A tool for regularly querying vulnerabilities detected by 3rd party tools and reporting them back to your teams

underdog-tech/vulnbot

Vulnbot

This project aspires to be a bot that pulls security and vulnerability alerts from all the data sources you have and reports them out to the appropriate systems for your teams.

Our currently supported data sources are:

  • GitHub (Dependabot)

Our currently supported reporting systems are:

  • Console
  • Slack
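The core loop described above, pulling alerts from a data source and turning them into something a reporter can post, as an added example that is not vulnbot's own code. It takes the repository nodes of a GitHub GraphQL organization.repositories query together with each repository's vulnerabilityAlerts connection (the field names follow GitHub's schema; which fields vulnbot actually queries is an assumption, as are the repository names and placeholder GHSA ids in the constructed sample), keeps only alerts in state OPEN, ranks repositories worst first, and renders the one-line-per-repository summary a console or Slack reporter would emit.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

var severities = []string{"CRITICAL", "HIGH", "MODERATE", "LOW"}

// alert is the subset of a GraphQL RepositoryVulnerabilityAlert the report
// needs; which fields vulnbot fetches is an assumption, extra fields are ignored.
type alert struct {
	State                 string `json:"state"` // OPEN, DISMISSED, FIXED, AUTO_DISMISSED
	SecurityVulnerability struct {
		Severity string `json:"severity"`
	} `json:"securityVulnerability"`
}

// repoNode is one node of organization.repositories with its alerts connection.
type repoNode struct {
	Name                string `json:"name"`
	VulnerabilityAlerts struct {
		Nodes []alert `json:"nodes"`
	} `json:"vulnerabilityAlerts"`
}

// repoSummary is one repository's count of OPEN alerts per severity.
type repoSummary struct {
	Repo   string
	Counts map[string]int
	Total  int
}

// summarize decodes the repository nodes and returns, worst repository first,
// those with at least one OPEN alert; dismissed and fixed alerts are skipped.
func summarize(raw []byte) ([]repoSummary, error) {
	var repos []repoNode
	if err := json.Unmarshal(raw, &repos); err != nil {
		return nil, fmt.Errorf("decode repository nodes: %w", err)
	}
	var out []repoSummary
	for _, repo := range repos {
		s := repoSummary{Repo: repo.Name, Counts: map[string]int{}}
		for _, a := range repo.VulnerabilityAlerts.Nodes {
			if a.State == "OPEN" {
				s.Counts[a.SecurityVulnerability.Severity]++
				s.Total++
			}
		}
		if s.Total > 0 {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		for _, sev := range severities {
			if out[i].Counts[sev] != out[j].Counts[sev] {
				return out[i].Counts[sev] > out[j].Counts[sev]
			}
		}
		return out[i].Repo < out[j].Repo
	})
	return out, nil
}

// render formats summaries as the one-line-per-repo text a reporter would post.
func render(summaries []repoSummary) string {
	var b strings.Builder
	for _, s := range summaries {
		fmt.Fprintf(&b, "%s: %d open", s.Repo, s.Total)
		for _, sev := range severities {
			if n := s.Counts[sev]; n > 0 {
				fmt.Fprintf(&b, " %s=%d", strings.ToLower(sev), n)
			}
		}
		b.WriteString("\n")
	}
	return b.String()
}

// sampleNodes is constructed for offline use; names and GHSA ids are placeholders.
const sampleNodes = `[
 {"name":"web-frontend","vulnerabilityAlerts":{"nodes":[
  {"state":"OPEN","securityVulnerability":{"severity":"HIGH","package":{"name":"example-lib"},"advisory":{"ghsaId":"GHSA-xxxx-xxxx-xxx1"}}},
  {"state":"DISMISSED","securityVulnerability":{"severity":"CRITICAL","package":{"name":"other-lib"},"advisory":{"ghsaId":"GHSA-xxxx-xxxx-xxx2"}}}]}},
 {"name":"payments-api","vulnerabilityAlerts":{"nodes":[
  {"state":"OPEN","securityVulnerability":{"severity":"CRITICAL","package":{"name":"example-gem"},"advisory":{"ghsaId":"GHSA-xxxx-xxxx-xxx3"}}},
  {"state":"OPEN","securityVulnerability":{"severity":"LOW","package":{"name":"example-go"},"advisory":{"ghsaId":"GHSA-xxxx-xxxx-xxx4"}}},
  {"state":"FIXED","securityVulnerability":{"severity":"HIGH","package":{"name":"old-lib"},"advisory":{"ghsaId":"GHSA-xxxx-xxxx-xxx5"}}}]}},
 {"name":"docs","vulnerabilityAlerts":{"nodes":[]}}]`

func main() {
	summaries, err := summarize([]byte(sampleNodes))
	if err != nil {
		panic(err)
	}
	fmt.Print(render(summaries))
}
```

Running it prints payments-api ahead of web-frontend and omits docs entirely. Alerts that are DISMISSED or FIXED are deliberately dropped: a bot that re-pages teams about findings they have already triaged trains them to ignore it. In the real tool the nodes come over the network using the GitHub token described under Getting Started; the sample here stands in for that response so the logic can be exercised offline.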

Getting Started

To get started, first set up a .env file with the following:

SLACK_AUTH_TOKEN=insert_slack_token_here
GITHUB_TOKEN=insert_github_token_here
GITHUB_ORG=github_org_name

The env.example file can be used as a template for this. The .env file holds live credentials, so keep it out of version control and give each token only the access it needs.

The GitHub token will need the following scopes: public_repo, read:org, read:user, and security_events. security_events is the scope that covers reading Dependabot alerts; the others let the bot enumerate the organization and its repositories.

You will then want to construct a config.toml, an example for which can be found in config.example.toml.

Once these files are in place, simply run go run . or go build . && ./vulnbot!

Alternatively, you can run this in Docker:

docker build . -t vulnbot
docker run --env-file .env -v "$(pwd)/config.toml:/app/config.toml:ro" vulnbot

Passing the credentials with --env-file keeps them out of the image layers, and mounting config.toml read-only (and by absolute path, which every Docker version accepts for bind mounts) means the container cannot alter its own configuration.

Building and running a Docker image would be helpful if, for example, you wanted to run this as part of a regularly scheduled CI/CD job. In that setting, inject SLACK_AUTH_TOKEN and GITHUB_TOKEN from the CI system's secret store rather than committing a .env file alongside the config.

Documentation

At the moment, our documentation consists primarily of developer and architecture docs. These can be found in the docs/ folder, as well as at https://pkg.go.dev/github.com/underdog-tech/vulnbot.