# GitHub Security Alert Export
This project exports GitHub code scanning, secret scanning, and dependabot security alerts to JSON.
Create a workflow (e.g. `.github/workflows/security-export.yml`). See Creating a Workflow file.

You will need to create a PAT (Personal Access Token) that has the appropriate scope. Add this PAT as a secret so it can be used as the `github-token` input; see Creating encrypted secrets for a repository.

If your organization has SAML enabled you must authorize the PAT; see Authorizing a personal access token for use with SAML single sign-on.

You can pass `enterprise`, `organization`, or `repository` to scope the export.
```yaml
name: Export Security Alerts
on:
  workflow_dispatch:
jobs:
  run:
    name: Export
    runs-on: ubuntu-latest
    steps:
      - uses: austenstone/security-export@main
        id: export
        with:
          github-token: ${{ secrets.PAT }}
          organization: octodemo
      - run: |
          echo "$DEPENDABOT"
          echo "$CODE_SCANNING"
          echo "$SECRET_SCANNING"
        env:
          DEPENDABOT: ${{ steps.export.outputs.dependabot }}
          CODE_SCANNING: ${{ steps.export.outputs.code-scanning }}
          SECRET_SCANNING: ${{ steps.export.outputs.secret-scanning }}
```
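The `run` step above only echoes the three outputs. A more useful consumer turns them into a per-severity count of open alerts and fails the job when an open critical alert is present. The script below is an added example, not part of this action or its README; it assumes the outputs are handed in as the environment variables the workflow above defines (`DEPENDABOT`, `CODE_SCANNING`, `SECRET_SCANNING`), that each is a JSON array of alert objects shaped like the GitHub REST API alert responses (field paths `security_advisory.severity`, `rule.security_severity_level`, `secret_type`, `state`, `html_url`), and it embeds constructed sample alerts so it runs offline. An empty output (for instance when the payload exceeded the output size limit and only the artifact was written) is treated as zero alerts rather than an error.

```python
"""Summarise the JSON exported by the security-export action (added example)."""
import json
import os
from collections import Counter

# Constructed sample outputs for offline runs; these are not real alerts.
SAMPLE_DEPENDABOT = json.dumps([
    {"number": 1, "state": "open", "html_url": "https://example.invalid/d/1",
     "security_advisory": {"severity": "critical"},
     "dependency": {"package": {"name": "lodash"}}},
    {"number": 2, "state": "dismissed", "html_url": "https://example.invalid/d/2",
     "security_advisory": {"severity": "high"},
     "dependency": {"package": {"name": "minimist"}}},
])
SAMPLE_CODE_SCANNING = json.dumps([
    {"number": 7, "state": "open", "html_url": "https://example.invalid/c/7",
     "rule": {"id": "js/sql-injection", "security_severity_level": "high"}},
    {"number": 8, "state": "fixed", "html_url": "https://example.invalid/c/8",
     "rule": {"id": "js/xss", "security_severity_level": "medium"}},
])
SAMPLE_SECRET_SCANNING = json.dumps([
    {"number": 3, "state": "open", "html_url": "https://example.invalid/s/3",
     "secret_type": "github_personal_access_token"},
])


def parse_alerts(raw):
    """Parse one action output into a list of alert dicts.

    An empty or whitespace-only output (e.g. when only the artifact was
    written because the payload was too large) yields [] instead of raising;
    anything that is valid JSON but not an array is also treated as empty.
    """
    if not raw or not raw.strip():
        return []
    data = json.loads(raw)
    return data if isinstance(data, list) else []


def severity(kind, alert):
    """Severity label per alert family (assumed REST API field paths).

    Secret scanning alerts carry no severity, so every leaked secret is
    treated as critical.
    """
    if kind == "dependabot":
        return alert.get("security_advisory", {}).get("severity", "unknown")
    if kind == "code-scanning":
        return alert.get("rule", {}).get("security_severity_level") or "unknown"
    return "critical"


def summarize(dependabot_raw, code_scanning_raw, secret_scanning_raw):
    """Return ({kind: Counter(severity -> open alert count)}, [critical URLs]).

    Only alerts with state == "open" are counted; dismissed and fixed alerts
    are ignored so the gate reflects the current exposure.
    """
    families = {
        "dependabot": parse_alerts(dependabot_raw),
        "code-scanning": parse_alerts(code_scanning_raw),
        "secret-scanning": parse_alerts(secret_scanning_raw),
    }
    counts = {}
    critical = []
    for kind, alerts in families.items():
        counter = Counter()
        for alert in alerts:
            if alert.get("state") != "open":
                continue
            sev = severity(kind, alert)
            counter[sev] += 1
            if sev == "critical":
                critical.append(alert.get("html_url", f"{kind}#{alert.get('number')}"))
        counts[kind] = counter
    return counts, critical


def main():
    # Fall back to the constructed samples when not running inside the workflow.
    counts, critical = summarize(
        os.environ.get("DEPENDABOT", SAMPLE_DEPENDABOT),
        os.environ.get("CODE_SCANNING", SAMPLE_CODE_SCANNING),
        os.environ.get("SECRET_SCANNING", SAMPLE_SECRET_SCANNING),
    )
    for kind, counter in counts.items():
        print(f"{kind}: {dict(counter)}")
    if critical:
        print("open critical alerts:")
        for url in critical:
            print("  " + url)
        raise SystemExit(1)  # a non-zero exit fails the workflow step


if __name__ == "__main__":
    main()
```

Run it from a `run:` step with the same `env:` mapping as the workflow above (assumed file name `summarize_alerts.py`, checked into the repository); a non-zero exit marks the job as failed, which is the usual way to gate a pipeline on open critical findings.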
You can export to CSV using the austenstone/json-to-csv action.

> **Note**
> The output of this action might exceed the maximum size of inputs/outputs. In that case, use the generated artifact as shown in the example.
```yaml
name: Export Security Alerts
on:
  workflow_dispatch:
jobs:
  run:
    name: Export
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./
        id: export
        with:
          github-token: ${{ secrets.PAT }}
          repository: octodemo/vulnerable-node
      - uses: austenstone/json-to-csv@main
        with:
          json-artifact-name: ${{ steps.export.outputs.artifact-name }}
          create-artifact: true
          artifact-name: "GitHub Security Alerts CSV"
```
To filter which alerts are exported, pass query parameters as JSON strings to the export step:

```yaml
code-scanning-query-parameters: '{ "severity": "critical", "state": "open" }'
secret-scanning-query-parameters: '{ "state": "open" }'
dependabot-query-parameters: '{ "severity": "critical", "state": "open" }'
```
An artifact is created by default; you can disable this by setting `create-artifact` to `false`. Modify `artifact-name` to change the name of the artifact.

```yaml
create-artifact: true
artifact-name: "GitHub Security Alerts"
```

Access the artifact via the output variable `${{ steps[*].export.outputs.artifact-name }}`.
Various inputs are defined in `action.yml`:

| Name | Description | Default |
|---|---|---|
| github-token | Token used to authorize API requests. | `${{ github.token }}` |
| enterprise | The GitHub Enterprise | N/A |
| organization | The GitHub organization | N/A |
| repository | The GitHub repository | `${{ github.repository }}` |
| code-scanning | Whether to export code scanning alerts | true |
| code-scanning-query-parameters | Query parameters as JSON, e.g. `{"state": "dismissed"}` | N/A |
| secret-scanning | Whether to export secret scanning alerts | true |
| secret-scanning-query-parameters | Query parameters as JSON | N/A |
| dependabot | Whether to export Dependabot alerts | true |
| dependabot-query-parameters | Query parameters as JSON, e.g. `{"state": "dismissed"}` | N/A |
| create-artifact | Whether to create an artifact | true |
The action sets the following outputs:

| Name | Description |
|---|---|
| dependabot | Dependabot alerts as a JSON string |
| code-scanning | Code scanning alerts as a JSON string |
| secret-scanning | Secret scanning alerts as a JSON string |
| artifact-name | The name of the artifact |
For more help with GitHub Actions, see the documentation.