Send GitHub Dependabot Alerts to Slack

@kunalnagarco/action-cve

An Open Source GitHub action that sends Dependabot Security Alerts to Slack and PagerDuty.

Source code

Inspiration

GitHub has a webhook event called repository_vulnerability_alert that is triggered when a vulnerability is discovered on a repository/organization. Unfortunately, there’s no documentation (that I could find) to watch for this event in a GitHub action and send it to alerting platforms.

I created this GitHub action that can be run on a CRON schedule (every 6 hours is recommended).

Installation

There are a few things you need to set up on the repository before this action can be used:

  1. Enable Dependabot Alerts for the repository.

  2. Create a GitHub Personal Access Token and add it to the repository’s secrets.

  3. For Slack, you’d want to send these alerts to a dedicated channel. Create a Webhook URL for the channel and add it to the repository’s secrets. You may also use the Incoming Webhooks Slack app, which makes this a lot easier.

    Screenshot

    For PagerDuty, the action will send an Alert Event which should create a new Incident with an info severity.

    Screenshot

  4. Create a new GitHub Actions workflow that runs this action on the schedule.
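The following workflow is an added example of step 4, not a file from the action’s own repository. The input names (`token`, `slack_webhook`, `pager_duty_integration_key`), the `@v1` ref and the secret names are assumptions: check them against the action’s README and pin the ref to a release tag or commit SHA you have reviewed. The `workflow_dispatch` trigger is added so the wiring can be tested once without waiting for the cron.

```yaml
# .github/workflows/dependabot-alerts.yml
# Added example workflow (not part of the action's repository).
# Input names, the @v1 ref and the secret names are assumptions;
# verify them against the action's README before use.
name: Dependabot alerts to Slack and PagerDuty

on:
  schedule:
    - cron: '0 */6 * * *'   # every 6 hours, the interval recommended above
  workflow_dispatch:          # manual run for testing the secrets and channel

# The job only needs to read the repository; alerts are fetched with the
# Personal Access Token stored as a secret, not with GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: kunalnagarco/action-cve@v1   # assumed ref; pin to a reviewed tag or SHA
        with:
          token: ${{ secrets.DEPENDABOT_ALERTS_PAT }}            # assumed secret name
          slack_webhook: ${{ secrets.SLACK_WEBHOOK }}             # assumed secret name
          pager_duty_integration_key: ${{ secrets.PAGER_DUTY_INTEGRATION_KEY }}  # assumed; omit if not using PagerDuty
```

Keeping `permissions` at `contents: read` limits what a compromised step could do with `GITHUB_TOKEN`; the Personal Access Token from step 2 is the credential that actually reads the Dependabot alerts, so scope that token as narrowly as the action allows and store it only as a repository secret.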

For more documentation, please check out the Wiki.

Support

If you find a bug, please open an issue.