From bd3437d70937696c88d9fd6d25d4262656ea4e23 Mon Sep 17 00:00:00 2001
From: Doug Erkkila
Date: Mon, 9 Jan 2023 10:46:48 -0500
Subject: [PATCH 1/6] Update props.conf
Added new entries to props.conf to include fields for Secret Scanning DM.
---
 github_app_for_splunk/default/props.conf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
index 5b492c2..8b79c0e 100644
--- a/github_app_for_splunk/default/props.conf
+++ b/github_app_for_splunk/default/props.conf
@@ -55,7 +55,8 @@ EVAL-asset_uploader_login = if(isnotnull('release.assets{}.uploader.login'), 're
 EVAL-assigned_reviewers = if(isnotnull('pull_request.requested_reviewers{}.login'), 'pull_request.requested_reviewers{}.login', null())
 EVAL-assigned_user = if(isnotnull('issue.assignee.login'), 'issue.assignee.login', 'assignee.login')
 EVAL-branch = if(('ref_type'=="branch" AND 'ref'!=""), 'ref', if(isnotnull('commit_branch'), 'ref', null()))
-EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", ""))
+EVAL-body = "Secrete Leakage: ".'alert.secret_type'
+EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", if(isnotnull(secret_type), "secret", "")))
 EVAL-closed_date = if(isnotnull('issue.closed_at'), 'issue.closed_at', null())
 EVAL-commit_branch = if((isnull('commit_branch') AND isnotnull('pull_request.head.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.head.ref', if((isnull('commit_branch') AND isnotnull('pull_request.base.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.base.ref', if((isnull('commit_branch') AND isnotnull('ref')), 'ref', 'commit_branch')))
 EVAL-commit_files_added = if(isnotnull('commits{}.added{}'), 'commits{}.added{}', null())
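Review bot: `EVAL-body = "Secrete Leakage: ".'alert.secret_type'` misspells the user-facing prefix ("Secret Leakage: ") and is evaluated for every event in this stanza, not just secret-scanning alerts, whereas the neighbouring EVAL-category change guards on isnotnull(secret_type); the same guard belongs here: `EVAL-body = if(isnotnull('alert.secret_type'), "Secret Leakage: ".'alert.secret_type', null())`. Note that the `secret_type` name EVAL-category tests is only available because field aliases are applied before calculated fields; it comes from the FIELDALIAS-secret alias added in a later hunk, and calculated fields in the same stanza cannot see each other's output. A stanza-level comment such as `# secret_type, category and severity for secret_scanning_alert events depend on FIELDALIAS-secret; keep the alias and these evals in sync` would make that dependency explicit.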
@@ -71,6 +72,7 @@ EVAL-commits_message_list = if(isnotnull('commits{}.message'), 'commits{}.messag
 EVAL-commits_timestamp_list = if(isnotnull('commits{}.timestamp'), 'commits{}.timestamp', null())
 EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
 EVAL-current_push = if(isnotnull('after'), 'after', null())
+EVAL-description = "Secrete Leakage: ".'alert.secret_type'
 EVAL-dvc = replace(host, ":\d+", "")
 EVAL-earliest_commit_author_user = if(isnotnull(mvindex('commits{}.author.username', 0)), mvindex('commits{}.author.username', 0) , null())
 EVAL-earliest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', ""))
@@ -79,6 +81,7 @@ EVAL-earliest_commit_message = if(isnotnull(mvindex('commits{}.message', 0)), mv
 EVAL-files_added = if(isnotnull('commits{}.added{}'), 'commits{}.added{}', null())
 EVAL-files_modified = if(isnotnull('commits{}.modified{}'), 'commits{}.modified{}', null())
 EVAL-files_removed = if(isnotnull('commits{}.removed{}' ), 'commits{}.removed{}' , null())
+EVAL-id = organization."/".repository_name."/".'alert.number'
 EVAL-issue_assignees = if('issue.assignees{}.login'!="", 'issue.assignees{}.login', null)
 EVAL-issue_assigned_date = if("issue.updated_at"!="" AND action="assigned", 'issue.updated_at', null())
 EVAL-issue_description = if(isnotnull('issue.body'), 'issue.body', null())
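Review bot: `EVAL-id = organization."/".repository_name."/".'alert.number'` is not qualified by alert type, so a secret-scanning alert and a code-scanning alert with the same number in the same repository collide on `id` if both payloads carry `alert.number` (GitHub's code-scanning webhook does), even though this stanza already distinguishes the two with EVAL-category; the expression is also unconditional, so it overwrites any existing `id` on every event in the stanza. Gating it and folding the category into the key gives a stable, unique identifier: `EVAL-id = if(isnotnull(secret_type), organization."/".repository_name."/secret/".'alert.number', null())`. The `EVAL-description` line in the first hunk repeats the "Secrete Leakage: " typo introduced in EVAL-body and should read "Secret Leakage: ".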
@@ -117,7 +120,8 @@ EVAL-repository_organization = if(isnotnull('organization.login'), 'organization
 EVAL-result = "success"
 EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null())
 EVAL-review_state = if(isnotnull('review.state'), 'review.state', null())
-EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, true==true, 1)
+EVAL-severity = if(isnotnull(secret_type),"critical","")
+EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, isnotnull(secret_type),4, true=true, 1)
 EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
 EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null())
 EVAL-status_current = if(action=="deleted", "deleted", 'issue.state')
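Review bot: `EVAL-severity = if(isnotnull(secret_type),"critical","")` writes an empty string to `severity` for every event that is not a secret-scanning alert, which clobbers the `alert.severity` value that the FIELDALIAS-dependabot alias supplies for code-scanning alerts, since a calculated field overwrites an existing field of the same name. Falling back to the field's current value, the pattern EVAL-commit_branch already uses with 'commit_branch', keeps the alias intact: `EVAL-severity = if(isnotnull(secret_type),"critical",'severity')`. The rewritten EVAL-severity_id keeps `true=true` as its catch-all; unquoted `true` is read by eval as a field name rather than a boolean literal, so if no such field exists the comparison never holds and the default of 1 is never produced — `1=1, 1`, the form EVAL-signature already uses two lines below, is the reliable spelling.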
@@ -128,6 +132,7 @@ EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_lo
 # Field Aliases
 FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user
 FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
+FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user
 FIELDALIAS-user = actor AS user
 FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository
 # Field Extractions
From ab5fbcc2fbb9ada6ab6a31889cfa747910c4ccfd Mon Sep 17 00:00:00 2001
From: Doug Erkkila
Date: Mon, 9 Jan 2023 10:48:51 -0500
Subject: [PATCH 2/6] Update tags.conf
Added SecretScanning event type
---
 github_app_for_splunk/default/tags.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/github_app_for_splunk/default/tags.conf b/github_app_for_splunk/default/tags.conf
index 85417e1..b4a35e8 100644
--- a/github_app_for_splunk/default/tags.conf
+++ b/github_app_for_splunk/default/tags.conf
@@ -46,6 +46,12 @@ code = enabled
 release = enabled
 github = enabled
+[eventtype=GitHub%3A%3ASecretScanning]
+report = enabled
+secret = enabled
+alert = disabled
+vulnerability = enabled
+
 [eventtype=github%3Aenterprise%3Aauthentication]
 authentication = enabled
From 4b8adbc8ac5a8ca632c281ce5b52022697bd21be Mon Sep 17 00:00:00 2001
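Review bot: `FIELDALIAS-secret` aliases `"alert.html_url" AS url` and `"repository.owner.login" AS user` in a stanza where FIELDALIAS-dependabot already aliases `"alert.external_reference" AS url` and the same owner login `AS user`, and FIELDALIAS-user aliases `actor AS user`; when more than one alias targets the same field name the outcome is not something to rely on — depending on the Splunk version the target either becomes multivalued or one alias silently wins, and a CIM `url` consumer expects a single value. Giving the secret-specific source its own name avoids the clash: `FIELDALIAS-secret = "alert.html_url" AS secret_alert_url "alert.secret_type" AS secret_type`, leaving `url` and `user` to the existing aliases, or use ASNEW as FIELDALIAS-RepoAlias does if the original field must survive. The `user` mapping is worth a comment either way, since `repository.owner.login` is the repository owner, not the actor who triggered the alert, and a reader of the Vulnerabilities data model will assume the latter.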
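Review bot: The new `[eventtype=GitHub%3A%3ASecretScanning]` stanza tags an eventtype that none of the six patches in this series defines, so unless eventtypes.conf already contains a `GitHub::SecretScanning` stanza these tags never attach and the secret-scanning events never reach the Vulnerabilities data model the `report`/`vulnerability` tags are meant to feed. If the eventtype is added elsewhere, a one-line comment above the stanza naming where it is defined and the webhook event it matches, e.g. `# GitHub::SecretScanning (eventtypes.conf): secret_scanning_alert webhook events`, would keep the two files traceable. `alert = disabled` next to `vulnerability = enabled` is an explicit choice that deserves a short note on why these alerts are excluded from the Alerts data model.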
From: Doug Erkkila Date: Tue, 10 Jan 2023 10:51:50 -0500 Subject: [PATCH 3/6] Update appinspect_cli.yml Trying to force python 3.9 --- .github/workflows/appinspect_cli.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/appinspect_cli.yml b/.github/workflows/appinspect_cli.yml index 23eda4d..a5874cb 100644 --- a/.github/workflows/appinspect_cli.yml +++ b/.github/workflows/appinspect_cli.yml @@ -16,6 +16,9 @@ on: jobs: inspect: runs-on: ubuntu-latest + strategy: + matrix: + python-version: ["3.9"] steps: - uses: actions/checkout@v2 @@ -62,5 +65,3 @@ jobs: with: name: github_app_for_splunk-1.0.0.tar.gz path: ./github_app_for_splunk-1.0.0.tar.gz - - From 7bdc4f048de83673b340281b9e03c0259d696c56 Mon Sep 17 00:00:00 2001 From: Doug Erkkila Date: Tue, 10 Jan 2023 10:56:55 -0500 Subject: [PATCH 4/6] Update appinspect_cli.yml --- .github/workflows/appinspect_cli.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/appinspect_cli.yml b/.github/workflows/appinspect_cli.yml index a5874cb..b085b56 100644 --- a/.github/workflows/appinspect_cli.yml +++ b/.github/workflows/appinspect_cli.yml @@ -16,13 +16,18 @@ on: jobs: inspect: runs-on: ubuntu-latest - strategy: - matrix: - python-version: ["3.9"] steps: - uses: actions/checkout@v2 + - name: Set up Python 3.x + uses: actions/setup-python@v4 + with: + # Semantic version range syntax or exact version of a Python version + python-version: '3.9' + # Optional - x64 or x86 architecture, defaults to x64 + architecture: 'x64' + - name: Install deps uses: CultureHQ/actions-yarn@master with: From e91d30c9c0dadbe2396be70cb5c0fd5cc1d7fad3 Mon Sep 17 00:00:00 2001 From: Doug Erkkila Date: Tue, 10 Jan 2023 11:14:22 -0500 Subject: [PATCH 5/6] Update appinspect_cli.yml --- .github/workflows/appinspect_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
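Review bot: The new `actions/setup-python@v4` step, like the surrounding `actions/checkout@v2` and `CultureHQ/actions-yarn@master` context lines, references a mutable tag or branch, so a moved tag or a compromised upstream silently changes the code that packages and inspects this app before it is published. Pin each action to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/setup-python@<commit-sha> # v4`, and treat the third-party `CultureHQ/actions-yarn@master` the same way in a follow-up, since `master` is the weakest reference of the three. The copied template comments `# Semantic version range syntax or exact version of a Python version` and `# Optional - x64 or x86 architecture, defaults to x64` restate the action's input docs; a single comment stating why 3.9 is forced (the commit message only says "Trying to force python 3.9") would be more useful to the next person who has to bump it.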
diff --git a/.github/workflows/appinspect_cli.yml b/.github/workflows/appinspect_cli.yml index b085b56..5534df6 100644 --- a/.github/workflows/appinspect_cli.yml +++ b/.github/workflows/appinspect_cli.yml @@ -60,7 +60,7 @@ jobs: slim package ./github_app_for_splunk - name: Run App Inspect CLI - uses: splunk/appinspect-cli-action@v1 + uses: splunk/appinspect-cli-action@v1.6 with: app_path: github_app_for_splunk-1.0.0.tar.gz included_tags: cloud, splunk_appinspect From 0bef0803efd2adaedefbffce8e92274cfc7437e1 Mon Sep 17 00:00:00 2001 From: Doug Erkkila Date: Tue, 10 Jan 2023 11:35:34 -0500 Subject: [PATCH 6/6] Update appinspect_cli.yml --- .github/workflows/appinspect_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/appinspect_cli.yml b/.github/workflows/appinspect_cli.yml index 5534df6..4ed053d 100644 --- a/.github/workflows/appinspect_cli.yml +++ b/.github/workflows/appinspect_cli.yml @@ -60,7 +60,7 @@ jobs: slim package ./github_app_for_splunk - name: Run App Inspect CLI - uses: splunk/appinspect-cli-action@v1.6 + uses: splunk/appinspect-cli-action@v1.5 with: app_path: github_app_for_splunk-1.0.0.tar.gz included_tags: cloud, splunk_appinspect pFad - Phonifier reborn
