diff --git a/.github/actions/appinspect_publish/Dockerfile b/.github/actions/appinspect_publish/Dockerfile
new file mode 100644
index 0000000..ded4720
--- /dev/null
+++ b/.github/actions/appinspect_publish/Dockerfile
@@ -0,0 +1,14 @@
+# Container image that runs your code
+FROM python:3-slim AS builder
+
+# Copies your code file from your action repository to the filesystem path `/` of the container
+ADD . /app
+WORKDIR /app
+
+RUN pip install --target=/app requests
+
+# Code file to execute when the docker container starts up (`entrypoint.sh`)
+FROM gcr.io/distroless/python3-debian10
+COPY --from=builder /app /app
+ENV PYTHONPATH /app
+CMD ["/app/publish.py"]
\ No newline at end of file
diff --git a/.github/actions/appinspect_publish/README.md b/.github/actions/appinspect_publish/README.md
new file mode 100644
index 0000000..99a7635
--- /dev/null
+++ b/.github/actions/appinspect_publish/README.md
@@ -0,0 +1,21 @@
+# Hello world javascript action
+
+This action prints "Hello World" or "Hello" + the name of a person to greet to the log.
+
+## Inputs
+
+## `who-to-greet`
+
+**Required** The name of the person to greet. Default `"World"`.
+
+## Outputs
+
+## `time`
+
+The time we greeted you.
+
+## Example usage
+
+uses: actions/hello-world-javascript-action@v1.1
+with:
+  who-to-greet: 'Mona the Octocat'
\ No newline at end of file
diff --git a/.github/actions/appinspect_publish/action.yml b/.github/actions/appinspect_publish/action.yml
new file mode 100644
index 0000000..7644449
--- /dev/null
+++ b/.github/actions/appinspect_publish/action.yml
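Review bot: Nothing in this image is pinned: `FROM python:3-slim` and `FROM gcr.io/distroless/python3-debian10` float with whatever the registry serves, and `RUN pip install --target=/app requests` pulls the latest requests and its transitive dependencies at every build, so the code that receives the Splunkbase password changes without any commit to this repository. Pin both base images by tag or digest and the package as `requests==<pinned version>` (a requirements file with hashes is better still), and add `--no-cache-dir`. A related hazard is that pip resolves dependencies for the builder's interpreter, whereas the runtime stage presumably runs Debian 10's own Python (3.7); if a transitive dependency drops support for that version the import fails only at run time, so the builder should be pinned to the same interpreter series as the runtime image. `ADD . /app` should be `COPY . /app` (ADD's archive-extraction and URL behaviour is not wanted here), and the two template comments about copying to "`/`" and "`entrypoint.sh`" no longer describe this file and should be rewritten or dropped.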
@@ -0,0 +1,30 @@
+name: 'Hello World'
+description: 'Greet someone and record the time'
+inputs:
+  APP_ID:
+    description: 'App ID From Splunkbase'
+    required: true
+    default: '5596'
+  SPLUNK_USERNAME:
+    description: 'Splunkbase Username'
+    required: true
+  SPLUNK_PASSWORD:
+    description: 'Splunkbase Password'
+    required: true
+  APP_FILE:
+    description: 'The name of the file, for example "my_package.tar.gz".'
+    required: true
+  SPLUNK_VERSION:
+    description: 'The Splunk version(s) that the release is compatible with. For example, "6.7,7.0".'
+    required: true
+  VISIBILITY:
+    description: 'true = The release is to be visible upon package validation success. false = if the release is to be hidden.'
+    required: false
+    default: 'false'
+  CIM_VERSIONS:
+    description: 'The CIM version(s) that the release is compatible with. For example, "4.9,4.7".'
+    required: false
+    default: ''
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
\ No newline at end of file
diff --git a/.github/actions/appinspect_publish/publish.py b/.github/actions/appinspect_publish/publish.py
new file mode 100644
index 0000000..8b8adcb
--- /dev/null
+++ b/.github/actions/appinspect_publish/publish.py
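Review bot: `name: 'Hello World'` and `description: 'Greet someone and record the time'` are leftovers from the template and misdescribe an action that uploads a package to Splunkbase with account credentials; something like `name: 'Splunkbase publish'` and `description: 'Upload a package as a new release of a Splunkbase app'` tells a workflow author what they are granting secrets to. The `APP_FILE` description says "the name of the file", but the script opens the value as a path and the workflow in this same commit passes `./dist/github_app_for_splunk.spl`, so the description should say path. Shipping `default: '5596'` on `APP_ID` bakes one specific app into an otherwise reusable action and makes an accidental publish to the wrong app one omitted input away; I would drop the default and keep `required: true`. It is also worth a one-line comment on `SPLUNK_PASSWORD` that inputs reach the container as plain `INPUT_*` environment variables and must only ever be supplied from `${{ secrets.* }}`, never as a literal.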
@@ -0,0 +1,35 @@
+import os
+import requests
+from requests.auth import HTTPBasicAuth
+
+APP_ID= os.environ['INPUT_APP_ID']
+filepath = os.environ['INPUT_APP_FILE']
+SPLUNK_USERNAME = os.environ['INPUT_SPLUNK_USERNAME']
+SPLUNK_PASSWORD = os.environ['INPUT_SPLUNK_PASSWORD']
+SPLUNK_VERSION = os.environ['INPUT_SPLUNK_VERSION']
+VISIBILITY = os.environ['INPUT_VISIBILITY']
+CIM_VERSIONS = os.environ['INPUT_CIM_VERSIONS']
+
+api_path = 'https://splunkbase.splunk.com/api/v1/app/{}/new_release'.format(APP_ID)
+
+auth = HTTPBasicAuth(SPLUNK_USERNAME, SPLUNK_PASSWORD)
+
+files = {
+    'files[]': open(filepath, 'rb'),
+    'filename': (None, os.path.basename(filepath)),
+    'splunk_versions': (None, SPLUNK_VERSION),
+    'visibility': (None, VISIBILITY),
+    'cim_versions': (None, CIM_VERSIONS)
+}
+
+response = requests.post(api_path, files=files, auth=auth)
+
+print(response.status_code)
+print(response.text)
+
+# if status code is not 200, print the response text
+if response.status_code != 200:
+    response.raise_for_status()
+    exit(response.status_code)
+else:
+    exit(0)
diff --git a/.github/workflows/appinspect_api.yml b/.github/workflows/appinspect_api.yml
index 8a6f02b..cd12212 100644
--- a/.github/workflows/appinspect_api.yml
+++ b/.github/workflows/appinspect_api.yml
@@ -51,3 +51,11 @@ jobs:
         env:
           GHR_PATH: ./dist/github_app_for_splunk.spl
           GITHUB_TOKEN: ${{ secrets.API_TOKEN }}
+      - name: Hello world action step
+        uses: ./.github/actions/appinspect_publish # Uses an action in the root directory
+        with:
+          APP_ID: '5596'
+          APP_FILE: './dist/github_app_for_splunk.spl'
+          SPLUNK_USERNAME: ${{ secrets.SPLUNKBASE_USER }}
+          SPLUNK_PASSWORD: ${{ secrets.SPLUNKBASE_PASSWORD }}
+          SPLUNK_VERSION: '8.0,8.1'
diff --git a/.github/workflows/appinspect_cli.yml b/.github/workflows/appinspect_cli.yml
index c0c0e6c..23eda4d 100644
--- a/.github/workflows/appinspect_cli.yml
+++ b/.github/workflows/appinspect_cli.yml
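Review bot: The exit logic at the end of the script treats every status other than exactly 200 as failure, but `response.raise_for_status()` only raises for 4xx/5xx, so a 201/202 (or any other 2xx the API might return for an accepted upload) falls through to `exit(response.status_code)` and fails the job after the release was in fact submitted; accept the whole 2xx range, and use `sys.exit` rather than the `site`-provided `exit` helper. `requests.post(api_path, files=files, auth=auth)` has no `timeout`, so a stalled connection to Splunkbase holds the runner until the job-level timeout, and the `open(filepath, 'rb')` inside the `files` dict is never closed. The comment `# if status code is not 200, print the response text` is also wrong: the body is printed unconditionally two lines earlier, which is fine for diagnostics but should be stated as such. The rewritten tail below (with `import sys` added at the top) fixes all three.

```python
# … unchanged: reading INPUT_* environment variables, api_path, auth …

# Keep the package handle scoped to the upload so it is closed on every path.
with open(filepath, 'rb') as package:
    files = {
        'files[]': package,
        'filename': (None, os.path.basename(filepath)),
        'splunk_versions': (None, SPLUNK_VERSION),
        'visibility': (None, VISIBILITY),
        'cim_versions': (None, CIM_VERSIONS)
    }
    # (connect, read) timeout: a stalled Splunkbase call must not hang the runner.
    response = requests.post(api_path, files=files, auth=auth, timeout=(10, 300))

# Always echo status and body so a failed validation is diagnosable from the job log.
print(response.status_code)
print(response.text)

# 4xx/5xx raise with the body attached; any other non-2xx is still a failed publish.
response.raise_for_status()
sys.exit(0 if 200 <= response.status_code < 300 else 1)
```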
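Review bot: The new publish step has no `if:` guard, so every run of this job that reaches it creates a new Splunkbase release with the `SPLUNKBASE_USER`/`SPLUNKBASE_PASSWORD` credentials; the workflow's `on:` block is outside this hunk, but unless the whole job is already restricted to release events, a gate such as `if: github.event_name == 'release'` (or `startsWith(github.ref, 'refs/tags/')`, whichever matches the release flow) belongs on this step. The step name `Hello world action step` and the `# Uses an action in the root directory` comment are template leftovers and should name what the step does, e.g. `- name: Publish package to Splunkbase`. `APP_ID: '5596'` repeats the action's own default; keep it here (explicit is better for a publish) and drop the default from the action, rather than carrying the same magic number in two places. The enclosing job starts before this hunk.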
@@ -62,3 +62,5 @@ jobs: with: name: github_app_for_splunk-1.0.0.tar.gz path: ./github_app_for_splunk-1.0.0.tar.gz + + diff --git a/.gitignore b/.gitignore index 2d3f6b3..11a4e9c 100644 --- a/.gitignore +++ b/.gitignore @@ -114,7 +114,6 @@ out # Nuxt.js build / generate output .nuxt -dist # Gatsby files .cache/ diff --git a/docs/github_webhooks.MD b/docs/github_webhooks.MD index 140d3ae..cd21373 100644 --- a/docs/github_webhooks.MD +++ b/docs/github_webhooks.MD @@ -69,5 +69,14 @@ Once that is complete and webhooks are triggering, you'll want to update the mac Code scanning alerts Alerts identified by CodeQL and other 3rd party/OSS scanning tools. - + +GitHub::VulnerabilityAlert +Repository vulnerability alerts +Dependabot alert (aka dependency vulnerability alert) created, resolved, or dismissed on a repository. + + +GitHub::SecretScanning +Secret scanning alerts +Secrets scanning alert created, resolved, or reopened. + diff --git a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml index f76d40b..80a681f 100644 --- a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml +++ b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml @@ -168,7 +168,7 @@ Resolved Alert Count - | search status IN("dismiss","resolve","closed_by_user","fixed")| stats count + | search status IN("dismiss","resolve","resolved","closed_by_user","fixed")| stats count diff --git a/github_app_for_splunk/default/eventtypes.conf b/github_app_for_splunk/default/eventtypes.conf index 08ab58f..a0aa6a9 100644 --- a/github_app_for_splunk/default/eventtypes.conf +++ b/github_app_for_splunk/default/eventtypes.conf 
@@ -35,9 +35,10 @@ search = `github_webhooks` action IN ("submitted","edited","dismissed") pull_req
 search = `github_webhooks` after=* before=* "commits{}.id"=* ref=* "pusher.name"=*
 
 [GitHub::Release]
-search = `github_webhooks` action IN ("released","published") release.id=*
+search = `github_webhooks` action IN ("released","published", "created", "prereleased") release.id=*
 
 [GitHub::Release::Push]
+color = et_blue
 search = `github_webhooks` after=* before=* ref=refs/tags*
 
 [GitHub::Repo]
@@ -47,7 +48,7 @@ search = `github_webhooks` action IN ("created","deleted","archived","unarchived
 search = `github_webhooks` action IN ("created", "resolved") "alert.secret_type"=*
 
 [GitHub::VulnerabilityAlert]
-search = `github_webhooks` action IN ("create", "dismiss", "resolve") "alert.external_identifier"=*
+search = `github_webhooks` action IN ("create", "dismiss", "resolve") "alert.external_identifier"=* affected_package_name=*
 
 [GitHub::Workflow]
 search = `github_webhooks` workflow.id=* action IN("requested","completed")
@@ -57,3 +58,6 @@ search = `github_webhooks` workflow_job.id=* action IN("queued","in_progress","c
 
 [github:enterprise:authentication]
 search = `github_source` sourcetype=GithubEnterpriseServerAuditLog app=* authentication_service=* signature=*
+
+[github_fork]
+search = `github_json` is_fork="true" src_user_type=User
diff --git a/github_app_for_splunk/default/tags.conf b/github_app_for_splunk/default/tags.conf
index 1eece52..151b071 100644
--- a/github_app_for_splunk/default/tags.conf
+++ b/github_app_for_splunk/default/tags.conf
@@ -18,3 +18,7 @@ vulnerability = enabled
 
 [eventtype=github%3Aenterprise%3Aauthentication]
 authentication = enabled
+
+[eventtype=github_fork]
+audit = enabled
+change = enabled
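Review bot: The new term `affected_package_name=*` on the `[GitHub::VulnerabilityAlert]` search is written without the `alert.` prefix that the existing term on the same line uses (`"alert.external_identifier"=*`); unless a field alias for it exists elsewhere in the app (not visible here), the intended field is presumably `"alert.affected_package_name"=*`, and as written the eventtype matches nothing, which silently empties the `vulnerability` tag and the resolved-alert count this commit also touches. Even with the right name, adding a required field narrows the eventtype: any alert payload in which that field is absent or not extracted drops out of the eventtype without any error, so this deserves a comment explaining why the extra field is needed, e.g. `# affected_package_name is required so that only dependency (Dependabot) alerts, not other alert.* payloads, match`.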
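Review bot: The new stanza `[github_fork]` introduces a third naming style into a file whose webhook eventtypes are `GitHub::Name` and whose audit-log one is `github:enterprise:authentication`, and it also uses a different base macro (`github_json`) from the `github_webhooks`/`github_source` macros used by every other stanza, with no comment saying which data source it covers. If the fork events come from the webhook feed the stanza should be `[GitHub::Fork]` over `github_webhooks` for consistency (with the matching `[eventtype=GitHub%3A%3AFork]` in tags.conf); if they genuinely come from a different source, keep the name but add a line such as `# fork events arrive via the github_json (REST/JSON) input, not the webhook feed` so the next reader does not "fix" it. Since the eventtype is tagged `audit`/`change`, it is also worth noting in that comment that `src_user_type=User` deliberately excludes forks created by organisations or bots, if that is the intent.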