scitex_security.github

GitHub Security Alerts Module

Fetches and processes security alerts from GitHub.

Collaborator injection

Per the SciTeX no-mocks rule (PA-306), the production callables that talk to external collaborators (the subprocess module, and the in-module _run_gh_command/check_gh_auth/get_*_alerts helpers) accept keyword-only overrides defaulting to the real module globals. Tests pass real hand-rolled fakes; production code does not pass anything.

Functions

check_gh_auth(*[, run])

Check if GitHub CLI is authenticated.

check_github_alerts([repo, auth_check, ...])

Check all GitHub security alerts.

format_alerts_report(alerts)

Format alerts into a readable text report.

get_code_scanning_alerts([repo, gh_runner])

Get code scanning alerts.

get_dependabot_alerts([repo, gh_runner])

Get Dependabot vulnerability alerts.

get_latest_alerts_file([security_dir])

Get path to the latest security alerts file.

get_secret_alerts([repo, gh_runner])

Get secret scanning alerts.

save_alerts_to_file(alerts[, output_dir, ...])

Save alerts to a timestamped file.

Exceptions

GitHubSecurityError

Raised when GitHub security operations fail.

exception scitex_security.github.GitHubSecurityError[source]

Raised when GitHub security operations fail.

scitex_security.github.check_gh_auth(*, run=None)[source]

Check if GitHub CLI is authenticated.

Parameters:

run (Optional[Callable]) – subprocess.run-shaped callable. Defaults to the real subprocess.run. Override in tests.

Return type:

bool

scitex_security.github.get_secret_alerts(repo=None, *, gh_runner=None)[source]

Get secret scanning alerts.

Parameters:
  • repo (Optional[str]) – Repository in format ‘owner/repo’. If None, uses current repo.

  • gh_runner (Optional[Callable[[List[str]], str]]) – _run_gh_command-shaped callable. Defaults to _run_gh_command(). Override in tests.

Return type:

List[Dict]

Returns:

List of secret scanning alerts

scitex_security.github.get_dependabot_alerts(repo=None, *, gh_runner=None)[source]

Get Dependabot vulnerability alerts.

Parameters:
  • repo (Optional[str]) – Repository in format ‘owner/repo’. If None, uses current repo.

  • gh_runner (Optional[Callable[[List[str]], str]]) – _run_gh_command-shaped callable. Defaults to _run_gh_command(). Override in tests.

Return type:

List[Dict]

Returns:

List of Dependabot alerts

scitex_security.github.get_code_scanning_alerts(repo=None, *, gh_runner=None)[source]

Get code scanning alerts.

Parameters:
  • repo (Optional[str]) – Repository in format ‘owner/repo’. If None, uses current repo.

  • gh_runner (Optional[Callable[[List[str]], str]]) – _run_gh_command-shaped callable. Defaults to _run_gh_command(). Override in tests.

Return type:

List[Dict]

Returns:

List of code scanning alerts

scitex_security.github.check_github_alerts(repo=None, *, auth_check=None, secrets_fn=None, dependabot_fn=None, code_scanning_fn=None)[source]

Check all GitHub security alerts.

Parameters:
  • repo (Optional[str]) – Repository in format ‘owner/repo’. If None, uses current repo.

  • auth_check (Optional[Callable[[], bool]]) – check_gh_auth-shaped callable. Override in tests.

  • secrets_fn (Optional[Callable]) – get_secret_alerts-shaped callable. Override in tests.

  • dependabot_fn (Optional[Callable]) – get_dependabot_alerts-shaped callable. Override in tests.

  • code_scanning_fn (Optional[Callable]) – get_code_scanning_alerts-shaped callable. Override in tests.

Returns:

Dictionary with keys ‘secrets’, ‘dependabot’, ‘code_scanning’

Return type:

Dict[str, List[Dict]]

Raises:

GitHubSecurityError – If GitHub CLI is not installed or not authenticated
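The following is an added example, not the scitex_security.github source, showing the keyword-only collaborator-injection pattern from the "Collaborator injection" section together with the check_github_alerts signature documented above: every external collaborator defaults to the real module-level callable, and a test wires in hand-rolled fakes instead of patching. The gh argument lists, the use of gh api's {owner}/{repo} placeholders for the current repository, and the error wording are assumptions; the alert payloads are constructed.

```python
"""Collaborator-injection pattern from the page, re-implemented stand-alone.
Added example, not the scitex_security.github source: gh argument lists,
repo resolution and error wording are assumptions."""
import json
import subprocess
from typing import Dict, List, Optional


class GitHubSecurityError(Exception):
    """Raised when GitHub security operations fail."""


def check_gh_auth(*, run=None) -> bool:
    """True when `gh auth status` exits 0; `run` is a subprocess.run-shaped override."""
    run = run if run is not None else subprocess.run
    try:
        proc = run(["gh", "auth", "status"], capture_output=True, text=True, check=False)
    except FileNotFoundError:  # gh binary not installed
        return False
    return proc.returncode == 0

def _run_gh_command(args: List[str], *, run=None) -> str:
    """Run `gh <args>` and return stdout; a non-zero exit becomes GitHubSecurityError."""
    run = run if run is not None else subprocess.run
    proc = run(["gh", *args], capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise GitHubSecurityError(f"gh {' '.join(args)} failed: {proc.stderr.strip()}")
    return proc.stdout

def _fetch_alerts(endpoint: str, repo: Optional[str], gh_runner) -> List[Dict]:
    """Shared fetch for the three get_*_alerts helpers (REST paths are assumed)."""
    gh_runner = gh_runner if gh_runner is not None else _run_gh_command
    target = repo if repo else "{owner}/{repo}"  # gh api expands these for the current repo
    out = gh_runner(["api", f"repos/{target}/{endpoint}/alerts"])
    return json.loads(out) if out.strip() else []

def get_secret_alerts(repo=None, *, gh_runner=None) -> List[Dict]:
    return _fetch_alerts("secret-scanning", repo, gh_runner)

def get_dependabot_alerts(repo=None, *, gh_runner=None) -> List[Dict]:
    return _fetch_alerts("dependabot", repo, gh_runner)

def get_code_scanning_alerts(repo=None, *, gh_runner=None) -> List[Dict]:
    return _fetch_alerts("code-scanning", repo, gh_runner)

def check_github_alerts(repo=None, *, auth_check=None, secrets_fn=None,
                        dependabot_fn=None, code_scanning_fn=None) -> Dict[str, List[Dict]]:
    """Keyword-only overrides default to the real module-level callables."""
    auth_check = auth_check if auth_check is not None else check_gh_auth
    secrets_fn = secrets_fn if secrets_fn is not None else get_secret_alerts
    dependabot_fn = dependabot_fn if dependabot_fn is not None else get_dependabot_alerts
    code_scanning_fn = code_scanning_fn if code_scanning_fn is not None else get_code_scanning_alerts
    if not auth_check():
        raise GitHubSecurityError("GitHub CLI is not installed or not authenticated")
    return {"secrets": secrets_fn(repo), "dependabot": dependabot_fn(repo),
            "code_scanning": code_scanning_fn(repo)}


# ---- hand-rolled fakes, as a test (never production code) supplies them ----
FAKE_PAYLOADS = {  # constructed payloads, loosely shaped like GitHub REST responses
    "secret-scanning": [{"number": 1, "state": "open", "secret_type": "example_token"}],
    "dependabot": [{"number": 7, "state": "open", "security_advisory": {"severity": "high"}}],
    "code-scanning": [],
}

def fake_gh_runner(args: List[str]) -> str:
    """_run_gh_command-shaped fake: answers `gh api` from FAKE_PAYLOADS, no subprocess."""
    assert args[0] == "api", args
    for endpoint, payload in FAKE_PAYLOADS.items():
        if f"/{endpoint}/alerts" in args[1]:
            return json.dumps(payload)
    raise AssertionError(f"unexpected gh invocation: {args}")

def fake_run_unauthenticated(cmd, **kwargs):
    """subprocess.run-shaped fake: `gh auth status` exits non-zero."""
    return subprocess.CompletedProcess(cmd, returncode=1, stdout="", stderr="not logged in")

def check_with_fakes(repo: str = "example-org/example-repo") -> Dict[str, List[Dict]]:
    """Wire every collaborator to a fake; nothing here touches gh or the network."""
    return check_github_alerts(
        repo,
        auth_check=lambda: True,
        secrets_fn=lambda r: get_secret_alerts(r, gh_runner=fake_gh_runner),
        dependabot_fn=lambda r: get_dependabot_alerts(r, gh_runner=fake_gh_runner),
        code_scanning_fn=lambda r: get_code_scanning_alerts(r, gh_runner=fake_gh_runner),
    )

def auth_failure_message() -> str:
    """Drive the unauthenticated path through the injected subprocess fake."""
    try:
        check_github_alerts(auth_check=lambda: check_gh_auth(run=fake_run_unauthenticated))
    except GitHubSecurityError as exc:
        return str(exc)
    return ""
```

Because the overrides are keyword-only and default to the module globals, production callers such as check_github_alerts() stay a one-liner, while a test controls every boundary (the subprocess call and each gh invocation) without monkeypatching module state. The fake runner fails loudly on any gh invocation it was not written for, which catches a refactor that silently starts calling an unexpected endpoint.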

scitex_security.github.format_alerts_report(alerts)[source]

Format alerts into a readable text report.

Parameters:

alerts (Dict[str, List[Dict]]) – Dictionary of alerts from check_github_alerts()

Return type:

str

Returns:

Formatted text report

scitex_security.github.save_alerts_to_file(alerts, output_dir=None, create_symlink=True)[source]

Save alerts to a timestamped file.

Parameters:
  • alerts (Dict[str, List[Dict]]) – Dictionary of alerts from check_github_alerts()

  • output_dir (Optional[Path]) – Directory to save file. Defaults to ./logs/security

  • create_symlink (bool) – If True, create ‘security-latest.txt’ symlink

Return type:

Path

Returns:

Path to saved file

scitex_security.github.get_latest_alerts_file(security_dir=None)[source]

Get path to the latest security alerts file.

Parameters:

security_dir (Optional[Path]) – Directory containing security files. Defaults to ./logs/security

Return type:

Optional[Path]

Returns:

Path to latest file, or None if not found
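As an added example (not the scitex_security.github source) covering format_alerts_report, save_alerts_to_file and get_latest_alerts_file above: a timestamped report file is written, the ‘security-latest.txt’ symlink is swapped in atomically with a rename so a concurrent reader never sees it missing, and the lookup falls back to the newest report when no symlink exists (for instance on a filesystem that refuses symlinks). The report layout, the alerts-<timestamp>.txt file naming and the fallback logic are assumptions; the alert set is constructed.

```python
"""save_alerts_to_file / get_latest_alerts_file, re-implemented as an added
example (not the scitex_security.github source); file naming, report layout
and the symlink handling are assumptions."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

LATEST_LINK = "security-latest.txt"      # symlink name stated on the page
DEFAULT_DIR = Path("./logs/security")    # default directory stated on the page

def format_alerts_report(alerts: Dict[str, List[Dict]]) -> str:
    """One section per alert class with its count and one line per alert."""
    lines = ["GitHub security alerts"]
    for kind in ("secrets", "dependabot", "code_scanning"):
        entries = alerts.get(kind, [])
        lines.append(f"== {kind}: {len(entries)} alert(s)")
        lines.extend(f"  #{a.get('number', '?')} state={a.get('state', '?')}" for a in entries)
    return "\n".join(lines) + "\n"

def save_alerts_to_file(alerts, output_dir: Optional[Path] = None, create_symlink: bool = True) -> Path:
    """Write alerts-<UTC stamp>.txt and atomically repoint the 'latest' symlink."""
    out_dir = Path(output_dir) if output_dir else DEFAULT_DIR
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S-%f")
    path = out_dir / f"alerts-{stamp}.txt"
    path.write_text(format_alerts_report(alerts), encoding="utf-8")
    if create_symlink:
        link, tmp = out_dir / LATEST_LINK, out_dir / f".{LATEST_LINK}.tmp"
        tmp.unlink(missing_ok=True)
        try:
            os.symlink(path.name, tmp)   # relative target survives moving the directory
            os.replace(tmp, link)        # rename is atomic: readers never see a missing link
        except OSError:                  # e.g. a filesystem or platform without symlinks
            tmp.unlink(missing_ok=True)
    return path

def get_latest_alerts_file(security_dir: Optional[Path] = None) -> Optional[Path]:
    """Prefer the symlink; otherwise the newest alerts-*.txt; None if nothing exists."""
    d = Path(security_dir) if security_dir else DEFAULT_DIR
    link = d / LATEST_LINK
    if link.is_symlink() and link.exists():   # exists() follows the link: dangling -> skip
        return link.resolve()
    if not d.is_dir():
        return None
    # Zero-padded UTC stamps sort lexically; skip symlinks so the link itself is never chosen.
    files = sorted(p for p in d.glob("alerts-*.txt") if not p.is_symlink())
    return files[-1] if files else None

def demo_roundtrip() -> dict:
    """Save a constructed alert set into a temp dir and read it back."""
    alerts = {"secrets": [{"number": 1, "state": "open"}], "dependabot": [], "code_scanning": []}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        saved = save_alerts_to_file(alerts, output_dir=d)
        latest = get_latest_alerts_file(d)
        return {
            "saved_name": saved.name,
            "latest_matches": latest is not None and latest.resolve() == saved.resolve(),
            "missing_dir_is_none": get_latest_alerts_file(d / "missing") is None,
            "report": format_alerts_report(alerts),
        }
```

The symlink target is stored relative to the directory, so the whole logs/security tree can be archived or moved without the link dangling; a dangling link is treated as absent rather than returned, so callers get the fallback path instead of a file that does not exist.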