-
Notifications
You must be signed in to change notification settings - Fork 1
/
analyze-reports.yml
77 lines (68 loc) · 3.31 KB
/
analyze-reports.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
##############################################################################
# Manual GitHub Actions workflow which analyzes the Code Scanning alerts for
# a period of time and generates Markdown output. Optionally, the workflow
# can automatically re-open all of the retrieved alerts.
##############################################################################
name: Alerts Report
on:
workflow_dispatch:
inputs:
state:
type: choice
description: State
required: true
default: dismissed
options:
- open
- closed
- dismissed
timeframe:
type: choice
description: Data retrieval timeframe
required: true
default: "1 month"
options:
- 24 hours
- 48 hours
- 1 week
- 1 month
reopen-dismissed:
type: boolean
description: Reopen dismissed alerts
required: true
default: false
jobs:
analyze:
runs-on: ubuntu-latest
steps:
# Define an environment variable that represents the start date for retrieving alerts
- run: echo "START_DATE=$(date -d '-${{ inputs.timeframe }}' --iso-8601='minutes')" >> $GITHUB_ENV
# Define an environment variable for the path to a file that will be used to capture the alerts
- run: echo "ALERTS_PATH=${{ runner.temp}}/alerts.json" >> $GITHUB_ENV
# Using the GH CLI (authenticated with the GITHUB_TOKEN), query the scanning alerts in the requested
# state (open/closed/dismissed) and save a subset of the details to the temporary file for further
# processing and evaluation. Use --paginate to ensure we get all of the records.
- run: |
gh api -X GET repos/${{ github.repository }}/code-scanning/alerts -f after="${{ env.START_DATE }}" \
--paginate -f state=${{ inputs.state }} \
--jq '[.[] | { id: .number, state, url, dismissed_by : .dismissed_by.login , rule: .rule.id, severity: .rule.severity, level: .rule.security_severity_level }]' >> ${{ env.ALERTS_PATH }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# For demonstration purposes only, output the contents of the file.
- run: cat $ALERTS_PATH
# Convert the JSON-formatted alert details to a Markdown table and save the
# results to the Step Summary for display.
- run: |
echo "| ID | State | Dismissed By | Severity | Level |" >> $GITHUB_STEP_SUMMARY
echo "| -- | ----- | ------------ | -------- | ----- |" >> $GITHUB_STEP_SUMMARY
jq '.[] | @text "| \(.id) | \(.state) | \(.dismissed_by) | \(.severity) | \(.level) |"' -r $ALERTS_PATH >> $GITHUB_STEP_SUMMARY
# If the report is a list of dismissed alerts AND if the user has chosen to reopen those alerts,
# use a Bash script and the GH CLI to re-open each alert
- if: ${{ inputs.state == 'dismissed' && inputs.reopen-dismissed }}
run: |
for row in $(jq -r '.[] | @base64' $ALERTS_PATH); do
echo $( echo "$row" | base64 --decode | jq -r '.url' );
gh api --method PATCH -H "Accept: application/vnd.github.v3+json" \
"/repos/${{ github.repository }}/code-scanning/alerts/$( echo "$row" | base64 --decode | jq -r '.id' )" -f state='open'
done