependabot security alerts in {args.repository} repository") | |
| i = 0 | |
| for alert in alerts: | |
| if alert.get('securityAdvisory').get('severity') in ['CRITICAL', 'HIGH']: | |
| print(f"\n--- ALERT {i} ---\n") | |
| print(yaml.dump(alert, allow_unicode=True, default_flow_style=False)) | |
| i += 1 | |
| if i > 0: | |
| print(f"------\n{i} from {len(alerts)} open alerts have Critical/High Severity, please review/fix them") | |
| sys.exit(i) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment