slack-github-secret-scanning-integration/action.yml

name: "Slack - GitHub Secret Scanning Alerts Integration"
description: "A GitHub Action to get alerts from GitHub secret scanning and send them to Slack"
inputs:
  github-token:
    description: "GitHub token with access to secret scanning"
    required: true
  slack-webhook-url:
    description: "Incoming Slack webhook url for channel that you want to send alerts to"
    required: true
  frequency:
    description: "Get secret scanning alerts that have occurred in this period prior to this action running"
    required: false
    default: 24
runs:
  using: "composite"
  steps:
      - name: Secret Scanning Alerts
        id: secret-scanning
        uses: advanced-security/secret-scanning-notifications@v1
        with:
          token: ${{ inputs.github-token}}
          frequency: ${{ inputs.frequency }}
          scope: 'repository'
          new_alerts_filepath: 'new_alerts.json'
          closed_alerts_filepath: 'closed_alerts.json'

      - name: Check number of new alerts
        shell: bash
        id: get-new-alerts
        run: echo "new_alerts=$(jq 'length' new_alerts.json)" >> "$GITHUB_OUTPUT"

      - name: Convert json to plaintext
        shell: bash
        if: ${{ steps.get-new-alerts.outputs.new_alerts > 0}}
        id: json-to-plaintext
        run: |
          echo "new-alerts=$(jq -r '.[] | "- \(.secret_type_display_name): \(.html_url)"' new_alerts.json)" >> "$GITHUB_OUTPUT"

      - name: Send notification to Slack
        id: slack
        if: ${{ steps.json-to-plaintext.outcome == 'success' }}
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 #v1.24.0
        with:
          payload: |
            {
                "text": "New GitHub Secret Scanning Alerts Detected:\n\n${{ steps.json-to-plaintext.outputs.new-alerts }}"
            }
        env:
          SLACK_WEBHOOK_URL: ${{ inputs.slack-webhook-url }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

      - name: Report failure to Slack
        if: always()
        uses: ravsamhq/notify-slack-action@472601e839b758e36c455b5d3e5e1a217d4807bd # 2.5.0
        with:
          status: ${{ job.status }}
          notify_when: "failure"
          notification_title: "Failed to send secret scanning alerts to Slack"
        env:
          SLACK_WEBHOOK_URL: ${{ inputs.slack-webhook-url }}