Barazo lexicon schemas and TypeScript types barazo.forum

✨ feat(security): add automated security alert system

- Add Dependabot config to auto-create security update PRs
- Add daily workflow to check alerts and create GitHub issues
- Group minor/patch updates, keep major updates separate
- Auto-label security PRs for easy tracking

This enables:
1. Automatic PR creation for vulnerable dependencies
2. Daily consolidated security alert issues
3. Integration with Claude Code via gh CLI

Consistent with gxjansen.github.io security setup

+159
+25
.github/dependabot.yml
··· 1 + version: 2 2 + updates: 3 + # Enable security updates for npm dependencies 4 + - package-ecosystem: "npm" 5 + directory: "/" 6 + schedule: 7 + interval: "weekly" 8 + # Automatically create PRs for security updates 9 + open-pull-requests-limit: 10 10 + # Group minor and patch updates 11 + groups: 12 + dependencies: 13 + patterns: 14 + - "*" 15 + update-types: 16 + - "minor" 17 + - "patch" 18 + # Keep major updates separate for review 19 + ignore: 20 + - dependency-name: "*" 21 + update-types: ["version-update:semver-major"] 22 + # Auto-label PRs 23 + labels: 24 + - "dependencies" 25 + - "security"
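Review bot: the `ignore` block at the end of this file (`dependency-name: "*"` with `update-types: ["version-update:semver-major"]`) suppresses major-version updates entirely rather than keeping them "separate for review" as the comment says, and Dependabot applies `ignore` rules to security updates as well, so a fix that only ships in a new major version would never get a PR. If the intent is only to keep majors out of the grouped PR, drop the `ignore` block: the `groups` entry already restricts grouping to `minor` and `patch`, so majors arrive as individual PRs. Also, the header comment `# Enable security updates for npm dependencies` is misleading: this file configures version updates; Dependabot security updates are switched on in the repository's security settings, and this config only shapes the PRs once they are enabled.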
+134
.github/workflows/security-alerts.yml
··· 1 + name: Security Alert Check 2 + 3 + on: 4 + schedule: 5 + # Run daily at 9 AM UTC 6 + - cron: '0 9 * * *' 7 + workflow_dispatch: 8 + push: 9 + branches: 10 + - main 11 + paths: 12 + - '.github/workflows/security-alerts.yml' 13 + 14 + permissions: 15 + contents: read 16 + issues: write 17 + security-events: read 18 + 19 + jobs: 20 + check-dependabot-alerts: 21 + runs-on: ubuntu-latest 22 + steps: 23 + - name: Check for open Dependabot alerts 24 + id: check_alerts 25 + run: | 26 + # Fetch open Dependabot alerts 27 + ALERTS=$(gh api "/repos/${{ github.repository }}/dependabot/alerts" \ 28 + --jq '.[] | select(.state=="open") | {number: .number, severity: .security_vulnerability.severity, package: .dependency.package.name, current: .security_vulnerability.vulnerable_version_range, patched: .security_vulnerability.first_patched_version.identifier, summary: .security_advisory.summary, cvss: .security_advisory.cvss.score}') 29 + 30 + # Count alerts by severity 31 + CRITICAL=$(echo "$ALERTS" | jq -s '[.[] | select(.severity=="CRITICAL")] | length') 32 + HIGH=$(echo "$ALERTS" | jq -s '[.[] | select(.severity=="HIGH")] | length') 33 + MODERATE=$(echo "$ALERTS" | jq -s '[.[] | select(.severity=="MODERATE")] | length') 34 + LOW=$(echo "$ALERTS" | jq -s '[.[] | select(.severity=="LOW")] | length') 35 + 36 + TOTAL=$((CRITICAL + HIGH + MODERATE + LOW)) 37 + 38 + echo "total=$TOTAL" >> $GITHUB_OUTPUT 39 + echo "critical=$CRITICAL" >> $GITHUB_OUTPUT 40 + echo "high=$HIGH" >> $GITHUB_OUTPUT 41 + echo "moderate=$MODERATE" >> $GITHUB_OUTPUT 42 + echo "low=$LOW" >> $GITHUB_OUTPUT 43 + 44 + # Save alert details for issue creation 45 + echo "$ALERTS" | jq -s '.' 
> alerts.json 46 + env: 47 + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 48 + 49 + - name: Create GitHub issue for alerts 50 + if: steps.check_alerts.outputs.total > 0 51 + run: | 52 + # Read alerts 53 + ALERTS=$(cat alerts.json) 54 + 55 + # Build issue body 56 + BODY="## 🔒 Security Alert Summary 57 + 58 + Found **${{ steps.check_alerts.outputs.total }}** open Dependabot alerts: 59 + 60 + " 61 + 62 + if [ "${{ steps.check_alerts.outputs.critical }}" -gt 0 ]; then 63 + BODY+="- 🔴 **Critical**: ${{ steps.check_alerts.outputs.critical }} 64 + " 65 + fi 66 + 67 + if [ "${{ steps.check_alerts.outputs.high }}" -gt 0 ]; then 68 + BODY+="- 🟠 **High**: ${{ steps.check_alerts.outputs.high }} 69 + " 70 + fi 71 + 72 + if [ "${{ steps.check_alerts.outputs.moderate }}" -gt 0 ]; then 73 + BODY+="- 🟡 **Moderate**: ${{ steps.check_alerts.outputs.moderate }} 74 + " 75 + fi 76 + 77 + if [ "${{ steps.check_alerts.outputs.low }}" -gt 0 ]; then 78 + BODY+="- 🟢 **Low**: ${{ steps.check_alerts.outputs.low }} 79 + " 80 + fi 81 + 82 + BODY+=" 83 + ### Alert Details 84 + 85 + " 86 + 87 + # Add each alert as a row in the table 88 + BODY+="| Severity | Package | Vulnerability | Current | Fixed | 89 + |----------|---------|---------------|---------|-------| 90 + " 91 + 92 + echo "$ALERTS" | jq -r '.[] | "| \(.severity) | \(.package) | \(.summary) | \(.current) | \(.patched // "N/A") |"' >> body.txt 93 + 94 + BODY+="$(cat body.txt) 95 + 96 + ### Next Steps 97 + 98 + 1. Review Dependabot security PRs (if auto-created) 99 + 2. Manually update dependencies if needed 100 + 3. 
Close this issue once all alerts are resolved 101 + 102 + **Automated by:** [Security Alert Check workflow](https://github.com/${{ github.repository }}/actions/workflows/security-alerts.yml) 103 + **View all alerts:** https://github.com/${{ github.repository }}/security/dependabot 104 + " 105 + 106 + # Check if similar issue exists 107 + EXISTING=$(gh issue list \ 108 + --repo "${{ github.repository }}" \ 109 + --label "security,dependabot" \ 110 + --state open \ 111 + --search "Security Alert Summary" \ 112 + --json number \ 113 + --jq '.[0].number // empty') 114 + 115 + if [ -n "$EXISTING" ]; then 116 + echo "Updating existing issue #$EXISTING" 117 + gh issue comment "$EXISTING" \ 118 + --repo "${{ github.repository }}" \ 119 + --body "$(cat <<EOF 120 + ## 🔄 Alert Status Update - $(date +%Y-%m-%d) 121 + 122 + ${BODY} 123 + EOF 124 + )" 125 + else 126 + echo "Creating new issue" 127 + gh issue create \ 128 + --repo "${{ github.repository }}" \ 129 + --title "🔒 Security Alerts - $(date +%Y-%m-%d)" \ 130 + --label "security,dependabot" \ 131 + --body "$BODY" 132 + fi 133 + env: 134 + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
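Review bot: the severity counts in the `Check for open Dependabot alerts` step will always be zero, because the REST endpoint returns `security_vulnerability.severity` in lowercase (`low`, `medium`, `high`, `critical`) while the filters compare against `"CRITICAL"`, `"HIGH"`, `"MODERATE"` and `"LOW"` (the GraphQL spelling, and `moderate` does not exist in the REST enum at all); with `TOTAL` stuck at 0 the `if: steps.check_alerts.outputs.total > 0` guard never lets the issue step run. Compare against the lowercase values (with `medium` in place of `moderate`) or normalise with `ascii_downcase` in the jq filter. Two smaller points in the same step: `gh api` without `--paginate` returns only the first page of alerts, so pass `--paginate` and append `?state=open` to the path instead of filtering `.state` client-side; and `security-events: read` grants code-scanning access, whereas the Dependabot alerts endpoint is not readable with the default `GITHUB_TOKEN` (there is no Dependabot-alerts key in the workflow `permissions` list), so expect "Resource not accessible by integration" unless a PAT or GitHub App token with Dependabot alerts read permission is supplied. In the issue step, `.summary` is written unescaped into a Markdown table row, so a `|` in an advisory title breaks the table, and because the step only runs when `total > 0`, an existing issue is never closed once the alerts are resolved, which the "Next Steps" text leaves to the reader; a small `else` branch that closes the open issue when `total` is 0 would round this out.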