Queries the GraphQL endpoint of the GitHub API to glean information about open vulnerabilities on repositories belonging to a user or team. Updates itself from the GitHub GraphQL API at startup and then on the schedule defined by the configured crontab.

Results are published via the `/report` endpoint.

NB: results are transient, held in memory only, and do not persist beyond app restarts; they are re-acquired at each start up.
Requires Go 1.11 with module support.
Supports the following env vars:

ENV | Example | Description |
---|---|---|
CRONTAB | `0 6 * * *` | Defines schedule to perform checks |
TOKEN | `ja9c8dd8sdc...` | GitHub access token for authenticating to the GraphQL API (requires public_repo and read:org permissions) |
GITHUB_ORG | `my-org-name` | Name of the GitHub organisation to which your team belongs |
GITHUB_TEAM | `my-team` | The slug (name or id) of your team |
GITHUB_USER | `myuser` | Username of the user whose repos are to be monitored |
TOKEN and CRONTAB are always required.

If you wish to check repositories for an organisation team then GITHUB_ORG and GITHUB_TEAM must be set. Otherwise GITHUB_USER must be set instead.

The access token requires the following scopes: read:org, repo, user.
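The configuration rules above (TOKEN and CRONTAB always required; GITHUB_ORG together with GITHUB_TEAM, or else GITHUB_USER) and the choice between a team query and a user query are shown below as an added example. This is not the project's own code: the field names used in the GraphQL document (`organization`, `team`, `user`, `repositories`, `vulnerabilityAlerts`, `securityVulnerability`, `securityAdvisory`) are taken from the public GitHub GraphQL schema, and the README does not reproduce the project's actual query, so the query shape is an assumption. Values are passed as GraphQL variables rather than spliced into the query string.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Mode says which set of repositories the monitor walks.
type Mode int

const (
	ModeUser Mode = iota
	ModeTeam
)

// Config is the validated environment described in the README.
type Config struct {
	Token, Crontab, Org, Team, User string
	Mode                            Mode
}

// loadConfig applies the README's rules. `get` is the lookup function
// (os.Getenv in production, a map in tests) so the logic can be exercised
// without touching the real environment.
func loadConfig(get func(string) string) (Config, error) {
	cfg := Config{
		Token:   strings.TrimSpace(get("TOKEN")),
		Crontab: strings.TrimSpace(get("CRONTAB")),
		Org:     strings.TrimSpace(get("GITHUB_ORG")),
		Team:    strings.TrimSpace(get("GITHUB_TEAM")),
		User:    strings.TrimSpace(get("GITHUB_USER")),
	}
	var missing []string
	if cfg.Token == "" {
		missing = append(missing, "TOKEN")
	}
	if cfg.Crontab == "" {
		missing = append(missing, "CRONTAB")
	}
	if len(missing) > 0 {
		return Config{}, fmt.Errorf("missing required env vars: %s", strings.Join(missing, ", "))
	}
	switch {
	case cfg.Org != "" && cfg.Team != "":
		cfg.Mode = ModeTeam
	case cfg.Org != "" || cfg.Team != "":
		return Config{}, errors.New("GITHUB_ORG and GITHUB_TEAM must be set together")
	case cfg.User != "":
		cfg.Mode = ModeUser
	default:
		return Config{}, errors.New("set GITHUB_ORG and GITHUB_TEAM, or GITHUB_USER")
	}
	return cfg, nil
}

// alertFields is the per-repository selection (assumed schema shape, see lead-in).
const alertFields = `{ nodes { nameWithOwner vulnerabilityAlerts(first: 100) { nodes { createdAt dismissedAt securityVulnerability { severity package { ecosystem name } } securityAdvisory { ghsaId summary } } } } }`

// requestBody returns the JSON body for POST https://api.github.com/graphql:
// a query document plus variables, chosen by the configured mode.
func requestBody(cfg Config) ([]byte, error) {
	var q string
	vars := map[string]string{}
	if cfg.Mode == ModeTeam {
		q = `query($org: String!, $team: String!) { organization(login: $org) { team(slug: $team) { repositories(first: 100) ` + alertFields + ` } } }`
		vars["org"], vars["team"] = cfg.Org, cfg.Team
	} else {
		q = `query($user: String!) { user(login: $user) { repositories(first: 100) ` + alertFields + ` } }`
		vars["user"] = cfg.User
	}
	return json.Marshal(map[string]interface{}{"query": q, "variables": vars})
}

func main() {
	cfg, err := loadConfig(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(2)
	}
	body, err := requestBody(cfg)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// The body would be sent with an "Authorization: bearer <TOKEN>" header;
	// here it is only printed so the example runs without network access.
	fmt.Println(string(body))
}
```

Failing fast at startup on a half-configured team (GITHUB_ORG without GITHUB_TEAM) is deliberate: silently falling back to user mode would report on the wrong set of repositories while appearing healthy.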
Provides the following endpoints:

Endpoint | Method | Returns |
---|---|---|
/info | GET | Current health status of the app and last time checking occurred |
/report | GET | Current vulnerability report as of last time cron ran |
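As an added example of the in-memory report behind `/report` (not the project's own code), the block below flattens a GraphQL reply into a report that counts only alerts not yet dismissed, keeps it in a mutex-guarded store that is empty until the first check completes, and serves it as JSON. The response shape is assumed from the public GitHub GraphQL schema; the embedded `sampleRepositories` fragment is constructed data with placeholder advisory ids, not real alerts.

```go
package main

import (
	"encoding/json"
	"net/http"
	"sync"
	"time"
)

// repositories mirrors the `repositories` object of the GraphQL reply for a
// query selecting nameWithOwner and vulnerabilityAlerts (assumed schema shape).
type repositories struct {
	Nodes []struct {
		NameWithOwner       string `json:"nameWithOwner"`
		VulnerabilityAlerts struct {
			Nodes []struct {
				CreatedAt             time.Time  `json:"createdAt"`
				DismissedAt           *time.Time `json:"dismissedAt"` // null while the alert is open
				SecurityVulnerability struct {
					Severity string `json:"severity"`
					Package  struct {
						Ecosystem string `json:"ecosystem"`
						Name      string `json:"name"`
					} `json:"package"`
				} `json:"securityVulnerability"`
				SecurityAdvisory struct {
					GhsaID  string `json:"ghsaId"`
					Summary string `json:"summary"`
				} `json:"securityAdvisory"`
			} `json:"nodes"`
		} `json:"vulnerabilityAlerts"`
	} `json:"nodes"`
}

// Finding is one open alert flattened for the /report consumer.
type Finding struct {
	Repo, Ecosystem, Package, Severity, Advisory, Summary string
}

// Report is what /report returns: when it was produced, counts per severity, findings.
type Report struct {
	CheckedAt  time.Time      `json:"checkedAt"`
	BySeverity map[string]int `json:"bySeverity"`
	Findings   []Finding      `json:"findings"`
}

// buildReport flattens the reply, skipping alerts that have been dismissed.
func buildReport(raw []byte, now time.Time) (Report, error) {
	var repos repositories
	if err := json.Unmarshal(raw, &repos); err != nil {
		return Report{}, err
	}
	r := Report{CheckedAt: now, BySeverity: map[string]int{}, Findings: []Finding{}}
	for _, repo := range repos.Nodes {
		for _, a := range repo.VulnerabilityAlerts.Nodes {
			if a.DismissedAt != nil {
				continue
			}
			r.BySeverity[a.SecurityVulnerability.Severity]++
			r.Findings = append(r.Findings, Finding{
				Repo:      repo.NameWithOwner,
				Ecosystem: a.SecurityVulnerability.Package.Ecosystem,
				Package:   a.SecurityVulnerability.Package.Name,
				Severity:  a.SecurityVulnerability.Severity,
				Advisory:  a.SecurityAdvisory.GhsaID,
				Summary:   a.SecurityAdvisory.Summary,
			})
		}
	}
	return r, nil
}

// store holds the latest report in memory only, matching the README's note that
// results do not survive a restart. The RWMutex lets the scheduled check replace
// the report while HTTP handlers read it.
type store struct {
	mu     sync.RWMutex
	report *Report
}

func (s *store) set(r Report) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.report = &r
}

// reportHandler serves GET /report; it answers 503 until the first check has run.
func (s *store) reportHandler(w http.ResponseWriter, _ *http.Request) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if s.report == nil {
		http.Error(w, "no report yet", http.StatusServiceUnavailable)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(s.report)
}

// sampleRepositories is constructed test data: one open HIGH alert and one dismissed LOW alert.
const sampleRepositories = `{"nodes":[{"nameWithOwner":"my-org-name/svc","vulnerabilityAlerts":{"nodes":[
 {"createdAt":"2019-03-01T10:00:00Z","dismissedAt":null,
  "securityVulnerability":{"severity":"HIGH","package":{"ecosystem":"NPM","name":"lodash"}},
  "securityAdvisory":{"ghsaId":"GHSA-xxxx-xxxx-xxxx","summary":"placeholder advisory"}},
 {"createdAt":"2019-02-01T10:00:00Z","dismissedAt":"2019-02-02T10:00:00Z",
  "securityVulnerability":{"severity":"LOW","package":{"ecosystem":"GO","name":"example.com/dep"}},
  "securityAdvisory":{"ghsaId":"GHSA-yyyy-yyyy-yyyy","summary":"placeholder advisory"}}]}}]}`
```

Returning 503 rather than an empty report before the first check is the safer default for a monitor: a consumer polling `/report` can distinguish "nothing found" from "not checked yet", which matters because the report is rebuilt from scratch after every restart.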
Build with:

```sh
GOOS=linux GOARCH=amd64 go build -o ./bin/monitor cmd/monitor/main.go
```
Example manifest to run the update at 6am every day:

```yaml
applications:
  - name: github-vuln-monitor
    instances: 1
    memory: 256M
    buildpack: binary_buildpack
    command: ./bin/monitor
    env:
      GITHUB_ORG: <org>
      GITHUB_TEAM: <team-name>
      TOKEN: <redacted>
      CRONTAB: "0 6 * * *"
```
Copyright (c) 2019 Crown Copyright (Office for National Statistics)
Released under MIT license, see LICENSE for details.