Update secrets-scanning-report.yml

vmware · Feb 14, 2025 · ca3be75 · ca3be75
1 parent a24877c
commit ca3be75
Showing 1 changed file with 51 additions and 49 deletions.
diff --git a/.github/workflows/secrets-scanning-report.yml b/.github/workflows/secrets-scanning-report.yml
@@ -23,52 +23,54 @@ on:
           - WARNING
           - ERROR
         default: 'INFO'
+      alert_threshold:
+        description: 'Number of active alerts to trigger issue creation'
+        required: false
+        type: number
+        default: 10  # Default threshold
   schedule:
-    - cron: '0 0 * * 1'  # Weekly on Monday at midnight
+    - cron: '0 0 * * 1'
 
 permissions:
-  security-events: read      # Required for secret scanning API
-  contents: read            # Required for checking out code
-  actions: write           # Required for artifact upload
-  issues: write            # Required for creating issues on failure
+  security-events: read
+  contents: read
+  actions: write
+  issues: write
 
 jobs:
   generate-report:
     runs-on: ubuntu-latest
-    
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
-          
+
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: '3.11'  # Updated to latest stable Python
+          python-version: '3.11'
           cache: 'pip'
-          cache-dependency-path: scripts/requirements.txt  # Pointing to the 'scripts' directory
-      
+          cache-dependency-path: scripts/requirements.txt
+
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install -r scripts/requirements.txt  # Install dependencies from the 'scripts' directory
+          pip install -r scripts/requirements.txt
 
       - name: Generate timestamp
         id: timestamp
         run: echo "timestamp=$(date +%Y%m%d_%H%M%S)" >> $GITHUB_OUTPUT
-        
+
       - name: Generate Secret Report
         id: generate-report
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ORGANIZATION: ${{ github.repository_owner }}
           REPORT_FILE: "secret_report_${{ steps.timestamp.outputs.timestamp }}.csv"
         run: |
-          # Create output directory
           mkdir -p reports
-          
-          # Run the scanner with configured parameters
           python ./scripts/github_secret_scanner.py \
             --org "$ORGANIZATION" \
             --token "$GITHUB_TOKEN" \
@@ -77,10 +79,8 @@ jobs:
             --max-workers ${{ inputs.max_workers || 10 }} \
             --max-retries 3 \
             ${{ inputs.include_inactive && '--include-inactive' || '' }}
-            
-          # Save report path for later steps
           echo "report_path=reports/${REPORT_FILE}" >> $GITHUB_OUTPUT
-            
+
       - name: Upload report
         uses: actions/upload-artifact@v4
         if: success()
@@ -89,54 +89,58 @@ jobs:
           path: ${{ steps.generate-report.outputs.report_path }}
           retention-days: 30
           if-no-files-found: error
-
-      - name: Process report statistics
-        if: success()
+
+      - name: Process report statistics (inline)
         id: stats
+        if: success()
         run: |
-          total_alerts=$(python scripts/process_report.py --input ${{ steps.generate-report.outputs.report_path }} --count)
-          active_alerts=$(python scripts/process_report.py --input ${{ steps.generate-report.outputs.report_path }} --active)
-
-          echo "Total alerts found: $total_alerts"
-          echo "Active alerts: $active_alerts"
-          
-          # Save stats for issue creation
-          echo "total_alerts=$total_alerts" >> $GITHUB_OUTPUT
-          echo "active_alerts=$active_alerts" >> $GITHUB_OUTPUT
-          
-      - name: Create summary issue
-        if: success() && ${{ steps.stats.outputs.active_alerts > 10 }}
+          STATS=$(grep "__STATS_START__" ${{ steps.generate-report.outputs.report_path }}/../output.txt | sed 's/__STATS_START__//' | sed 's/__STATS_END__//')
+          echo "total_alerts=$(echo $STATS | cut -d',' -f1 | cut -d'=' -f2)" >> $GITHUB_OUTPUT
+          echo "active_alerts=$(echo $STATS | cut -d',' -f2 | cut -d'=' -f2)" >> $GITHUB_OUTPUT
+          echo "Total alerts found: $(echo $STATS | cut -d',' -f1 | cut -d'=' -f2)"
+          echo "Active alerts: $(echo $STATS | cut -d',' -f2 | cut -d'=' -f2)"
+
+      - name: Create summary issue (using github-script)
+        if: success() && steps.stats.outputs.active_alerts > inputs.alert_threshold
         uses: actions/github-script@v7
         with:
           script: |
             const stats = {
               total: '${{ steps.stats.outputs.total_alerts }}',
               active: '${{ steps.stats.outputs.active_alerts }}'
             };
-            
+
+            const now = new Date();
+            const formattedDate = now.toLocaleDateString('en-US', {
+              year: 'numeric',
+              month: 'long',
+              day: 'numeric'
+            });
+
             const body = `
             # Secret Scanning Report Summary
-            
-            Report generated on: ${new Date().toISOString()}
-            
+
+            Report generated on: ${now.toISOString()}
+
             ## Statistics
             - Total alerts analyzed: ${stats.total}
             - Active alerts found: ${stats.active}
-            
+
             ## Details
             - Report artifact: [Download report](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})
             - Workflow run: [View details](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})
-            
+
             ## Configuration
             - Include inactive alerts: ${{ inputs.include_inactive || 'false' }}
             - Max workers: ${{ inputs.max_workers || '10' }}
             - Log level: ${{ inputs.log_level || 'INFO' }}
+            - Alert threshold: ${{ inputs.alert_threshold || '10'}}
             `;
-            
+
             await github.rest.issues.create({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              title: `📊 Secret Scanning Report - ${new Date().toISOString().split('T')[0]}`,
+              title: \`📊 Secret Scanning Report - \${formattedDate}\`,
               body: body,
               labels: ['secret-scanning', 'report']
             });
@@ -148,33 +152,32 @@ jobs:
           script: |
             const body = `
             # 🚨 Secret Scanning Report Generation Failed
-            
+
             Workflow run failed at ${new Date().toISOString()}
-            
+
             ## Details
             - Run ID: \`${context.runId}\`
             - Trigger: ${context.eventName}
             - Actor: @${context.actor}
-            
+
             ## Links
             - [View run details](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})
             - [View workflow file](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/blob/main/.github/workflows/secret-scanning-report.yml)
-            
+
             Please check the workflow logs for detailed error information.
             `;
-            
+
             await github.rest.issues.create({
               owner: context.repo.owner,
               repo: context.repo.repo,
               title: '🚨 Secret Scanning Report Generation Failed',
               body: body,
               labels: ['secret-scanning', 'failed']
             });
-            
+
       - name: Clean up
         if: always()
         run: |
-          # Securely remove any sensitive files
           if [ -d "reports" ]; then
             find reports -type f -exec shred -u {} \;
             rm -rf reports
@@ -183,4 +186,3 @@ jobs:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-