Skip to content

feat: implemented security-monitoring to send metrics to CW #1510 #4821

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 7, 2024
Merged

feat: implemented security-monitoring to send metrics to CW #1510 #4821

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a949702
added security-monitoring
mohamedzeidan2021 Aug 6, 2024
602745e
changed role name
mohamedzeidan2021 Aug 6, 2024
ed1228d
all metrics under same namespace
mohamedzeidan2021 Aug 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 122 additions & 0 deletions .github/workflows/security-monitoring.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
name: Security Monitoring

on:
schedule:
- cron: '0 9 * * *'

concurrency:
group: ${{ github.workflow }}-${{ github.run_id }}
cancel-in-progress: true

permissions:
id-token: write

jobs:
check-code-scanning-alerts:
runs-on: ubuntu-latest
outputs:
code_scanning_alert_status: ${{ steps.check-code-scanning-alerts.outputs.code_scanning_alert_status }}
steps:
- name: Check for security alerts
id: check-code-scanning-alerts
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
with:
github-token: ${{ secrets.GH_PAT }}
script: |
async function checkAlerts() {
const owner = '${{ github.repository_owner }}';
const repo = '${{ github.event.repository.name }}';
const ref = 'refs/heads/master';

const codeScanningAlerts = await github.rest.codeScanning.listAlertsForRepo({
owner,
repo,
ref: ref
});
const activeCodeScanningAlerts = codeScanningAlerts.data.filter(alert => alert.state === 'open');
core.setOutput('code_scanning_alert_status', activeCodeScanningAlerts.length > 0 ? '1': '0');
}
await checkAlerts();

check-dependabot-alerts:
runs-on: ubuntu-latest
outputs:
dependabot_alert_status: ${{ steps.check-dependabot-alerts.outputs.dependabot_alert_status }}
steps:
- name: Check for dependabot alerts
id: check-dependabot-alerts
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
with:
github-token: ${{ secrets.GH_PAT }}
script: |
async function checkAlerts() {
const owner = '${{ github.repository_owner }}';
const repo = '${{ github.event.repository.name }}';

const dependabotAlerts = await github.rest.dependabot.listAlertsForRepo({
owner,
repo,
headers: {
'accept': 'applications/vnd.github+json'
}
});
const activeDependabotAlerts = dependabotAlerts.data.filter(alert => alert.state === 'open');
core.setOutput('dependabot_alert_status', activeDependabotAlerts.length > 0 ? '1': '0');
}
await checkAlerts();

check-secret-scanning-alerts:
runs-on: ubuntu-latest
outputs:
secret_scanning_alert_status: ${{ steps.check-secret-scanning-alerts.outputs.secret_scanning_alert_status }}
steps:
- name: Check for secret scanning alerts
id: check-secret-scanning-alerts
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
with:
github-token: ${{ secrets.GH_PAT }}
script: |
async function checkAlerts() {
const owner = '${{ github.repository_owner }}';
const repo = '${{ github.event.repository.name }}';

const secretScanningAlerts = await github.rest.secretScanning.listAlertsForRepo({
owner,
repo,
});
const activeSecretScanningAlerts = secretScanningAlerts.data.filter(alert => alert.state === 'open');
core.setOutput('secret_scanning_alert_status', activeSecretScanningAlerts.length > 0 ? '1': '0');
console.log("Active Secret Scanning Alerts", activeSecretScanningAlerts);
}
await checkAlerts();

put-metric-data:
runs-on: ubuntu-latest
needs: [check-code-scanning-alerts, check-dependabot-alerts, check-secret-scanning-alerts]
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@12e3392609eaaceb7ae6191b3f54bbcb85b5002b
with:
role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }}
aws-region: us-west-2
- name: Put Code Scanning Alert Metric Data
run: |
if [ "${{ needs.check-code-scanning-alerts.outputs.code_scanning_alert_status }}" == "1" ]; then
aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace CodeScanningMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
else
aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace CodeScanningMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
fi
- name: Put Dependabot Alert Metric Data
run: |
if [ "${{ needs.check-dependabot-alerts.outputs.dependabot_alert_status }}" == "1" ]; then
aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace DependabotMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
else
aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace DependabotMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
fi
- name: Put Secret Scanning Alert Metric Data
run: |
if [ "${{ needs.check-secret-scanning-alerts.outputs.secret_scanning_alert_status }}" == "1" ]; then
aws cloudwatch put-metric-data --metric-name SecretScanningAlert --namespace SecretScanningMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
else
aws cloudwatch put-metric-data --metric-name SecretScanningAlert --namespace SecretScanningMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
fi