diff --git a/.github/workflows/appinspect_cli.yml b/.github/workflows/appinspect_cli.yml index 23eda4d..4ed053d 100644 --- a/.github/workflows/appinspect_cli.yml +++ b/.github/workflows/appinspect_cli.yml @@ -20,6 +20,14 @@ jobs: steps: - uses: actions/checkout@v2 + - name: Set up Python 3.x + uses: actions/setup-python@v4 + with: + # Semantic version range syntax or exact version of a Python version + python-version: '3.9' + # Optional - x64 or x86 architecture, defaults to x64 + architecture: 'x64' + - name: Install deps uses: CultureHQ/actions-yarn@master with: @@ -52,7 +60,7 @@ jobs: slim package ./github_app_for_splunk - name: Run App Inspect CLI - uses: splunk/appinspect-cli-action@v1 + uses: splunk/appinspect-cli-action@v1.5 with: app_path: github_app_for_splunk-1.0.0.tar.gz included_tags: cloud, splunk_appinspect @@ -62,5 +70,3 @@ jobs: with: name: github_app_for_splunk-1.0.0.tar.gz path: ./github_app_for_splunk-1.0.0.tar.gz - - diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf index 5b492c2..8b79c0e 100644 --- a/github_app_for_splunk/default/props.conf +++ b/github_app_for_splunk/default/props.conf 
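Review bot: Both action references on the new side, `uses: actions/setup-python@v4` and `uses: splunk/appinspect-cli-action@v1.5`, are mutable tags, so the job runs whatever those tags resolve to on a given day; pinning to a full commit SHA with the tag kept as a trailing comment (`uses: splunk/appinspect-cli-action@<commit-sha> # v1.5`, placeholder) makes the workflow's dependencies reproducible and reviewable, and the untouched `actions/checkout@v2` and `CultureHQ/actions-yarn@master` context lines have the same issue. The added step is named `Set up Python 3.x` but pins `python-version: '3.9'`; either name the step after the version it installs or add a comment stating why 3.9 is required, and drop the two template comments (`# Semantic version range syntax or exact version of a Python version`, `# Optional - x64 or x86 architecture, defaults to x64`) which describe the action's input schema rather than this workflow's choice. Whitespace is collapsed in this rendering, so the indentation of the new step relative to `- uses: actions/checkout@v2` cannot be verified here.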
@@ -55,7 +55,8 @@ EVAL-asset_uploader_login = if(isnotnull('release.assets{}.uploader.login'), 're
 EVAL-assigned_reviewers = if(isnotnull('pull_request.requested_reviewers{}.login'), 'pull_request.requested_reviewers{}.login', null())
 EVAL-assigned_user = if(isnotnull('issue.assignee.login'), 'issue.assignee.login', 'assignee.login')
 EVAL-branch = if(('ref_type'=="branch" AND 'ref'!=""), 'ref', if(isnotnull('commit_branch'), 'ref', null()))
-EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", ""))
+EVAL-body = "Secrete Leakage: ".'alert.secret_type'
+EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", if(isnotnull(secret_type), "secret", "")))
 EVAL-closed_date = if(isnotnull('issue.closed_at'), 'issue.closed_at', null())
 EVAL-commit_branch = if((isnull('commit_branch') AND isnotnull('pull_request.head.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.head.ref', if((isnull('commit_branch') AND isnotnull('pull_request.base.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.base.ref', if((isnull('commit_branch') AND isnotnull('ref')), 'ref', 'commit_branch')))
 EVAL-commit_files_added = if(isnotnull('commits{}.added{}'), 'commits{}.added{}', null())
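Review bot: `+EVAL-body = "Secrete Leakage: ".'alert.secret_type'` misspells the label that will be shown in every notable event built from this field; it should read `EVAL-body = "Secret Leakage: ".'alert.secret_type'`, and the same misspelled string is repeated in `EVAL-description` in the following hunk. The new branch in EVAL-category reads the aliased `secret_type` while EVAL-body reads `'alert.secret_type'` directly; using the alias in both keeps the secret-scanning fields tied to the single FIELDALIAS-secret definition added later in this commit. If, as I understand eval's null handling, concatenating an absent field yields null, body stays empty for non-secret events, which looks intended but deserves a one-line comment above the setting so the next maintainer does not "fix" it.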
@@ -71,6 +72,7 @@ EVAL-commits_message_list = if(isnotnull('commits{}.message'), 'commits{}.messag
 EVAL-commits_timestamp_list = if(isnotnull('commits{}.timestamp'), 'commits{}.timestamp', null())
 EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
 EVAL-current_push = if(isnotnull('after'), 'after', null())
+EVAL-description = "Secrete Leakage: ".'alert.secret_type'
 EVAL-dvc = replace(host, ":\d+", "")
 EVAL-earliest_commit_author_user = if(isnotnull(mvindex('commits{}.author.username', 0)), mvindex('commits{}.author.username', 0) , null())
 EVAL-earliest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', ""))
@@ -79,6 +81,7 @@ EVAL-earliest_commit_message = if(isnotnull(mvindex('commits{}.message', 0)), mv
 EVAL-files_added = if(isnotnull('commits{}.added{}'), 'commits{}.added{}', null())
 EVAL-files_modified = if(isnotnull('commits{}.modified{}'), 'commits{}.modified{}', null())
 EVAL-files_removed = if(isnotnull('commits{}.removed{}' ), 'commits{}.removed{}' , null())
+EVAL-id = organization."/".repository_name."/".'alert.number'
 EVAL-issue_assignees = if('issue.assignees{}.login'!="", 'issue.assignees{}.login', null)
 EVAL-issue_assigned_date = if("issue.updated_at"!="" AND action="assigned", 'issue.updated_at', null())
 EVAL-issue_description = if(isnotnull('issue.body'), 'issue.body', null())
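Review bot: `+EVAL-id = organization."/".repository_name."/".'alert.number'` in the second hunk depends on `organization`, which FIELDALIAS-RepoAlias derives from `organization.login`; for repositories owned by a user account that field is absent and, as far as I can tell from eval's null handling, the whole concatenation becomes null, leaving the alert without an id to correlate or deduplicate on. Falling back to the owner keeps the id stable in both cases: `EVAL-id = coalesce(organization, 'repository.owner.login')."/".repository_name."/".'alert.number'`. The field is also computed for every event carrying `alert.number`, not only secret-scanning alerts, so existing Dependabot and code-scanning events gain an id as well; if that is intended, a comment above the line saying so would help.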
@@ -117,7 +120,8 @@ EVAL-repository_organization = if(isnotnull('organization.login'), 'organization
 EVAL-result = "success"
 EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null())
 EVAL-review_state = if(isnotnull('review.state'), 'review.state', null())
-EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, true==true, 1)
+EVAL-severity = if(isnotnull(secret_type),"critical","")
+EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, isnotnull(secret_type),4, true=true, 1)
 EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
 EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null())
 EVAL-status_current = if(action=="deleted", "deleted", 'issue.state')
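Review bot: `+EVAL-severity = if(isnotnull(secret_type),"critical","")` writes an empty string for every non-secret event, and since a calculated field with the same name as an aliased field replaces it (as I understand Splunk's field-processing order), the `alert.severity` value that FIELDALIAS-dependabot exposes as `severity` is lost for Dependabot alerts; keeping the existing value in the fallback avoids that: `EVAL-severity = if(isnotnull(secret_type), "critical", severity)`. The severity_id line is unaffected because calculated fields do not see each other, which is exactly why the added `isnotnull(secret_type),4` branch is needed, and that reasoning is worth a comment above the two lines. The default branch `true=true` compares a field named true with itself if bare identifiers are read as field names, as they are elsewhere in eval; `1=1`, which EVAL-signature already uses, or `true()` is unambiguous.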
@@ -128,6 +132,7 @@ EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_lo
 # Field Aliases
 FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user
 FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
+FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user
 FIELDALIAS-user = actor AS user
 FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository
 # Field Extractions
diff --git a/github_app_for_splunk/default/tags.conf b/github_app_for_splunk/default/tags.conf
index 85417e1..b4a35e8 100644
--- a/github_app_for_splunk/default/tags.conf
+++ b/github_app_for_splunk/default/tags.conf
@@ -46,6 +46,12 @@ code = enabled release = enabled github = enabled +[eventtype=GitHub%3A%3ASecretScanning] +report = enabled +secret = enabled +alert = disabled +vulnerability = enabled + [eventtype=github%3Aenterprise%3Aauthentication] authentication = enabled pFad - Phonifier reborn
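Review bot: `+FIELDALIAS-secret = "alert.html_url" AS url ...` maps a second source field onto `url`, which FIELDALIAS-dependabot already fills from `alert.external_reference`; the two only coexist because secret-scanning payloads presumably lack external_reference, so a comment above the line naming the event types this alias targets would stop a later change from silently letting one alias win over the other. In the tags.conf hunk the new `[eventtype=GitHub%3A%3ASecretScanning]` stanza sets `alert = disabled` next to `vulnerability = enabled` and `report = enabled`; disabling a tag that no stanza visible here enables is a no-op unless it is meant to keep these events out of an Alerts data model, which deserves a comment, and the stanza presumes an eventtype `GitHub::SecretScanning` that this diff does not define. The tags hunk is collapsed in this rendering, so its blank context lines and the exact end of the hunk cannot be verified.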
