Sync Secureframe tests to GitHub issues:
- Opens GitHub issues when a test fails
- Updates GitHub issues when test details change
- Closes GitHub issues when a test passes or is disabled
secureframe-issue-sync is designed to be used as a scheduled task, in particular GitHub Actions.
NOTE: This tool uses an undocumented Secureframe GraphQL API, so it may suddenly break. PRs welcome.
- A GitHub API token (preferably fine-grained for just issue management)
- A Secureframe API token (findable via browser headers)
- A Secureframe Company ID (findable via browser headers)
As Secureframe does not yet have a public API, you'll need to grab the latter two values using your browser's Developer Tools:
- Visit https://app.secureframe.com/
- Enter your browser's "Developer Tools" feature
- Click on the Console tab.
- Type `sessionStorage.getItem("AUTH_TOKEN");` and press Enter. This will show your auth token.
- Type `sessionStorage.getItem("CURRENT_COMPANY_USER");` and press Enter. This will show your company ID.
NOTE: For a proper long-lived API token, see https://developer.secureframe.com/#section/Authentication. This tool also understands long-lived tokens in the form of " ".
To build and install this tool, run:

```
go install github.com/chainguard-dev/secureframe-issue-sync@latest
```
To run a sync:

```
secureframe-issue-sync --secureframe-token=<token> \
  --company=<company id> \
  --reports=soc2_alpha \
  --github-token=<token> \
  --github-repo=chainguard-dev/xyz
```
There is a `--dry-run` flag available, which will pretend to make changes to GitHub instead of performing them.

You can also pass flags via environment variables, such as `SECUREFRAME_TOKEN=xyz`.
In production, you're going to want to schedule the sync job to run every hour or so. Since you are already on GitHub, why not use GitHub Actions to do it?
See https://github.com/chainguard-dev/secureframe-issue-sync/blob/main/github-action.yaml for an example.
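As an added illustration of the scheduling setup described above (this is not the project's own `github-action.yaml`), the workflow below installs the tool and runs it hourly. The secret names `SECUREFRAME_TOKEN` and `SECUREFRAME_COMPANY_ID` are assumed placeholders you create in the repository's settings; the `SECUREFRAME_TOKEN` environment variable is the one the README names, while `--company`, `--reports`, `--github-token` and `--github-repo` are passed as flags. The built-in `GITHUB_TOKEN`, limited by the `permissions` block to `issues: write`, is enough when issues are opened in the same repository; syncing into a different repository needs a fine-grained personal access token stored as another secret.

```yaml
# Added example workflow for this README; not the project's own github-action.yaml.
# Assumed names: the SECUREFRAME_TOKEN and SECUREFRAME_COMPANY_ID repository secrets.
name: secureframe-issue-sync

on:
  schedule:
    - cron: "17 * * * *"    # roughly hourly, as the README suggests
  workflow_dispatch:         # also allow a manual run, e.g. to try --dry-run first

# Least privilege: the sync only needs to manage issues, nothing else.
permissions:
  contents: read
  issues: write

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: stable

      - name: Install secureframe-issue-sync
        run: go install github.com/chainguard-dev/secureframe-issue-sync@latest

      - name: Sync Secureframe tests to GitHub issues
        env:
          # Secrets reach the tool through the environment, never through the
          # command line, so they are masked in the job log.
          SECUREFRAME_TOKEN: ${{ secrets.SECUREFRAME_TOKEN }}
          SECUREFRAME_COMPANY_ID: ${{ secrets.SECUREFRAME_COMPANY_ID }}   # assumed secret name
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          secureframe-issue-sync \
            --company="${SECUREFRAME_COMPANY_ID}" \
            --reports=soc2_alpha \
            --github-token="${GITHUB_TOKEN}" \
            --github-repo="${GITHUB_REPOSITORY}"
```

Before enabling the schedule, trigger the workflow manually with `--dry-run` appended to the `run` step to confirm the token and company ID are correct without touching any issues.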