This project exports GitHub code scanning, secret scanning, and dependabot security alerts to multiple formats.
Create a workflow (eg: .github/workflows/security-export.yml). See Creating a Workflow file.
You will need to create a PAT(Personal Access Token) that has the appropriate scope.
Add this PAT as a secret so we can use it as input github-token, see Creating encrypted secrets for a repository.
If your organization has SAML enabled you must authorize the PAT, see Authorizing a personal access token for use with SAML single sign-on.
You can pass enterprise, organization, or repository to scope the export.
name: Export Security Alerts on: workflow_dispatch: jobs: run: name: Export runs-on: ubuntu-latest steps: - uses: austenstone/security-export@main id: export with: github-token: ${{ secrets.PAT }} organization: octodemo - run: | echo "$DEPENDABOT" echo "$CODE_SCANNING" echo "$SECRET_SCANNING" env: DEPENDABOT: ${{ steps.export.outputs.dependabot }} CODE_SCANNING: ${{ steps.export.outputs.code-scanning }} SECRET_SCANNING: ${{ steps.export.outputs.secret-scanning }}You can export to CSV using the austenstone/json-to-csv action.
Note
The output of this action might exceed the maximum size of inputs/outputs. In that case leverage the generated artifact as shown in the example.
name: Export Security Alerts on: workflow_dispatch: jobs: run: name: Export runs-on: ubuntu-latest steps: - uses: austenstone/security-export@main id: export with: github-token: ${{ secrets.PAT }} repository: octodemo/vulnerable-node - uses: austenstone/json-to-csv@main with: json-artifact-name: ${{ steps.export.outputs.artifact-name }} create-artifact: true artifact-name: "GitHub Security Alerts CSV" code-scanning-query-parameters: '{ "severity": "critical", "state": "open" }' secret-scanning-query-parameters: '{ "state": "open" }' dependabot-query-parameters: '{ "severity": "critical", "state": "open" }'We create an artifact by default, you can disable this by setting create-artifact to false. Modify the artifact-name to change the name of the artifact.
create-artifact: true artifact-name: "GitHub Security Alerts"Access the artifact via the output variable ${{ steps[*].export.outputs.artifact-name }}.
Various inputs are defined in action.yml:
| Name | Description | Default |
|---|---|---|
| github‑token | Token to use to authorize. | ${{ github.token }} |
| enterprise | The GitHub Enterprise | N/A |
| organization | The GitHub organization | N/A |
| repository | The GitHub repository | ${{ github.repository }} |
| code-scanning | Whether to export code scanning alerts | true |
| code-scanning-query-parameters | Query parameters as JSON Ex: {"state": dismissed} | N/A |
| secret-scanning | Whether to export secret scanning alerts | true |
| secret-scanning-query-parameters | Query parameters as JSON | N/A |
| dependabot | Whether to export dependabot alerts | true |
| dependabot-query-parameters | Query parameters as JSON Ex: {"state": dismissed} | N/A |
| create-artifact | Whether to create an artifact | true |
| Name | Description |
|---|---|
| dependabot | Dependabot alerts as a JSON string |
| code-scanning | Code scanning alerts as a JSON string |
| secret-scanning | Secret scanning alerts as a JSON string |
| artifact-name | The name of the artifact |
To get more help on the Actions see documentation.