Queries the graphql endpoint of the github API to glean information about
open vulnerabilities on repositories belonging to a user or team.
Updates itself from the github graphql api at startup and then on the schedule
defined by the configured crontab.
Results are available published via the /report endpoint.
nb. Results are transient in memory only and do not persist beyond app restarts, though are re-aquired at each start up.
go 1.11with module support
Supports the following env vars
| ENV | Example | Description |
|---|---|---|
| CRONTAB | 0 6 * * * |
Defines schedule to perform checks |
| TOKEN | ja9c8dd8sdc... |
Github access token for authenticating to the graph API (requires public_repo and read:org permissions) |
| GITHUB_ORG | my-org-name |
Name of the github organisation to which your team belongs |
| GITHUB_TEAM | my-team |
The slug (name or id) of your team |
| GITHUB_USER | myuser |
Username of the user of which to monitor repos |
TOKEN and CRONTAB are always required
If you wish to check repositories for an organisation team then GITHUB_ORG and
GITHUB_TEAM must be set. Otherwise GITHUB_USER must be set instead.
The access token requires the following scopes: read:org, repo, user
Provides the following endpoints
| Endpoint | Method | Returns |
|---|---|---|
/info |
GET | Current health status of the app and last time checking occurred |
/report |
GET | Current vulnerability report as of last time cron ran |
Build with:
GOOS=linux GOARCH=amd64 go build -o ./bin/monitor cmd/monitor/main.goExample manifest to run update at 6am every day:
applications:
- name: github-vuln-monitor
instances: 1
memory: 256M
buildpack: binary_buildpack
command: ./bin/monitor
env:
GITHUB_ORG: <org>
GITHUB_TEAM: <team-name>
TOKEN: <redacted>
CRONTAB: "0 6 * * *"Copyright (c) 2019 Crown Copyright (Office for National Statistics)
Released under MIT license, see LICENSE for details.