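---
name: Security Alert Monitoring

on:  # yamllint disable-line rule:truthy
  schedule:
    # Run weekly on Sundays to avoid conflicts and reduce resource usage
    - cron: "0 8 * * 0"
  workflow_dispatch:
    inputs:
      fail_on_issues:
        description: "Fail workflow on security issues"
        required: false
        default: true
        type: boolean
  push:
    branches: [main]
    paths:
      - "simplenote_mcp/**"
      - ".github/workflows/**"
      - "pyproject.toml"

env:
  # Presumably consumed by .github/scripts/monitor-security-alerts.py —
  # confirm against the script. GITHUB_REPOSITORY_OWNER is already a default
  # runner variable; GITHUB_-prefixed names are reserved, so verify these
  # overrides are actually visible to the script.
  GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
  GITHUB_REPOSITORY_NAME: ${{ github.event.repository.name }}

jobs:
  security-monitoring:
    name: Monitor Security Alerts
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # Least privilege: this job only reads alerts; nothing in it writes.
    permissions:
      contents: read
      security-events: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Run security alert monitoring
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # `--no-fail` is only meaningful for manual runs. The bare expression
        # `inputs.fail_on_issues == false` is also true on schedule/push, where
        # `inputs.fail_on_issues` is null and GitHub's loose comparison casts
        # both null and false to 0 — every scheduled run was silently
        # downgraded to non-failing, so notify-on-critical could never fire.
        # Gate the flag on the event name.
        run: |
          python .github/scripts/monitor-security-alerts.py \
            ${{ github.event_name == 'workflow_dispatch' && inputs.fail_on_issues == false && '--no-fail' || '' }}

      - name: Upload security report
        # !cancelled() rather than always(): still upload after a failed
        # monitoring step, but skip the upload when the run was cancelled.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: security-alert-report
          # The report may contain alert details; artifacts are visible to
          # anyone with read access to the repository.
          path: security_alert_report_*.md
          retention-days: 30

      - name: Comment on PR if security issues found
        # Dormant until a `pull_request` trigger is added: this workflow has no
        # such trigger, and the original `github.event_name == 'push'` condition
        # could never satisfy the script's own pull_request guard, so the step
        # was unreachable. When enabling it, also grant `pull-requests: write`
        # to this job — createComment needs it.
        if: failure() && github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // Pick the first report file found (not necessarily the latest)
            const files = fs.readdirSync('.');
            const reportFile = files.find(f => f.startsWith('security_alert_report_'));
            if (reportFile) {
              const reportContent = fs.readFileSync(reportFile, 'utf8');
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: `## 🚨 Security Alert Detected\n\n${reportContent}\n\n---\n*This comment was automatically generated by the Security Monitoring workflow.*`
              });
            }

  notify-on-critical:
    name: Notify on Critical Issues
    needs: security-monitoring
    # A reusable workflow is called at job level; `steps[].uses` only accepts
    # actions, so the original step-level `uses: ./.github/workflows/...`
    # would fail when the runner looked for an action at that path.
    # Job-level failure() is true when security-monitoring failed.
    if: failure() && github.event_name == 'schedule'
    permissions:
      contents: read
    uses: ./.github/workflows/notifications.yml
    # Add `secrets: inherit` here if notifications.yml needs repository
    # secrets (e.g. a webhook) — confirm against that workflow's inputs.
    with:
      status: "failure"
      title: "🚨 Critical Security Alert Detected"
      message: "Security monitoring detected critical issues in ${{ github.repository }}. Immediate attention required."
      workflow_url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"

  update-security-baseline:
    name: Update Security Baseline
    runs-on: ubuntu-latest
    needs: security-monitoring
    # Only record a clean baseline when the monitor was allowed to fail: a
    # manual run with fail_on_issues=false passes `--no-fail`, so success()
    # alone would have written "No active security alerts" while alerts
    # were still open.
    if: success() && github.event_name == 'workflow_dispatch' && inputs.fail_on_issues == true
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5

      - name: Update security baseline
        # Rewrite the baseline of known fixed alerts from scratch.
        run: |
          cat > SECURITY_BASELINE.md <<EOF
          # Security Baseline - $(date)

          This file tracks the security baseline for the repository.
          Last updated: $(date)

          ## Current Status
          - No active security alerts
          - Security monitoring: ✅ PASSING
          EOF

      - name: Create Pull Request
        # Third-party action running with `contents: write`: pin it to a full
        # commit SHA (peter-evans/create-pull-request@<commit-sha>  # v7) so a
        # moved tag cannot change what executes here.
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "📊 Update security baseline"
          title: "Update Security Baseline"
          body: |
            ## Security Baseline Update
            This PR updates the security baseline after successful security monitoring.
            ### Changes
            - Updated security baseline timestamp
            - Confirmed no active security alerts
            ### Verification
            - ✅ Security monitoring passed
            - ✅ No regressions detected
            - ✅ All critical fixes maintained
            ---
            *This PR was automatically created by the Security Monitoring workflow.*
          branch: security/update-baseline
          delete-branch: true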