Initial version.

Author: achton

.gitignore

@@ -0,0 +1,2 @@
+vendor/
+docker-compose.override.yml

Dockerfile

@@ -0,0 +1,15 @@
+# -----------------
+FROM composer:1.9 AS build-env
+
+COPY . /opt/ghsec-jira/
+
+WORKDIR /opt/ghsec-jira
+
+RUN composer install --prefer-dist --no-dev
+
+# -----------------
+FROM php:7.3.12-alpine
+
+COPY --from=build-env /opt/ghsec-jira/ /opt/ghsec-jira/
+
+ENTRYPOINT ["/opt/ghsec-jira/bin/ghsec-jira", "sync"]

README.md

@@ -1,2 +1,77 @@
 # github-security-jira
-Github Action for integrating Security Alerts with JIRA
+GitHub Action for mapping security alerts to Jira tickets.
+
+
+## Setup
+
+You need the following pieces set up to sync alerts with Jira:
+
+1. Two repo secrets containing a GitHub access token and a Jira API token, respectively.
+2. A workflow file which runs the action on a schedule, continually creating new tickets when necessary.
+
+
+### Repo secrets
+The `reload/github-security-jira` action requires you to [create two encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets#creating-encrypted-secrets) in the repo:
+
+1. A secret called `GitHubSecurityToken` which should contain a [Personal Access Token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) for the GitHub user under which this action should be executed. The token must include the `public_repo` scope if checking only public repos, or the `repo` scope for use on private repos. Also, the user must have [access to security alerts in the repo](https://help.github.com/en/github/managing-security-vulnerabilities/managing-alerts-for-vulnerable-dependencies-in-your-organization).
+2. A secret called `JiraApiToken` containing an [API Token](https://confluence.atlassian.com/cloud/api-tokens-938839638.html) for the Jira user that should be used to create tickets.
+
+
+### Workflow file setup
+The [GitHub workflow file](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/configuring-a-workflow#creating-a-workflow-file) should reside in any repo where you want to sync security alerts with Jira.
+
+It has some required and some optional settings, which are passed to the action as environment variables:
+
+- `GH_SECURITY_TOKEN`: A reference to the repo secret `GitHubSecurityToken` (**REQUIRED**)
+- `JIRA_TOKEN`: A reference to the repo secret `JiraApiToken` (**REQUIRED**)
+- `JIRA_HOST`: The endpoint for your Jira instance, e.g. https://foo.atlassian.net (**REQUIRED**)
+- `JIRA_USER`: The ID of the Jira user which is associated with the 'JiraApiToken' secret, eg '[email protected]' (**REQUIRED**)
+- `JIRA_PROJECT`: The project key for the Jira project where issues should be created, eg `TEST` or `ABC`. (**REQUIRED**)
+- `JIRA_ISSUE_TYPE`: Type of issue to create, e.g. `Security`. Defaults to `Bug`. (*Optional*)
+- `JIRA_WATCHERS`: Jira users to add as watchers to tickets. Use the [YAML block scalar literal style indicator with stripping chomping indicator](https://yaml-multiline.info/) (pipe and dash: `|-`) to add multiple watchers. (*Optional*)
+- `JIRA_RESTRICTED_GROUP`: If set, the action will add a restricted comment to the ticket, viewable by only this Jira group. (*Optional*)
+- `JIRA_RESTRICTED_COMMENT`: The comment to post. Use the YAML multiline operator for adding linebreaks to the comment. (*Optional, but required if group is set*)
+
+Here is an example setup which runs this action every 15 mins.
+
+```yaml
+name: GitHub Security Alerts for Jira
+
+on:
+  schedule:
+    - cron: '*/15 * * * *'
+
+jobs:
+  syncSecurityAlerts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Sync security alerts to Jira issues"
+        uses: reload/[email protected]
+        env:
+          GH_SECURITY_TOKEN: ${{ secrets.GitHubSecurityToken }}
+          JIRA_TOKEN: ${{ secrets.JiraApiToken }}
+          JIRA_HOST: https://foo.atlassian.net
+          JIRA_USER: [email protected]
+          JIRA_PROJECT: ABC
+          JIRA_ISSUE_TYPE: Security
+          JIRA_WATCHERS: |-
+            [email protected]
+            [email protected]
+          JIRA_RESTRICTED_GROUP: Developers
+          JIRA_RESTRICTED_COMMENT: |-
+            Remember to evaluate severity here and set ticket priority.
+            Check out the guide [in our wiki|https://foo.atlassian.net/wiki/]!
+```
+
+
+## Local development
+
+Copy `docker-composer.override.example.yml` to `docker-composer.override.yml` and edit according to your settings.
+
+After that, you can execute the Symfony console app like so:
+
+```
+docker-compose run --rm ghsec-jira --verbose --dry-run
+```
+
+Remove the `--dry-run` option to actually create issues in Jira.

action.yaml

@@ -0,0 +1,12 @@
+name: 'Sync GitHub Security Alerts with Jira'
+description: 'Synchronize the current repo alert state with JIRA and creates tickets accordingly.'
+author: 'reload'
+outputs:
+  result:
+    description: 'A string summarizing actions performed'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+branding:
+  icon: 'rotate-cw'
+  color: 'green'

bin/ghsec-jira

@@ -0,0 +1,18 @@
+#!/usr/bin/env php
+<?php
+
+require __DIR__.'/../vendor/autoload.php';
+
+use Symfony\Component\Console\Application;
+use GitHubSecurityJira\SyncCommand;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+$application = new Application('ghsec-jira');
+$command = new SyncCommand();
+
+$application->add($command);
+$application->setDefaultCommand('sync');
+$application->run();

composer.json

@@ -0,0 +1,17 @@
+{
+    "name": "reload/github-security-jira",
+    "description": "Create Jira tickets for GitHub security alerts",
+    "license": "MIT",
+    "require": {
+        "php": ">=7.2.0",
+        "lesstif/php-jira-rest-client": "^1",
+        "softonic/graphql-client": "^1.2",
+        "symfony/console": "^4",
+        "symfony/yaml": "^5.0"
+    },
+    "autoload": {
+        "psr-4": {
+            "GitHubSecurityJira\\": "src/"
+        }
+    }
+}