1 parent
fef9942
commit 932c184
Showing
1 changed file
with
122 additions
and
0 deletions.
@@ -0,0 +1,122 @@ | ||
name: Security Monitoring | ||
|
||
on: | ||
schedule: | ||
- cron: '0 9 * * *' | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.run_id }} | ||
cancel-in-progress: true | ||
|
||
permissions: | ||
id-token: write | ||
|
||
jobs: | ||
check-code-scanning-alerts: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
code_scanning_alert_status: ${{ steps.check-code-scanning-alerts.outputs.code_scanning_alert_status }} | ||
steps: | ||
- name: Check for security alerts | ||
id: check-code-scanning-alerts | ||
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | ||
with: | ||
github-token: ${{ secrets.GH_PAT }} | ||
script: | | ||
async function checkAlerts() { | ||
const owner = '${{ github.repository_owner }}'; | ||
const repo = '${{ github.event.repository.name }}'; | ||
const ref = 'refs/heads/master'; | ||
const codeScanningAlerts = await github.rest.codeScanning.listAlertsForRepo({ | ||
owner, | ||
repo, | ||
ref: ref | ||
}); | ||
const activeCodeScanningAlerts = codeScanningAlerts.data.filter(alert => alert.state === 'open'); | ||
core.setOutput('code_scanning_alert_status', activeCodeScanningAlerts.length > 0 ? '1': '0'); | ||
} | ||
await checkAlerts(); | ||
check-dependabot-alerts: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
dependabot_alert_status: ${{ steps.check-dependabot-alerts.outputs.dependabot_alert_status }} | ||
steps: | ||
- name: Check for dependabot alerts | ||
id: check-dependabot-alerts | ||
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | ||
with: | ||
github-token: ${{ secrets.GH_PAT }} | ||
script: | | ||
async function checkAlerts() { | ||
const owner = '${{ github.repository_owner }}'; | ||
const repo = '${{ github.event.repository.name }}'; | ||
const dependabotAlerts = await github.rest.dependabot.listAlertsForRepo({ | ||
owner, | ||
repo, | ||
headers: { | ||
'accept': 'applications/vnd.github+json' | ||
} | ||
}); | ||
const activeDependabotAlerts = dependabotAlerts.data.filter(alert => alert.state === 'open'); | ||
core.setOutput('dependabot_alert_status', activeDependabotAlerts.length > 0 ? '1': '0'); | ||
} | ||
await checkAlerts(); | ||
check-secret-scanning-alerts: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
secret_scanning_alert_status: ${{ steps.check-secret-scanning-alerts.outputs.secret_scanning_alert_status }} | ||
steps: | ||
- name: Check for secret scanning alerts | ||
id: check-secret-scanning-alerts | ||
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | ||
with: | ||
github-token: ${{ secrets.GH_PAT }} | ||
script: | | ||
async function checkAlerts() { | ||
const owner = '${{ github.repository_owner }}'; | ||
const repo = '${{ github.event.repository.name }}'; | ||
const secretScanningAlerts = await github.rest.secretScanning.listAlertsForRepo({ | ||
owner, | ||
repo, | ||
}); | ||
const activeSecretScanningAlerts = secretScanningAlerts.data.filter(alert => alert.state === 'open'); | ||
core.setOutput('secret_scanning_alert_status', activeSecretScanningAlerts.length > 0 ? '1': '0'); | ||
console.log("Active Secret Scanning Alerts", activeSecretScanningAlerts); | ||
} | ||
await checkAlerts(); | ||
put-metric-data: | ||
runs-on: ubuntu-latest | ||
needs: [check-code-scanning-alerts, check-dependabot-alerts, check-secret-scanning-alerts] | ||
steps: | ||
- name: Configure AWS Credentials | ||
uses: aws-actions/configure-aws-credentials@12e3392609eaaceb7ae6191b3f54bbcb85b5002b | ||
with: | ||
role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }} | ||
aws-region: us-west-2 | ||
- name: Put Code Scanning Alert Metric Data | ||
run: | | ||
if [ "${{ needs.check-code-scanning-alerts.outputs.code_scanning_alert_status }}" == "1" ]; then | ||
aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk | ||
else | ||
aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk | ||
fi | ||
- name: Put Dependabot Alert Metric Data | ||
run: | | ||
if [ "${{ needs.check-dependabot-alerts.outputs.dependabot_alert_status }}" == "1" ]; then | ||
aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk | ||
else | ||
aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk | ||
fi | ||
- name: Put Secret Scanning Alert Metric Data | ||
run: | | ||
if [ "${{ needs.check-secret-scanning-alerts.outputs.secret_scanning_alert_status }}" == "1" ]; then | ||
aws cloudwatch put-metric-data --metric-name SecretScanningAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk | ||
else | ||
aws cloudwatch put-metric-data --metric-name SecretScanningAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk | ||
fi |