Vellere: exposing Github vulnerability notifications to Slack

May 24, 2019

Python Tools 

Originally posted at https://tech.labs.oliverwyman.com/blog/2019/05/24/vellere/

A few years ago, Github introduced vulnerability alerts on repositories and although it was initially just for Javascript and Ruby, they’ve since expanded it to Python, Java and .Net and I’m guessing more languages are also on their roadmap. It’s a useful feature, except for one problem: it’s notifications are poorly implemented. They appear to admins of a repository, only when you log in to Github, and there’s no easy way to look over an entire organisation. As a result, I find myself mostly ignoring them. Every so often I trawl through and do some updates, but I’ve been wondering how to make this more usable. There’s an email notification mechanism in there, but at that point I’m again likely to ignore them. So, how can I share the pain? How can I get everyone on my project team looking at things like this?

So I made Vellere, a tool for browsing the security vulnerabilities in your repositories, with the option to send notifications to Slack. Given you’ve probably (we certainly do) got at least one Slack channel for each active project, telling it about the project channel means that everyone gets told ASAP when new vulnerabilities turn up. It uses a combination of the Github GraphQL API for periodic polling, plus webhooks to be notified at the time of vulnerability discovery. It also keeps track of the resolved vulnerabilities, which given the Github UI has a tendency to just delete them once they’ve been resolved is helpful to know they weren’t just some sort of weird software mirage.

There’s a live version currently running on my Wharf instance, or you can go and get the source and make your own.

Previously: AWS Lambda and Actix: easy conversion of small web apps into serverless