Merge pull request #144 from pangaeatech/flag-security-alerts

Flag security alerts and pass versions through
dependabot · Feb 22, 2022 · e35f7ed · e35f7ed
2 parents 2354b3f + b7b7f7f
commit e35f7ed
Show file tree

Hide file tree

Showing 12 changed files with 460 additions and 91 deletions.
diff --git a/README.md b/README.md
@@ -25,8 +25,17 @@ jobs:
       uses: dependabot/fetch-metadata@v1.1.1
       with:
         github-token: "${{ secrets.GITHUB_TOKEN }}"
+        alert-lookup: true
 ```
 
+Supported inputs are:
+
+- `github-token` (REQUIRED string)
+  - The `GITHUB_TOKEN` secret
+- `alert-lookup` (boolean)
+  - If `true`, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs.
+  - Defaults to `false`
+
 Subsequent actions will have access to the following outputs:
 
 - `steps.dependabot-metadata.outputs.dependency-names`
@@ -43,6 +52,16 @@ Subsequent actions will have access to the following outputs:
   - The `package-ecosystem` configuration that was used by dependabot for this updated Dependency.
 - `steps.dependabot-metadata.outputs.target-branch`
   - The `target-branch` configuration that was used by dependabot for this updated Dependency.
+- `steps.dependabot-metadata.outputs.previous-version`
+  - The version that this PR updates the dependency from.
+- `steps.dependabot-metadata.outputs.new-version`
+  - The version that this PR updates the dependency to.
+- `steps.dependabot-metadata.outputs.alert-state`
+  - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
+- `steps.dependabot-metadata.outputs.ghsa-id`
+  - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.
+- `steps.dependabot-metadata.outputs.cvss`
+  - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).
 
 **Note:** These outputs will only be populated if the target Pull Request was opened by Dependabot and contains
 **only** Dependabot-created commits.

diff --git a/action.yml b/action.yml
@@ -4,6 +4,9 @@ branding:
   icon: 'search'
   color: 'blue'
 inputs:
+  alert-lookup:
+    type: boolean
+    description: 'If true, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs'
   github-token:
     description: 'The GITHUB_TOKEN secret'
     required: true
@@ -22,6 +25,16 @@ outputs:
     description: 'The `package-ecosystem` configuration that was used by dependabot for this updated Dependency.'
   target-branch:
     description: 'The `target-branch` configuration that was used by dependabot for this updated Dependency.'
+  previous-version:
+    description: 'The version that this PR updates the dependency from.'
+  new-version:
+    description: 'The version that this PR updates the dependency to.'
+  alert-state:
+    description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
+  ghsa-id:
+    description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.'
+  cvss:
+    description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).'
 runs:
   using: 'node12'
   main: 'dist/index.js'
diff --git a/dist/index.js b/dist/index.js