Security Hub Jira Sync #598
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security Hub Jira Sync | |
on: | |
schedule: | |
- cron: "0 14-23/2 * * *" | |
workflow_dispatch: | |
jobs: | |
security-hub-jira-sync: | |
name: Security Hub Jira Sync | |
runs-on: ubuntu-20.04 | |
permissions: | |
id-token: write | |
contents: read | |
# This workflow should only run from one project per AWS account. | |
# In other words, if you have many repos deploying to the same AWS account, | |
# only one of those repos should have this workflow activated. | |
# It's not dangerous if more than one have it active, it's just not ideal. | |
# This flag forces a user to explicitly enable it, allowing consumers of this | |
# template to decide if they should enable it or not. | |
# To set this flag, make a repository variable entitled ENABLE_SECURITY_HUB_SYNC | |
# and give it any value. It's existence is the flag. | |
if: ${{ vars.ENABLE_SECURITY_HUB_SYNC }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- uses: ./.github/actions/setup | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
aws-region: us-east-1 | |
role-duration-seconds: 10800 | |
- name: Invoke Security Hub Jira Sync | |
id: jiraUpdates | |
env: | |
JIRA_HOST: qmacbis.atlassian.net | |
JIRA_PROJECT: OY2 | |
JIRA_USERNAME: ${{ secrets.JIRA_USERNAME }} | |
JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }} | |
run: | | |
jiraUpdates=$(run securityHubJiraSync) | |
jiraUpdatesFormatted=$(echo "$jiraUpdates" | jq -r '.[] | "\(.action) - <\(.webUrl)|\(.summary)>"' | tr '\n' '\r') | |
echo "jiraUpdates=$jiraUpdatesFormatted" >> $GITHUB_ENV | |
- name: Slack Notification - notify of Security Hub Jira issues updates | |
uses: rtCamp/action-slack-notify@v2 | |
if: env.SLACK_WEBHOOK != '' && env.jiraUpdates != '' | |
env: | |
SLACK_MSG_AUTHOR: ${{ github.repository }} | |
SLACK_COLOR: ${{ job.status }} | |
SLACK_ICON: https://github.com/${{ github.repository_owner }}.png?size=48 | |
SLACK_TITLE: Security Hub Jira Sync | |
SLACK_MESSAGE: ${{ env.jiraUpdates }} | |
SLACK_USERNAME: ${{ github.repository }} - ${{ github.workflow }} | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
MSG_MINIMAL: true | |
- name: Slack Notification - notify of failure reporting on Security Hub Jira issues updates | |
uses: rtCamp/action-slack-notify@v2 | |
if: env.SLACK_WEBHOOK != '' && failure() | |
env: | |
SLACK_MSG_AUTHOR: ${{ github.repository }} | |
SLACK_COLOR: ${{ job.status }} | |
SLACK_ICON: https://github.com/${{ github.repository_owner }}.png?size=48 | |
SLACK_TITLE: Failure reporting on Security Hub Jira Sync | |
SLACK_MESSAGE: Failure reporting on Security Hub Jira Sync | |
SLACK_USERNAME: ${{ github.repository }} - ${{ github.workflow }} | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
MSG_MINIMAL: true |