feat: Add inputs for manifest_paths and slack_channel

action.yml

@@ -12,6 +12,10 @@ inputs:
     description: 'Microsoft Teams Channel Webhook URL. More info: https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook'
   slack_webhook:
     description: 'Slack Webhook URL. More info: https://api.slack.com/messaging/webhooks'
+  slack_channel:
+    description: 'Explicit channel for Slack webhook. If omitted, the channel configured in the webhook is used.'
+    required: false
+    default: ''
   pager_duty_integration_key:
     description: 'Pager Duty Integration Key. More info: https://support.pagerduty.com/docs/services-and-integrations'
   zenduty_api_key:
@@ -43,6 +47,8 @@ inputs:
     description: 'Comma separated list of severities. E.g. low,medium,high,critical (NO SPACES BETWEEN COMMA AND SEVERITY)'
   ecosystem:
     description: 'A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.'
+  manifest_paths:
+    description: 'Multi-line list of manifest paths. If specified, only alerts for these manifests will be sent.'
 branding:
   icon: 'alert-octagon'
   color: 'red'

src/destinations/slack.ts

@@ -35,6 +35,7 @@ const createAlertBlock = (alert: Alert): KnownBlock => ({
     text: `
 *Package:* ${alert.packageName}
 *Repository:* ${getFullRepositoryNameFromAlert(alert)}
+*Manifest path:* ${alert.manifestPath}
 *Vulnerability Version Range:* ${alert.vulnerability?.vulnerableVersionRange}
 *Patched Version:* ${alert.vulnerability?.firstPatchedVersion}
 *Severity:* ${alert.advisory?.severity}
@@ -61,9 +62,12 @@ export const validateSlackWebhookUrl = (url: string): boolean => {
 
 export const sendAlertsToSlack = async (
   webhookUrl: string,
+  channel: string,
   alerts: Alert[],
 ): Promise<void> => {
-  const webhook = new IncomingWebhook(webhookUrl)
+  const webhook = new IncomingWebhook(webhookUrl, {
+    channel,
+  })
   const alertBlocks: KnownBlock[] = []
   alerts.forEach((alert) => {
     alertBlocks.push(createAlertBlock(alert))

src/entities/alert.ts

@@ -10,6 +10,7 @@ export type DependabotAlert =
 export interface Alert {
   repository: Repository
   packageName: string
+  manifestPath?: string
   advisory?: Advisory
   vulnerability?: Vulnerability
   createdAt: string
@@ -25,6 +26,7 @@ export const toRepositoryAlert = (
     owner: repositoryOwner,
   },
   packageName: dependabotAlert.security_vulnerability.package.name || '',
+  manifestPath: dependabotAlert.dependency.manifest_path,
   advisory: dependabotAlert.security_advisory
     ? toAdvisory(dependabotAlert.security_advisory)
     : undefined,
@@ -43,6 +45,7 @@ export const toOrgAlert = (dependabotOrgAlert: DependabotOrgAlert): Alert => ({
     owner: dependabotOrgAlert.repository.owner.login,
   },
   packageName: dependabotOrgAlert.security_vulnerability.package.name || '',
+  manifestPath: dependabotOrgAlert.dependency.manifest_path,
   advisory: dependabotOrgAlert.security_advisory
     ? toAdvisory(dependabotOrgAlert.security_advisory)
     : undefined,
@@ -64,6 +67,7 @@ export const toEnterpriseAlert = (
   },
   packageName:
     dependabotEnterpriseAlert.security_vulnerability.package.name || '',
+  manifestPath: dependabotEnterpriseAlert.dependency.manifest_path,
   advisory: dependabotEnterpriseAlert.security_advisory
     ? toAdvisory(dependabotEnterpriseAlert.security_advisory)
     : undefined,

src/main.ts

@@ -1,4 +1,4 @@
-import { getInput, setFailed } from '@actions/core'
+import { getInput, getMultilineInput, setFailed } from '@actions/core'
 import { context } from '@actions/github'
 
 import {
@@ -23,6 +23,7 @@ async function run(): Promise<void> {
     const enterprise = getInput('enterprise')
     const microsoftTeamsWebhookUrl = getInput('microsoft_teams_webhook')
     const slackWebhookUrl = getInput('slack_webhook')
+    const slackChannel = getInput('slack_channel')
     const pagerDutyIntegrationKey = getInput('pager_duty_integration_key')
     const zenDutyApiKey = getInput('zenduty_api_key')
     const zenDutyServiceId = getInput('zenduty_service_id')
@@ -39,12 +40,19 @@ async function run(): Promise<void> {
     const count = parseInt(getInput('count'))
     const severity = getInput('severity')
     const ecosystem = getInput('ecosystem')
+    const manifestPaths = getMultilineInput('manifest_paths')
 
-    let alerts: Alert[] = []
+    let fetchedAlerts: Alert[] = []
     if (org) {
-      alerts = await fetchOrgAlerts(token, org, severity, ecosystem, count)
+      fetchedAlerts = await fetchOrgAlerts(
+        token,
+        org,
+        severity,
+        ecosystem,
+        count,
+      )
     } else if (enterprise) {
-      alerts = await fetchEnterpriseAlerts(
+      fetchedAlerts = await fetchEnterpriseAlerts(
         token,
         org,
         severity,
@@ -53,7 +61,7 @@ async function run(): Promise<void> {
       )
     } else {
       const { owner, repo } = context.repo
-      alerts = await fetchRepositoryAlerts(
+      fetchedAlerts = await fetchRepositoryAlerts(
         token,
         repo,
         owner,
@@ -62,6 +70,16 @@ async function run(): Promise<void> {
         count,
       )
     }
+    const alerts =
+      manifestPaths.length > 0
+        ? fetchedAlerts.filter(
+            (alert) =>
+              alert.manifestPath &&
+              manifestPaths.some(
+                (manifestPath) => manifestPath === alert.manifestPath,
+              ),
+          )
+        : fetchedAlerts
     if (alerts.length > 0) {
       if (microsoftTeamsWebhookUrl) {
         await sendAlertsToMicrosoftTeams(microsoftTeamsWebhookUrl, alerts)
@@ -70,7 +88,7 @@ async function run(): Promise<void> {
         if (!validateSlackWebhookUrl(slackWebhookUrl)) {
           setFailed(new Error('Invalid Slack Webhook URL'))
         } else {
-          await sendAlertsToSlack(slackWebhookUrl, alerts)
+          await sendAlertsToSlack(slackWebhookUrl, slackChannel, alerts)
         }
       }
       if (pagerDutyIntegrationKey) {