Skip to content

An action that filters security alerts related to OWASP Top 10 risks.

License

Notifications You must be signed in to change notification settings

KittyChiu/alerts-to-owasp10

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

alerts-to-owasp10 Action

Lint CI CodeQL Coverage

This GitHub Action filters GitHub security alerts generated from your GitHub repositories that are related to OWASP Top 10 risks.

Use cases

  • As a security officer, I want to know if my organisation is exposed to OWASP Top 10 risks, so I can trigger incident response to remediate till resolution in production.
  • As an engineering manager, I want to know gaps in application security, so that I can prioritise mentoring and learning in the identified areas.

How does this action work?

This action performs filtering with CWEs in the data sets below. If the filtered list returns more than zero alert, then your repository may expose to the OWASP Top 10 risks.

Data Source Description
CodeQL code scanning alerts API /orgs/{org}/code-scanning/alerts Alerts with state open and have CWE references.
OWASP Top 10 OWASP/Top10, 2021 revision Risks with referenced CWEs

Outputs

When the action is completed, Below outputs are available:

Output Description
mapping.csv A CSV file contains a list of alerts filtered with OWASP Top 10.
alerts.json A JSON file contains an unfiltered list of alerts in the given organisation with status open.

Expand below for an example output of the mapping.csv file:

repo_name,alert_no,risk,cwe_id
webgoat-demo-2,1,A03:2021 – Injection,cwe-079
webgoat-demo-1,10,A03:2021 – Injection,cwe-020
demo-nodegoat,25,A01:2021 – Broken Access Control,cwe-601
demo-nodegoat,26,A02:2021 – Cryptographic Failures,cwe-319
demo-nodegoat,26,A04:2021 – Insecure Design,cwe-311
demo-nodegoat,26,A05:2021 – Security Misconfiguration,cwe-614

Expand below for an example output of the alerts.json file:

{
  "webgoat-demo-2": {
    "1": [
      "cwe-079",
      "cwe-116"
    ],
    "2": [
      "cwe-079",
      "cwe-116"
    ]
},
  "webgoat-demo-3": {
    "24": [
      "cwe-079",
      "cwe-094",
      "cwe-095",
      "cwe-116"
    ],
    "25": [
      "cwe-601"
    ]
}

Configurations

Configuring the action with the following:

Environment Variable Required Default Description
ORGANISATION Yes N/A Name of the organisation.
GITHUB_TOKEN Yes N/A A GitHub token with access to the organisation owner. Minimal scope is security_events.

Basic Usage

To use this action, simply include it in your workflow file:

steps:
  - name: Checkout
    id: checkout
    uses: actions/checkout@v4

  - name: OWASP Top 10
    uses: KittyChiu/alerts-to-owasp10@v0.1.2
    env:
      ORGANISATION: ${{ github.repository_owner }}
      GITHUB_TOKEN: ${{ secrets.ALERTS_TOKEN }}

  - name: Upload Artifact
    id: upload
    uses: actions/upload-artifact@v4
    with:
      name: mapping
      path: mapping.csv

Do fork this action for advanced usage - to customise output format and additional data context. For example, you might want to include alerts that are closed, dismissed, or fixed etc.

License

This project is licensed under the MIT License.

Contributing

See the contributing guidelines for more information.

Support

This action is maintained by codeowners, and supported by the community. To start, open an issue in this repository and assign a label.

Acknowledgement

  • The copy of OWASP Top 10 CWE data in this repository originated from OWASP/Top10 repo.

About

An action that filters security alerts related to OWASP Top 10 risks.

Topics

Resources

License

Stars

Watchers

Forks