Secret Scanning Scripts - List Resolved Alerts and Change Resolved Alerts Back to Open (#97)

* checks commit sizes for entire repo and specific hash

* feat: add descriptions for git-commit-analyzer.sh and git-repo-commit-analyzer.sh scripts

* feat: add scripts to manage GitHub secret scanning alerts

* docs: add secret scanning scripts to readme

---------

Co-authored-by: Josh Johanning <[email protected]>

Author: mickeygousset

scripts/README.md

@@ -78,6 +78,10 @@ Docs:
 - [Generating an installation access token for a GitHub App](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app#generating-an-installation-access-token)
 - [List installations for the authenticated app](https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#list-installations-for-the-authenticated-app)
 
+## get-list-of-resolved-secret-scanning-alerts.sh
+
+This script retrieves and lists all resolved secret scanning alerts for a specified GitHub repository. It uses the GitHub API to fetch the alerts and displays them in a tabular format.
+
 ## get-new-outside-collaborators-added-to-repository.sh
 
 This script will generate a list of new outside collaborators added to a repository. It uses a database file specified to determine if any new users were added to the repository and echo them to the console for review.
@@ -135,6 +139,10 @@ These are scripts used with [`multi-gitter`](https://github.com/lindell/multi-gi
 
 See: [recreate-security-in-repositories-and-teams](./recreate-security-in-repositories-and-teams/README.md)
 
+## set-secret-scanning-alert-to-open-state.sh
+
+This script reopens a resolved secret scanning alert in a specified GitHub repository and optionally adds a comment.
+
 ## update-codeowners-mappings.js
 
 Update CODEOWNERS mappings of teams in a GitHub repository (e.g.: after a migration if the team/org names change). This script will update the CODEOWNERS file in a GitHub repository with the mappings provided in the `codeowners-mappings.csv` file.

scripts/get-list-of-resolved-secret-scanning-alerts.sh

@@ -0,0 +1,129 @@
+#!/bin/bash
+
+# -----------------------------------------------------------------------------
+# Script Name: get-list-of-resolved-secret-scanning-alerts.sh
+# Description: This script retrieves and lists all resolved secret scanning 
+#              alerts for a specified GitHub repository. It uses the GitHub API 
+#              to fetch the alerts and displays them in a tabular format.
+#
+# Usage:
+#   ./get-list-of-resolved-secret-scanning-alerts.sh -o <organization> -r <repository> [-t <token>]
+#
+# Parameters:
+#   -o <organization>  GitHub organization name (required)
+#   -r <repository>    GitHub repository name (required)
+#   -t <token>         GitHub personal access token (optional, will use GITHUB_TOKEN 
+#                      environment variable if not provided)
+#   -h                 Display help message
+#
+# Requirements:
+#   - curl: Command-line tool for making HTTP requests
+#   - jq: Command-line JSON processor
+#
+# Notes:
+#   - The script supports pagination to handle repositories with a large number 
+#     of resolved alerts.
+#   - The GitHub token must have the necessary permissions to access secret 
+#     scanning alerts for the specified repository.
+# -----------------------------------------------------------------------------
+
+# Function to display usage information
+function display_usage {
+    echo "Usage: $0 -o <organization> -r <repository> [-t <token>]"
+    echo "  -o <organization>  GitHub organization name"
+    echo "  -r <repository>    GitHub repository name" 
+    echo "  -t <token>         GitHub personal access token (optional, will use GITHUB_TOKEN env var if not provided)"
+    echo "  -h                 Display this help message"
+    exit 1
+}
+
+# Parse command line arguments
+while getopts "o:r:t:h" opt; do
+    case ${opt} in
+        o ) org_name=$OPTARG ;;  # GitHub organization name
+        r ) repo_name=$OPTARG ;; # GitHub repository name
+        t ) github_token=$OPTARG ;; # GitHub personal access token
+        h ) display_usage ;; # Display help message
+        \? ) display_usage ;; # Handle invalid options
+    esac
+done
+
+# Check if required parameters are provided
+if [ -z "$org_name" ] || [ -z "$repo_name" ]; then
+    echo "Error: Organization name and repository name are required."
+    display_usage
+fi
+
+# If token not provided as argument, try to use GITHUB_TOKEN environment variable
+if [ -z "$github_token" ]; then
+    github_token=$GITHUB_TOKEN
+    if [ -z "$github_token" ]; then
+        echo "Error: GitHub token not provided. Either provide it with -t option or set the GITHUB_TOKEN environment variable."
+        exit 1
+    fi
+fi
+
+# Set API URL for secret scanning alerts with state=resolved
+api_url="https://api.github.com/repos/$org_name/$repo_name/secret-scanning/alerts?state=resolved&per_page=100"
+page=1
+total_alerts=0
+
+# Display header for the output table
+echo "Retrieving resolved secret scanning alerts for $org_name/$repo_name..."
+echo "--------------------------------------------------------------------"
+echo "| Alert ID | Created At | Resolved At | Secret Type | Resolution |"
+echo "--------------------------------------------------------------------"
+
+# Loop through paginated results
+while true; do
+    # Make API request
+    response=$(curl -s -H "Authorization: token $github_token" \
+                    -H "Accept: application/vnd.github.v3+json" \
+                    -H "X-GitHub-Api-Version: 2022-11-28" \
+                    "$api_url&page=$page")
+    
+    # Check if response contains error
+    if echo "$response" | grep -q "message"; then
+        error_message=$(echo "$response" | grep -o '"message":"[^"]*' | cut -d'"' -f4)
+        echo "Error: $error_message"
+        exit 1
+    fi
+    
+    # Check if response is empty array
+    if [ "$response" = "[]" ]; then
+        break
+    fi
+    
+    # Count the number of alerts in this page and add to total
+    page_alerts=$(echo "$response" | jq '. | length')
+    total_alerts=$((total_alerts + page_alerts))
+    
+    # Process and display alerts
+    echo "$response" | jq -r '.[] | [.number, .created_at, .resolved_at, .secret_type, .resolution] | @tsv' | 
+    while read -r alert_id created_at resolved_at secret_type resolution; do
+        # Format dates for better readability
+        created_date=$(date -d "$created_at" "+%Y-%m-%d %H:%M" 2>/dev/null || echo "$created_at")
+        resolved_date=$(date -d "$resolved_at" "+%Y-%m-%d %H:%M" 2>/dev/null || echo "$resolved_at")
+        
+        printf "| %-8s | %-19s | %-19s | %-20s | %-10s |\n" \
+               "$alert_id" "$created_date" "$resolved_date" "$secret_type" "$resolution"
+    done
+    
+    # Check if there are more pages
+    link_header=$(curl -s -I -H "Authorization: token $github_token" \
+                       -H "Accept: application/vnd.github.v3+json" \
+                       -H "X-GitHub-Api-Version: 2022-11-28" \
+                       "$api_url&page=$page" | grep -i "link:")
+    
+    if ! echo "$link_header" | grep -q 'rel="next"'; then
+        break
+    fi
+    
+    ((page++))
+done
+
+# Display footer and total count
+echo "--------------------------------------------------------------------"
+echo "Total resolved secret scanning alerts found: $total_alerts"
+echo ""
+echo "Note: This script requires 'curl' and 'jq' to be installed."

scripts/set-secret-scanning-alert-to-open-state.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# -----------------------------------------------------------------------------
+# Script Name: set-secret-scanning-alert-to-open-state.sh
+# Description: This script reopens a resolved secret scanning alert in a 
+#              specified GitHub repository and optionally adds a comment.
+#
+# Usage:
+#   ./set-secret-scanning-alert-to-open-state.sh -o <organization> -r <repository> -a <alert_id> [-c <comment>] [-t <token>]
+#
+# Parameters:
+#   -o <organization>  GitHub organization name (required)
+#   -r <repository>    GitHub repository name (required)
+#   -a <alert_id>      Secret scanning alert ID (required)
+#   -c <comment>       Comment to add when reopening the alert (optional)
+#   -t <token>         GitHub personal access token (optional, will use GITHUB_TOKEN 
+#                      environment variable if not provided)
+#   -h                 Display help message
+#
+# Requirements:
+#   - curl: Command-line tool for making HTTP requests
+#   - jq: Command-line JSON processor
+#
+# Notes:
+#   - The GitHub token must have the necessary permissions to update secret 
+#     scanning alerts for the specified repository.
+# -----------------------------------------------------------------------------
+
+# Function to display usage information
+function display_usage {
+    echo "Usage: $0 -o <organization> -r <repository> -a <alert_id> [-c <comment>] [-t <token>]"
+    echo "  -o <organization>  GitHub organization name"
+    echo "  -r <repository>    GitHub repository name"
+    echo "  -a <alert_id>      Secret scanning alert ID"
+    echo "  -c <comment>       Comment to add when reopening the alert (optional)"
+    echo "  -t <token>         GitHub personal access token (optional, will use GITHUB_TOKEN env var if not provided)"
+    echo "  -h                 Display this help message"
+    exit 1
+}
+
+# Parse command line arguments
+while getopts "o:r:a:c:t:h" opt; do
+    case ${opt} in
+        o ) org_name=$OPTARG ;;  # GitHub organization name
+        r ) repo_name=$OPTARG ;; # GitHub repository name
+        a ) alert_id=$OPTARG ;;  # Secret scanning alert ID
+        c ) comment=$OPTARG ;;   # Optional comment
+        t ) github_token=$OPTARG ;; # GitHub personal access token
+        h ) display_usage ;;     # Display help message
+        \? ) display_usage ;;    # Handle invalid options
+    esac
+done
+
+# Check if required parameters are provided
+if [ -z "$org_name" ] || [ -z "$repo_name" ] || [ -z "$alert_id" ]; then
+    echo "Error: Organization name, repository name, and alert ID are required."
+    display_usage
+fi
+
+# If token not provided as argument, try to use GITHUB_TOKEN environment variable
+if [ -z "$github_token" ]; then
+    github_token=$GITHUB_TOKEN
+    if [ -z "$github_token" ]; then
+        echo "Error: GitHub token not provided. Either provide it with -t option or set the GITHUB_TOKEN environment variable."
+        exit 1
+    fi
+fi
+
+# Set API URL for the specific secret scanning alert
+api_url="https://api.github.com/repos/$org_name/$repo_name/secret-scanning/alerts/$alert_id"
+
+# Make API request to update the alert's state to "open"
+response=$(curl -s -X PATCH -H "Authorization: token $github_token" \
+                -H "Accept: application/vnd.github.v3+json" \
+                -H "X-GitHub-Api-Version: 2022-11-28" \
+                -d "{\"state\": \"open\", \"resolution_comment\": \"$comment\"}" \
+                "$api_url")
+
+# Check if the response contains an error
+if echo "$response" | grep -q "message"; then
+    error_message=$(echo "$response" | grep -o '"message":"[^"]*' | cut -d'"' -f4)
+    echo "Error: $error_message"
+    exit 1
+fi
+
+# Confirm the state change
+new_state=$(echo "$response" | jq -r '.state')
+if [ "$new_state" == "open" ]; then
+    echo "Success: Secret scanning alert $alert_id has been changed to 'open'."
+else
+    echo "Error: Failed to change the state of alert $alert_id to 'open'."
+    exit 1
+fi