Security Monitoring #73
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security Monitoring | |
on: | |
schedule: | |
- cron: '0 16 * * *' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.run_id }} | |
cancel-in-progress: true | |
permissions: | |
id-token: write | |
jobs: | |
check-dependabot-alerts: | |
runs-on: ubuntu-latest | |
outputs: | |
dependabot_alert_status: ${{ steps.check-dependabot-alerts.outputs.dependabot_alert_status }} | |
steps: | |
- name: Check for dependabot alerts | |
id: check-dependabot-alerts | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | |
with: | |
github-token: ${{ secrets.GH_PAT }} | |
script: | | |
async function checkAlerts() { | |
const owner = '${{ github.repository_owner }}'; | |
const repo = '${{ github.event.repository.name }}'; | |
const dependabotAlerts = await github.rest.dependabot.listAlertsForRepo({ | |
owner, | |
repo, | |
headers: { | |
'accept': 'applications/vnd.github+json' | |
} | |
}); | |
const activeDependabotAlerts = dependabotAlerts.data.filter(alert => alert.state === 'open'); | |
core.setOutput('dependabot_alert_status', activeDependabotAlerts.length > 0 ? '1': '0'); | |
} | |
await checkAlerts(); | |
check-code-scanning-alerts: | |
runs-on: ubuntu-latest | |
outputs: | |
code_scanning_alert_status: ${{ steps.check-code-scanning-alerts.outputs.code_scanning_alert_status }} | |
steps: | |
- name: Check for security alerts | |
id: check-code-scanning-alerts | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | |
with: | |
github-token: ${{ secrets.GH_PAT }} | |
script: | | |
async function checkAlerts() { | |
const owner = '${{ github.repository_owner }}'; | |
const repo = '${{ github.event.repository.name }}'; | |
const ref = 'refs/heads/main'; | |
const codeScanningAlerts = await github.rest.codeScanning.listAlertsForRepo({ | |
owner, | |
repo, | |
ref: ref | |
}); | |
const activeCodeScanningAlerts = codeScanningAlerts.data.filter(alert => alert.state === 'open'); | |
core.setOutput('code_scanning_alert_status', activeCodeScanningAlerts.length > 0 ? '1': '0'); | |
} | |
await checkAlerts(); | |
put-metric-data: | |
runs-on: ubuntu-latest | |
needs: [check-dependabot-alerts, check-code-scanning-alerts] | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@12e3392609eaaceb7ae6191b3f54bbcb85b5002b | |
with: | |
role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }} | |
aws-region: us-west-2 | |
- name: Put Dependabot Alert Metric Data | |
run: | | |
if [ "${{ needs.check-dependabot-alerts.outputs.dependabot_alert_status }}" == "1" ]; then | |
aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-hyperpod-cli | |
else | |
aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-hyperpod-cli | |
fi | |
- name: Put Code Scanning Alert Metric Data | |
run: | | |
if [ "${{ needs.check-code-scanning-alerts.outputs.code_scanning_alert_status }}" == "1" ]; then | |
aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-hyperpod-cli | |
else | |
aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-hyperpod-cli | |
fi |