Add weekly email workflow for Dependabot alerts #2381
asier-isayas wants to merge 1 commit into master from
| runs-on: ubuntu-latest | ||
| steps: | ||
| # Step 1: Checkout the repository code (optional for this task, but typical in workflows) | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
|
|
||
| # Step 2: Fetch Dependabot Alerts via GitHub API | ||
| - name: Fetch Dependabot Alerts | ||
| id: dependabot-alerts | ||
| run: | | ||
| curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | ||
| -H "Accept: application/vnd.github.v3+json" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/dependabot/alerts?state=open" > dependabot_alerts.json | ||
|
|
||
| # Step 3: Format the Dependabot Alerts | ||
| - name: Format Alerts as Email Body | ||
| id: format-alerts | ||
| run: | | ||
| alerts=$(cat dependabot_alerts.json | jq -r '.[] | "* **\(.securityVulnerability.package.name)**: \(.securityVulnerability.severity) severity, CVE-Id: [\(.securityVulnerability.cve)](https://cve.mitre.org/cve/\(.securityVulnerability.cve))\n \(.description)\n"') | ||
| echo "$alerts" > formatted_alerts.txt | ||
|
|
||
| # Step 4: Send the Email via Outlook SMTP (from DL1 to DL1 or DL2) | ||
| - name: Send Email | ||
| uses: dawidd6/action-send-mail@v3 | ||
| with: | ||
| smtp-server: smtp.office365.com | ||
| smtp-port: 587 | ||
| smtp-user: cdbportal@microsoft.com # Use DL1's email address | ||
| from: cdbportal@microsoft.com # The sender is DL1 | ||
| to: "dl1@yourdomain.com" # This is the recipient DL1; can also use another DL (e.g., dl2@yourdomain.com) | ||
| subject: "Weekly Dependabot Vulnerabilities for ${{ github.repository }}" | ||
| body: | | ||
| **Weekly Dependabot Security Alerts** | ||
|
|
||
| Below are the new security vulnerabilities found in your dependencies: | ||
|
|
||
| ${{ steps.format-alerts.outputs.alerts }} |
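Review bot: Step 4 reads `${{ steps.format-alerts.outputs.alerts }}`, but Step 3 never declares an `alerts` output; it only writes `formatted_alerts.txt`, so the email body will be empty. Publish it as a multi-line step output, e.g. `{ echo "alerts<<EOF"; cat formatted_alerts.txt; echo "EOF"; } >> "$GITHUB_OUTPUT"`. The jq filter in Step 3 also uses GraphQL-style names (`.securityVulnerability`, `.cve`), while the REST endpoint queried in Step 2 returns `security_vulnerability.package.name`, `security_vulnerability.severity`, `security_advisory.cve_id` and `security_advisory.description`, so each interpolated field will resolve to null. In Step 4, `smtp-server`, `smtp-port` and `smtp-user` are not inputs of dawidd6/action-send-mail (its inputs are `server_address`, `server_port`, `username`, `password`), and no credential is supplied at all; the mailbox password must come from a repository secret (for example `password: ${{ secrets.SMTP_PASSWORD }}`, a placeholder name), never from the workflow file, and the `dl1@yourdomain.com` placeholder recipient should be replaced before merging.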
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 12 days ago
In general, the fix is to explicitly declare a permissions: block for the workflow (or for the send-email job) that limits the GITHUB_TOKEN to the least privileges needed. This workflow only needs to read repository contents and security/dependabot alerts, and it does not modify any GitHub resources.
The best minimal fix without changing functionality is to add a root-level permissions: section (so it applies to all jobs) with contents: read and security-events: read. contents: read matches GitHub’s suggested minimal starting point and is sufficient for most repository reads; security-events: read is appropriate for accessing security/dependabot-related data via the API. No changes are needed to steps, commands, or actions. Concretely, edit .github/workflows/dependabot-weekly-email.yml to insert a permissions: block between the on: section and the jobs: section.
| @@ -4,6 +4,10 @@ | ||
| schedule: | ||
| - cron: '0 0 * * 0' # Triggers the workflow every Sunday at midnight UTC. | ||
|
|
||
| permissions: | ||
| contents: read | ||
| security-events: read | ||
|
|
||
| jobs: | ||
| send-email: | ||
| runs-on: ubuntu-latest |
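Review bot: A root-level `permissions` block with `contents: read` and `security-events: read` is the right shape for this alert, but confirm in a test run that `GITHUB_TOKEN` can actually list Dependabot alerts with that grant: the REST endpoint's documented requirement is the repository's "Dependabot alerts" permission, which is granted to fine-grained tokens and GitHub Apps and is not one of the `permissions:` keys. If the call returns 403, the fetch step needs a GitHub App or fine-grained token stored as a secret in the Authorization header instead of `GITHUB_TOKEN`. Either way, add `--fail` to the curl in the fetch step so a permission error fails the run rather than emailing an empty report.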