Immediate notifications for critical vulnerabilities

[mheadd]

Can you tell me more about how the "Immediate notifications for critical vulnerabilities" aspect to the automated workflows works?

How Critical Vulnerability Notifications Work

Vulnerability Detection Triggers

The system detects critical vulnerabilities through multiple pathways:

Daily Security Scans (security.yml):

schedule:
  - cron: '0 6 * * *'  # Runs every day at 6 AM UTC

Immediate Scanning on code changes:

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

Critical Threshold Detection

The workflow automatically fails when critical vulnerabilities are found:

# From the security workflow
npm audit --audit-level=info --json > current-vulnerabilities.json

# Count critical and high severity issues
critical_count=$(jq '.metadata.vulnerabilities.critical // 0' current-vulnerabilities.json)
high_count=$(jq '.metadata.vulnerabilities.high // 0' current-vulnerabilities.json)

# Immediate failure if thresholds exceeded
if [ "$critical_count" -gt 0 ] || [ "$high_count" -gt 5 ]; then
  echo "🚨 CRITICAL: $critical_count critical vulnerabilities detected!"
  echo "🚨 HIGH: $high_count high severity vulnerabilities detected!"
  exit 1  # This fails the entire workflow
fi

Automatic Notification Mechanisms

When critical vulnerabilities are detected, several notification mechanisms activate:

GitHub Actions Failure Notifications

• Workflow failure automatically triggers GitHub's built-in notification system
• Repository watchers receive immediate email notifications
• GitHub status badges turn red, alerting visitors

Issue Auto-Creation (in dependency management workflow):

- name: Create security issue
  if: failure()
  uses: actions/github-script@v7
  with:
    script: |
      github.rest.issues.create({
        owner: context.repo.owner,
        repo: context.repo.repo,
        title: '🚨 Critical Security Vulnerabilities Detected',
        body: `Critical vulnerabilities found in dependencies...`,
        labels: ['security', 'critical', 'dependencies']
      })

Team/Organization Notifications:

- name: Notify security team
  if: failure()
  run: |
    echo "🚨 SECURITY ALERT: Critical vulnerabilities detected"
    echo "Repository: ${{ github.repository }}"
    echo "Workflow: ${{ github.workflow }}"
    echo "Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"

Government-Specific Alert Features

For government agencies, the workflow includes special alerting considerations:

Compliance Alert Levels:

# Different alert levels for government compliance
if [ "$critical_count" -gt 0 ]; then
  echo "🚨 LEVEL 1 ALERT: Immediate action required"
  echo "🏛️ Government agencies must address immediately"
  echo "📋 ATO (Authority to Operate) may be at risk"
elif [ "$high_count" -gt 3 ]; then
  echo "⚠️ LEVEL 2 ALERT: Review required within 24 hours"
fi

Security Review Requirements:

- name: Government security review required
  if: failure()
  run: |
    echo "🏛️ This failure requires government security team review"
    echo "📋 Update ATO documentation if vulnerabilities affect production"
    echo "🔒 Consider temporary service restrictions if critical"

Integration with External Systems

The workflows can be extended to integrate with government security systems:

Slack/Teams Integration (configurable):

- name: Notify via Slack
  if: failure()
  uses: 8398a7/action-slack@v3
  with:
    status: failure
    text: '🚨 Critical vulnerabilities detected in USAi API client'
  env:
    SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Email Notifications (via GitHub Actions):

- name: Send email alert
  if: failure()
  uses: dawidd6/action-send-mail@v3
  with:
    server_address: smtp.agency.gov
    subject: '🚨 CRITICAL: Security vulnerabilities in USAi API'
    to: security-team@agency.gov

Immediate Response Workflow

When critical vulnerabilities are detected, the system:

• Immediately fails the workflow (within seconds of detection)
• Blocks any deployments (prevents vulnerable code from being released)
• Creates detailed reports with vulnerability information
• Generates remediation guidance specific to the detected issues
• Updates security dashboards and compliance tracking

Real-World TimelineFor a government agency using this system:

• 0-2 minutes: Vulnerability detected during daily 6 AM scan
• 2-3 minutes: Workflow fails, notifications triggered
• 3-5 minutes: Security team receives alerts via multiple channels
• 5-10 minutes: Detailed vulnerability report available
• Immediate: All deployments blocked until resolution

This ensures that critical security issues are detected and communicated to the appropriate government security personnel within minutes of discovery, enabling rapid response to protect sensitive government systems and data.