https://github.com/richlamdev/aws-dependabot-slack-team-reporter
https://github.com/richlamdev/aws-dependabot-slack-team-reporter
Last synced: about 1 year ago
JSON representation
- Host: GitHub
- URL: https://github.com/richlamdev/aws-dependabot-slack-team-reporter
- Owner: richlamdev
- License: mit
- Created: 2025-06-04T05:30:59.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-06-04T22:08:58.000Z (about 1 year ago)
- Last Synced: 2025-06-05T02:58:39.818Z (about 1 year ago)
- Language: Python
- Size: 9.77 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# AWS Dependabot Slack Team Reporter
## ๐งฉ Overview
This setup deploys a Lambda that performs the following tasks:
1. Utilizes a GitHub App for authentication
2. Reads repositories to parse `.github/CODEOWNERS`
-in the absence of CODEOWNERS file, the `security team` becaomes the default
(this is to have the security team track down and assign appropriate ownership)
3. Obtains a list of non-archived repositories
4. Fetches Dependabot alerts for each repository
5. Posts alerts to Slack channels based on team ownership
---
## ๐ฆ Design
This architecture is templated for two lambda deployments that are nearly identical. Why?
1. Allows for convenient deployment in the same AWS account, without conflicts of resource names
2. Enables deploying two lambdas for different GitHub organizations,
---
## ๐ Deployment
### Prerequisites
- AWS CLI and [AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-sam-cli.html)
- GitHub App credentials stored in **AWS Secrets Manager**
Preferably all Github repositories have the ./github/CODEOWNERS file populated
- Slack Webhook URLs mapped to team names
***Note**: The GitHub App must have the `metadata: read`, `contents: read` and `dependabot: read` permission
### 1. Clone the repo
```
git clone https://github.com/richlamdev/aws-dependabot-slack-team-reporter.git
cd aws-dependabot-slack-team-reporter
```
### 2. Set environment variables
Set the following Parameter variable in the template file, or change it when prompted during guided deployment
- `GitHubOrg` โ Your GitHub organization name
Set the following values in AWS Secrets manager:
- `GITHUB_APP_ID` โ GitHub App ID
- `GITHUB_APP_PEM` โ GitHub App PEM key
- `TEAM_TO_CHANNEL` โ JSON map of team slugs to Slack webhook URLs
After setting the above values in AWS Secrets manager, replace the placeholder ARNs in the template.yaml file
Example `SLACK_TEAM_MAPPING`:
```json
{
"frontend": "https://hooks.slack.com/services/XXX/YYY/ZZZ",
"backend": "https://hooks.slack.com/services/AAA/BBB/CCC",
"security": "https://hooks.slack.com/services/DEF/GHI/JKL"
}
```
While it is possible to have the GITHUB_APP_ID and GITHUB_APP_SECRET_NAME in the same secret as a JSON blob,
it involves additional steps to format the PEM correctly for storage as well as parse the PEM key accordingly
during retrieval. By keeping it a separate secret it's a straight forward copy and paste to store the key,
and likewise keeps the retrieval simple.
### 3. Deploy with AWS SAM
Authenticate to AWS via CLI.
Enter the appropriate directory for deployment
```
cd deployments/staging
```
or
```
cd deployments/production
```
Then execute the following commands:
```
sam build
sam deploy --guided
```
Follow the prompts to configure the deployment stack, region, and parameters.
Optionally, monitor the CloudFormation stack in the AWS Management Console.
When the stack is complete, you can find the Lambda function ARN in the Outputs section.
Verify the environment variable, the Lambda role, and Eventbridge schedule and test the lambda.
Check the CloudWatch logs for errors and verify any updates to the Slack channels.
---
## ๐ ๏ธ Configuration
The Lambda uses the following AWS resources:
- **Secrets Manager** for storing GitHub App private key
- **EventBridge** cron for scheduling scans
- **Policies** with minimal required permissions
- **Tags** to indicate ownership and deployment or resources. (Who doesn't tag their resources? /sarcasm)
GitHub App must have these permissions:
- `metadata: read`
- `contents: read`
- `dependabot: read`
---
## ๐งช Testing
You can test the Lambda functions locally using the SAM CLI (docker desktop or docker engine must be running):
```
sam build && sam local invoke DependabotFunction
```
---
## ๐ Project Structure
```
.
โ
โโโ deployments/
โ โ
โ โโโ production/
โ โ โโโ template.yaml # Production account template
โ โ
โ โโโ staging/
โ โโโ template.yaml # Staging account template
โ
โโโ src/
โโโ dependabot-slack-team.py # Entrypoint for scheduled Lambda
โโโ requirements.txt # Python dependencies
```
---
## ๐ฅ Contributing
Pull requests are welcome! For major changes, please open an issue first to discuss the proposal.
---
## ๐ก License
[MIT](LICENSE)
---
## ๐ฌ Maintainer
Created by [@richlamdev](https://github.com/richlamdev)