Created
November 3, 2021 14:09
mva-verbit created this gist
Nov 3, 2021
@@ -0,0 +1,141 @@ #!/bin/bash set -e REQUIREMENTS="gh" for CMD in ${REQUIREMENTS};do if ! command -v $CMD &> /dev/null then echo "Please install $CMD" exit 1 fi done help() { cat <<-EOF list your security alerts USAGE $ gh-alerts [-h | --help] [<package>] OPTIONS -o, --org show alerts at org level -h, --help show the help EXAMPLES $ gh-alerts pyyaml PACKAGE SEVERITY MANIFEST pyyaml high severity requirements.txt pyyaml high severity requirements.txt EOF } while [ "$1" != "" ] do case $1 in -o | --org ) shift OWNER="$1" ;; -h | --help ) help exit 0 ;; * ) PACKAGE="$1" ;; esac shift done QUERY=' query($owner: String!, $repo: String!, $endCursor: String) { repository(owner: $owner, name: $repo) { vulnerabilityAlerts(first: 100, after: $endCursor) { nodes { createdAt dismissReason dismissedAt dismisser { login, name } securityAdvisory { summary, permalink } securityVulnerability { package { name } severity } vulnerableManifestPath vulnerableRequirements }, pageInfo { hasNextPage endCursor } } } } ' TEMPLATE=" {{- range .data.repository.vulnerabilityAlerts.nodes -}} {{- if or (not \"${PACKAGE}\") (eq .securityVulnerability.package.name \"${PACKAGE}\") -}} {{- if eq .securityVulnerability.severity \"CRITICAL\" -}} {{- tablerow .securityVulnerability.package.name (autocolor \"red\" \"critical severity\") .vulnerableManifestPath -}} {{- else if eq .securityVulnerability.severity \"HIGH\" -}} {{- tablerow .securityVulnerability.package.name (autocolor \"magenta\" \"high severity\") .vulnerableManifestPath -}} {{- end}} {{- end}} {{- end -}} " ORG_QUERY=' query($owner: String!, $endCursor: String) { organization (login: $owner) { repositories(first: 100, after: $endCursor) { nodes { vulnerabilityAlerts(first: 100, after: $endCursor) { nodes { createdAt dismissReason dismissedAt dismisser { login, name } repository { nameWithOwner } securityAdvisory { summary, permalink } securityVulnerability { package { name } severity } vulnerableManifestPath vulnerableRequirements } } }, 
pageInfo { hasNextPage endCursor } } } } ' ORG_TEMPLATE=' {{- range $repo := .data.organization.repositories.nodes -}} {{- range .vulnerabilityAlerts.nodes -}} {{- if eq .securityVulnerability.severity "CRITICAL" -}} {{- tablerow .repository.nameWithOwner .securityVulnerability.package.name (autocolor "red" "critical severity") .vulnerableManifestPath -}} {{- else if eq .securityVulnerability.severity "HIGH" -}} {{- tablerow .repository.nameWithOwner .securityVulnerability.package.name (autocolor "magenta" "high severity") .vulnerableManifestPath -}} {{- end -}} {{- end -}} {{- end -}} ' gh_auth() { echo ${GITHUB_ADMIN_ORG_READ_TOKEN} >gh-token.txt gh auth login --with-token <gh-token.txt rm gh-token.txt } if [ -n "$OWNER" ] then gh_auth exec gh api graphql --paginate -F owner="${OWNER}" -f query="${ORG_QUERY}" --template="${ORG_TEMPLATE}" | grep "${OWNER}/${PACKAGE}" else exec gh api graphql --paginate -F owner=":owner" -F repo=":repo" -f query="${QUERY}" --template="${TEMPLATE}" fi
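Review bot: gh_auth writes ${GITHUB_ADMIN_ORG_READ_TOKEN} to a plaintext gh-token.txt in the current working directory, and because the script runs under `set -e` a failing `gh auth login` exits before the `rm`, leaving the token on disk with whatever permissions the default umask gives it. Piping the value avoids the temporary file entirely: replace the three lines of the function body with `: "${GITHUB_ADMIN_ORG_READ_TOKEN:?GITHUB_ADMIN_ORG_READ_TOKEN is not set}"` and `printf '%s\n' "${GITHUB_ADMIN_ORG_READ_TOKEN}" | gh auth login --with-token`, which also fails clearly when the variable is unset instead of feeding gh an empty line. Separately, in the org branch the package filter is `grep "${OWNER}/${PACKAGE}"`, which matches the owner/repo column that `tablerow .repository.nameWithOwner` prints first, so it selects repositories whose name starts with the package name rather than rows for that package; the `eq .securityVulnerability.package.name` check already used in TEMPLATE would do the right thing if carried into ORG_TEMPLATE. It also looks like ORG_QUERY passes the same `$endCursor` to both `repositories(after:)` and the nested `vulnerabilityAlerts(after:)` while declaring no pageInfo on the inner connection, so alerts beyond the first 100 of any one repository are presumably never fetched — worth confirming against how `gh api --paginate` picks its cursor.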