.github/skills/github/gh-code-scanning/scripts/get-code-scanning-alerts.sh
#!/usr/bin/env bash
# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: MIT
#
# get-code-scanning-alerts.sh
# Retrieves the open GitHub code scanning alerts for one repository branch and
# prints them grouped by rule (see the jq filter at the bottom of the file).
#
# Usage:
#   ./get-code-scanning-alerts.sh -o OWNER -r REPO [-b BRANCH] [-s SEVERITY]
#
# Prerequisites:
#   - gh CLI installed and authenticated with the security_events scope
#   - jq installed

set -euo pipefail

# Option values, filled in by the getopts loop further down.
OWNER=         # -o (required)
REPO=          # -r (required)
BRANCH=main    # -b
SEVERITY=      # -s (optional filter)

#######################################
# Print the option summary to stderr and terminate the script.
# Globals:   none
# Arguments: none ($0 is used for the script name)
# Outputs:   usage text on stderr
# Returns:   never returns; exits with status 1
#######################################
usage() {
  cat >&2 <<EOF
Usage: $0 -o OWNER -r REPO [-b BRANCH] [-s SEVERITY]
 -o Repository owner (required)
 -r Repository name (required)
 -b Branch name (default: main)
 -s Filter by security severity (critical, high, medium, low)
EOF
  exit 1
}

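#######################################
# Parse the command-line options into the OWNER/REPO/BRANCH/SEVERITY globals.
# Compared with a bare getopts loop this names the offending option on a
# missing argument or unknown flag, and rejects stray positional arguments
# instead of silently ignoring them.
# Globals:   OWNER, REPO, BRANCH, SEVERITY (written)
# Arguments: the script's argument list ("$@")
# Outputs:   a diagnostic on stderr before usage() on any parse error
# Returns:   0 when every option was recognised (usage() exits otherwise)
#######################################
parse_args() {
  local opt
  # Function-local OPTIND so the loop always starts from the first argument,
  # even if getopts was already used in this shell.
  local OPTIND=1
  while getopts ':o:r:b:s:' opt; do
    case "$opt" in
      o) OWNER="$OPTARG" ;;
      r) REPO="$OPTARG" ;;
      b) BRANCH="$OPTARG" ;;
      s) SEVERITY="$OPTARG" ;;
      :)
        # Leading ':' in the optstring puts getopts in silent mode, so the
        # missing-argument case has to be reported here.
        echo "Error: option -$OPTARG requires an argument." >&2
        usage
        ;;
      *)
        echo "Error: unknown option -$OPTARG." >&2
        usage
        ;;
    esac
  done
  shift $((OPTIND - 1))
  # The script takes no positional arguments; anything left over is a mistake
  # (for example a value that lost its flag) rather than something to ignore.
  if (( $# > 0 )); then
    echo "Error: unexpected argument(s): $*" >&2
    usage
  fi
}

parse_args "$@"
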
# Both identifiers are mandatory; everything else has a default.
[[ -n "$OWNER" && -n "$REPO" ]] || {
  echo "Error: -o OWNER and -r REPO are required." >&2
  usage
}

# Allow-list the values before they are interpolated into the gh api request
# path and query string below. OWNER and REPO may not contain '/', '?', '&',
# '#' or whitespace, so they cannot alter the request path; BRANCH is the same
# set plus '/' because it is placed under refs/heads/.
[[ "$OWNER" =~ ^[a-zA-Z0-9._-]+$ ]] || {
  echo "Error: -o OWNER contains invalid characters." >&2; exit 1
}
[[ "$REPO" =~ ^[a-zA-Z0-9._-]+$ ]] || {
  echo "Error: -r REPO contains invalid characters." >&2; exit 1
}
[[ "$BRANCH" =~ ^[a-zA-Z0-9._/-]+$ ]] || {
  echo "Error: -b BRANCH contains invalid characters." >&2; exit 1
}

# SEVERITY is optional (empty means no filter); when given it must be one of
# the four values the API query below accepts from this script.
case "$SEVERITY" in
  ''|critical|high|medium|low) ;;
  *)
    echo "Error: -s SEVERITY must be critical, high, medium, or low." >&2; exit 1
    ;;
esac

# Fail fast on missing prerequisites; each check writes its install hint to
# stderr and leaves nothing half-done.
command -v gh >/dev/null 2>&1 || {
  echo "Error: gh CLI not found. Install from https://cli.github.com" >&2
  exit 1
}

command -v jq >/dev/null 2>&1 || {
  echo "Error: jq not found. Install from https://jqlang.github.io/jq/" >&2
  exit 1
}

# gh auth status only proves a login exists; the security_events scope itself
# is not checked here and shows up later as a failed API call.
gh auth status >/dev/null 2>&1 || {
  echo "Error: gh CLI not authenticated. Run 'gh auth login' and ensure security_events scope." >&2
  exit 1
}

# Only open alerts on the requested branch; per_page=100 keeps --paginate to
# the fewest round trips. OWNER, REPO, BRANCH and SEVERITY were allow-listed
# above, so they are safe to interpolate here.
query="state=open&ref=refs/heads/${BRANCH}&per_page=100"
if [[ -n "$SEVERITY" ]]; then
  query="${query}&severity=${SEVERITY}"
fi
URL="repos/${OWNER}/${REPO}/code-scanning/alerts?${query}"

# One summary object per rule description, most frequent rule first. Each
# group reports the rule id, tool and security severity of its first alert
# and the distinct file paths of the most recent instances.
summary_filter='group_by(.rule.description) | map({
RuleDescription: .[0].rule.description,
RuleId: .[0].rule.id,
Tool: .[0].tool.name,
SecuritySeverity: .[0].rule.security_severity_level,
Count: length,
SamplePaths: ([.[].most_recent_instance.location.path] | unique | sort)
}) | sort_by(-.Count)'

# --paginate fetches every page; --jq '.[]' flattens them to one alert per
# line so that jq -s can re-slurp the complete set before grouping. With
# pipefail set, a failed API call fails the whole pipeline.
GH_PAGER='' gh api "$URL" --paginate --jq '.[]' \
  | jq -s "$summary_filter"
