Merge pull request #266 from ministryofjustice/slack-secret-scanning-…

…integration Slack - Github secret scanning integration action
ministryofjustice · Sep 4, 2024 · e633262 · e633262
2 parents 8e1bfc9 + bc2ffe3
commit e633262
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@ A collection of GitHub Actions.
 | [malformed-yaml](malformed-yaml)                                 | Reject a PR if it contains malformed YAML files                  |
 | [terraform-static-analysis](terraform-static-analysis)           | Runs TFSec, Checkov and TFlint against Terraform                 |
 | [setup-container-structure-test](setup-container-structure-test) | Installs Google's Container Structure Test                       |
+| [slack-github-secret-scanning-integration](slack-github-secret-scanning-integration) | A Github Action to get alerts from github secret scanning and send them to Slack                       |
 
 <!-- markdownlint-enable MD013 -->
 

diff --git a/slack-github-secret-scanning-integration/README.md b/slack-github-secret-scanning-integration/README.md
@@ -0,0 +1,18 @@
+# Slack - GitHub Secrets Scanning Alerts Integration
+
+A GitHub Action to forward alerts from GitHub secret scanning and send them to Slack.
+
+## Usage
+
+```
+      - uses: ministryofjustice/github-actions/[email protected]
+        with:
+          github-token: ${{ secrets.SECRET_SCANNING_GitHub_TOKEN }}
+          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+```
+
+| Parameter                                                           | Description                                                      | Required                                                     | Default                                                     |
+| ---------------------------------------------------------------- | ---------------------------------------------------------------- | ---------------------------------------------------------------- | ---------------------------------------------------------------- |
+| frequency                                | Get secret scanning alerts that have occurred in this period prior to this action running | false | 24 hours |
+| github-token                              | [GitHub token with access to secret scanning](https://docs.github.com/en/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28#list-secret-scanning-alerts-for-a-repository)                 | true | NA |
+| slack-webhook-url           | Incoming Slack webhook url for channel that you want to send alerts to                | true | NA |
diff --git a/slack-github-secret-scanning-integration/action.yml b/slack-github-secret-scanning-integration/action.yml
@@ -0,0 +1,60 @@
+name: "Slack - GitHub Secret Scanning Alerts Integration"
+description: "A GitHub Action to get alerts from GitHub secret scanning and send them to Slack"
+inputs:
+  github-token:
+    description: "GitHub token with access to secret scanning"
+    required: true
+  slack-webhook-url:
+    description: "Incoming Slack webhook url for channel that you want to send alerts to"
+    required: true
+  frequency:
+    description: "Get secret scanning alerts that have occurred in this period prior to this action running"
+    required: false
+    default: 24
+runs:
+  using: "composite"
+  steps:
+      - name: Secret Scanning Alerts
+        id: secret-scanning
+        uses: advanced-security/secret-scanning-notifications@v1
+        with:
+          token: ${{ inputs.github-token}}
+          frequency: ${{ inputs.frequency }}
+          scope: 'repository'
+          new_alerts_filepath: 'new_alerts.json'
+          closed_alerts_filepath: 'closed_alerts.json'
+
+      - name: Check number of new alerts
+        shell: bash
+        id: get-new-alerts
+        run: echo "new_alerts=$(jq 'length' new_alerts.json)" >> "$GITHUB_OUTPUT"
+
+      - name: Convert json to plaintext
+        shell: bash
+        if: ${{ steps.get-new-alerts.outputs.new_alerts > 0}}
+        id: json-to-plaintext
+        run: |
+          echo "new-alerts=$(jq -r '.[] | "- \(.secret_type_display_name): \(.html_url)"' new_alerts.json)" >> "$GITHUB_OUTPUT"
+
+      - name: Send notification to Slack
+        id: slack
+        if: ${{ steps.json-to-plaintext.outcome == 'success' }}
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 #v1.24.0
+        with:
+          payload: |
+            {
+                "text": "New GitHub Secret Scanning Alerts Detected:\n\n${{ steps.json-to-plaintext.outputs.new-alerts }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ inputs.slack-webhook-url }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
+      - name: Report failure to Slack
+        if: always()
+        uses: ravsamhq/notify-slack-action@472601e839b758e36c455b5d3e5e1a217d4807bd # 2.5.0
+        with:
+          status: ${{ job.status }}
+          notify_when: "failure"
+          notification_title: "Failed to check for low GitHub actions minutes"
+        env:
+          SLACK_WEBHOOK_URL: ${{ inputs.slack-webhook-url }}