Security Monitoring #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security Monitoring | |
on: | |
schedule: | |
- cron: '0 16 * * *' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.run_id }} | |
cancel-in-progress: true | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
jobs: | |
check-dependabot-alerts: | |
runs-on: ubuntu-latest | |
outputs: | |
dependabot_alert_status: ${{ steps.check-dependabot-alerts.outputs.dependabot_alert_status }} | |
steps: | |
- name: Check for dependabot alerts | |
id: check-dependabot-alerts | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | |
with: | |
github-token: ${{ secrets.GH_PAT }} | |
script: | | |
async function checkAlerts() { | |
const owner = '${{ github.repository_owner }}'; | |
const repo = '${{ github.event.repository.name }}'; | |
const dependabotAlerts = await github.rest.dependabot.listAlertsForRepo({ | |
owner, | |
repo, | |
headers: { | |
'accept': 'applications/vnd.github+json' | |
} | |
}); | |
const activeDependabotAlerts = dependabotAlerts.data.filter(alert => alert.state === 'open'); | |
core.setOutput('dependabot_alert_status', activeDependabotAlerts.length > 0 ? '1': '0'); | |
} | |
await checkAlerts(); | |
check-code-scanning-alerts: | |
runs-on: ubuntu-latest | |
outputs: | |
code_scanning_alert_status: ${{ steps.check-code-scanning-alerts.outputs.code_scanning_alert_status }} | |
steps: | |
- name: Check for security alerts for public repository | |
id: check-code-scanning-alerts | |
if: github.event.repository.visibility == 'public' | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | |
with: | |
github-token: ${{ secrets.GH_PAT }} | |
script: | | |
async function checkAlerts() { | |
const owner = '${{ github.repository_owner }}'; | |
const repo = '${{ github.event.repository.name }}'; | |
const ref = 'refs/heads/main'; | |
const codeScanningAlerts = await github.rest.codeScanning.listAlertsForRepo({ | |
owner, | |
repo, | |
ref: ref | |
}); | |
const activeCodeScanningAlerts = codeScanningAlerts.data.filter(alert => alert.state === 'open'); | |
return activeCodeScanningAlerts.length > 0 ? '1': '0'; | |
} | |
await checkAlerts(); | |
- name: Set code scanning alerts output | |
id: set-code-scanning-alerts-output | |
run: | | |
if ${{ github.event.repository.visibility == 'public' }}; then | |
echo "code_scanning_alert_status=${{ steps.check-code-scanning-alerts.outputs.result }}" >> $GITHUB_OUTPUT | |
else | |
echo "code_scanning_alert_status=0" >> $GITHUB_OUTPUT | |
fi | |
put-metric-data: | |
runs-on: ubuntu-latest | |
needs: [check-dependabot-alerts, check-code-scanning-alerts] | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@12e3392609eaaceb7ae6191b3f54bbcb85b5002b | |
with: | |
role-to-assume: ${{ secrets.RUNNER_ROLE_ARN }} | |
aws-region: us-west-2 | |
- name: Put Dependabot Alert Metric Data | |
run: | | |
if [ "${{ needs.check-dependabot-alerts.outputs.dependabot_alert_status }}" == "1" ]; then | |
aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-hyperpod-recipes | |
else | |
aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-hyperpod-recipes | |
fi | |
- name: Put Code Scanning Alert Metric Data | |
run: | | |
if [ "${{ needs.check-code-scanning-alerts.outputs.code_scanning_alert_status }}" == "1" ]; then | |
aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-hyperpod-recipes | |
else | |
aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-hyperpod-recipes | |
fi |