
Commit b5aa829

Copilotfelickz
andcommitted
Add SECRET_TYPE_FILTER support for secret scanning alerts
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
1 parent d999243 commit b5aa829


3 files changed

+17
-6
lines changed

3 files changed

+17
-6
lines changed

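--- a/README.md
+++ b/README.md
@@ -77,6 +77,7 @@ The list of all available options that can be set as environmental variables is
 - `GITHUB_REPORT_SCOPE`: The scope of the report to generate. Valid values are `repository` (default), `organization` or `enterprise`.
 - `SCOPE_NAME` or `GITHUB_REPOSITORY`: The name of the repository, organization or enterprise to generate the report for. If `SCOPE_NAME` is not set, the value of `GITHUB_REPOSITORY` is used if it is set. If neither is set, an error occurs.
 - `FEATURES`: A comma-separated list of features to include in the report. Valid values are `codescanning`, `secretscanning`, `dependabot` or simply `all`. Default value: `all`.
+- `SECRET_TYPE_FILTER`: A comma-separated list of secret types to filter secret scanning alerts. For example: `password,api_key,oauth_token`. If not set, all secret types are included.
 
 The first two are only needed if you're running this in a GitHub Enterprise Server or GitHub AE environment. The last one is useful if you only want to get data on a specific feature. For example, if you only want to get data on secret scanning, you can set `FEATURES` to `secretscanning`. Here's just another example how you would configure this on a GitHub Enterprise Server:
 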
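--- a/main.py
+++ b/main.py
@@ -34,6 +34,7 @@
 report_scope = os.getenv("GITHUB_REPORT_SCOPE", "repository")
 scope_name = os.getenv("SCOPE_NAME", os.getenv("GITHUB_REPOSITORY"))
 requested_features = os.getenv("FEATURES")
+secret_type_filter = os.getenv("SECRET_TYPE_FILTER")
 if (requested_features is None) or (requested_features == "all"):
 features = FEATURES
 else:
@@ -52,7 +53,7 @@
 # secret scanning
 if "secretscanning" in features:
 try:
-secrets_list = secret_scanning.get_enterprise_ss_alerts(api_endpoint, github_pat, scope_name)
+secrets_list = secret_scanning.get_enterprise_ss_alerts(api_endpoint, github_pat, scope_name, secret_type_filter)
 secret_scanning.write_enterprise_ss_list(secrets_list)
 except Exception as e:
 if any(x in str(e).lower() for x in secret_scanning_disabled_strings):
@@ -104,7 +105,7 @@
 # secret scanning
 if "secretscanning" in features:
 try:
-secrets_list = secret_scanning.get_org_ss_alerts(api_endpoint, github_pat, scope_name)
+secrets_list = secret_scanning.get_org_ss_alerts(api_endpoint, github_pat, scope_name, secret_type_filter)
 secret_scanning.write_org_ss_list(secrets_list)
 except Exception as e:
 if any(x in str(e).lower() for x in secret_scanning_disabled_strings):
@@ -132,7 +133,7 @@
 # secret scanning
 if "secretscanning" in features:
 try:
-secrets_list = secret_scanning.get_repo_ss_alerts(api_endpoint, github_pat, scope_name)
+secrets_list = secret_scanning.get_repo_ss_alerts(api_endpoint, github_pat, scope_name, secret_type_filter)
 secret_scanning.write_repo_ss_list(secrets_list)
 except Exception as e:
 if any(x in str(e).lower() for x in secret_scanning_disabled_strings):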
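Review bot: The value read from `SECRET_TYPE_FILTER` on new line 37 reaches all three `get_*_ss_alerts` calls exactly as typed, and nothing in the run says the resulting report is filtered. A value such as `password, api_key` (space after the comma) or a mistyped type name may therefore yield a report with fewer or no secret scanning alerts that reads like a complete one. Consider normalising at the read site, e.g. `secret_type_filter = ",".join(t.strip() for t in os.getenv("SECRET_TYPE_FILTER", "").split(",") if t.strip()) or None`, and printing one line when it is set, e.g. `print(f"Secret scanning alerts limited to types: {secret_type_filter}")`. The three `try` blocks continue outside the hunks, so how an API error caused by a bad filter is handled is not visible here.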

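--- a/src/secret_scanning.py
+++ b/src/secret_scanning.py
@@ -5,19 +5,22 @@
 from . import api_helpers
 
 
-def get_repo_ss_alerts(api_endpoint, github_pat, repo_name):
+def get_repo_ss_alerts(api_endpoint, github_pat, repo_name, secret_type_filter=None):
 """
 Get all the secret scanning alerts on a given repository.
 
 Inputs:
 - API endpoint (for GHES/GHAE compatibility)
 - PAT of appropriate scope
 - Repository name
+- Secret type filter (optional comma-separated list of secret types)
 
 Outputs:
 - List of _all_ secret scanning alerts on the repository
 """
 url = f"{api_endpoint}/repos/{repo_name}/secret-scanning/alerts?per_page=100&page=1"
+if secret_type_filter:
+url += f"&secret_type={secret_type_filter}"
 ss_alerts = api_helpers.make_api_call(url, github_pat)
 print(f"Found {len(ss_alerts)} secret scanning alerts in {repo_name}")
 return ss_alerts
@@ -69,19 +72,22 @@ def write_repo_ss_list(secrets_list):
 )
 
 
-def get_org_ss_alerts(api_endpoint, github_pat, org_name):
+def get_org_ss_alerts(api_endpoint, github_pat, org_name, secret_type_filter=None):
 """
 Get all the secret scanning alerts on a given organization.
 
 Inputs:
 - API endpoint (for GHES/GHAE compatibility)
 - PAT of appropriate scope
 - Organization name
+- Secret type filter (optional comma-separated list of secret types)
 
 Outputs:
 - List of _all_ secret scanning alerts on the organization
 """
 url = f"{api_endpoint}/orgs/{org_name}/secret-scanning/alerts?per_page=100&page=1"
+if secret_type_filter:
+url += f"&secret_type={secret_type_filter}"
 ss_alerts = api_helpers.make_api_call(url, github_pat)
 print(f"Found {len(ss_alerts)} secret scanning alerts in {org_name}")
 return ss_alerts
@@ -147,7 +153,7 @@ def write_org_ss_list(secrets_list):
 )
 
 
-def get_enterprise_ss_alerts(api_endpoint, github_pat, enterprise_slug):
+def get_enterprise_ss_alerts(api_endpoint, github_pat, enterprise_slug, secret_type_filter=None):
 """
 Get all the secret scanning alerts on a given enterprise.
 
@@ -156,11 +162,14 @@ def get_enterprise_ss_alerts(api_endpoint, github_pat, enterprise_slug):
 - PAT of appropriate scope
 - Enterprise slug (enterprise name URL, documented below)
 - https://docs.github.com/en/rest/reference/enterprise-admin
+- Secret type filter (optional comma-separated list of secret types)
 
 Outputs:
 - List of _all_ secret scanning alerts on the enterprise
 """
 url = f"{api_endpoint}/enterprises/{enterprise_slug}/secret-scanning/alerts?per_page=100&page=1"
+if secret_type_filter:
+url += f"&secret_type={secret_type_filter}"
 ss_alerts = api_helpers.make_api_call(url, github_pat)
 print(f"Found {len(ss_alerts)} secret scanning alerts in {enterprise_slug}")
 return ss_alerts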
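Review bot: `secret_type_filter` is appended to the query string unencoded in all three getters (new lines 22-23, 89-90 and 171-172), so a `SECRET_TYPE_FILTER` value containing `&`, `#` or whitespace changes the request itself rather than being read as a list of types. Extra query parameters carried in that value would narrow or alter the alert listing with no sign of it in the report. Percent-encode the value while keeping the comma separator, e.g. `url += f"&secret_type={quote(secret_type_filter, safe=',')}"`, with `from urllib.parse import quote` added to the imports, which lie outside the hunks shown. Because the same two lines are repeated three times, a small shared helper that builds the alerts URL would keep the encoding in one place. The docstrings could also state that the filter is sent as the `secret_type` query parameter and that a falsy value means no filtering.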
