Add org-level / enterprise-level dependabot alert list #30


Merged
merged 2 commits into from
Jan 3, 2023

Conversation

parroty
Contributor

@parroty parroty commented Dec 13, 2022

Hi 👋. This PR tries to add an org-level / enterprise-level dependabot alert list (related to #26, but also added an enterprise-level one).

Changes

  • Export dependabot alerts when either GITHUB_REPORT_SCOPE: "organization" or GITHUB_REPORT_SCOPE: "enterprise" is specified.
    • The following columns will be added compared with repository-level alerts (tried to align with code scanning alerts)
      • repo_name
      • repo_owner
      • repo_owner_type
      • repo_owner_isadmin
      • repo_url
      • repo_isfork
      • repo_isprivate
  • Apply the same columns for organization / enterprise level alerts (as I couldn't find specific differences between organization / enterprise)
  • Update README to change ❌ with ✅ for organization/enterprise level dependabot alerts.

References

Tested Conditions

Workflows

Organization Level

name: Export Security Alerts (Organization)

on: workflow_dispatch
jobs:
  export:
    name: Export Code Scanning Alerts
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: read
    steps:
      - name: Export CSV
        uses: parroty/ghas-to-csv@add-org-dependabot
        env:
          GITHUB_PAT: ${{ secrets.PAT }}
          GITHUB_REPORT_SCOPE: "organization"
          SCOPE_NAME: "xxx"
      - name: Upload CSV
        uses: actions/upload-artifact@v3
        with:
          name: ghas-data
          path: ${{ github.workspace }}/*.csv
          if-no-files-found: error
Enterprise Level

name: Export Security Alerts (Enterprise)

on: workflow_dispatch
jobs:
  export:
    name: Export Code Scanning Alerts
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: read
    steps:
      - name: Export CSV
        uses: parroty/ghas-to-csv@add-org-dependabot
        env:
          GITHUB_PAT: ${{ secrets.PAT }}
          GITHUB_REPORT_SCOPE: "enterprise"
          SCOPE_NAME: "xxx"
      - name: Upload CSV
        uses: actions/upload-artifact@v3
        with:
          name: ghas-data
          path: ${{ github.workspace }}/*.csv
          if-no-files-found: error

Tested Conditions

  • PAT (classic) with following scopes
    • repo:security_events
    • read:org
    • read:enterprise
  • Condition with more than 100 alerts

Excerpts (from Enterprise-Level)

Actions Log

Run parroty/ghas-to-csv@add-org-dependabot

...

Found 20 secret scanning alerts in xxx enterprise
Found 3 code scanning alerts in xxx
Found 151 dependabot alerts in xxx

Command

$ ls
cs_list.csv         dependabot_list.csv secrets_list.csv

$ wc -l dependabot_list.csv
     152 dependabot_list.csv

$ head -3 dependabot_list.csv
number,state,created_at,updated_at,fixed_at,dismissed_at,dismissed_by,dismissed_reason,html_url,dependency_manifest,dependency_ecosystem,dependency_name,severity,ghsa_id,cve_id,cvss_score,repo_name,repo_owner,repo_owner_type,repo_owner_isadmin,repo_url,repo_isfork,repo_isprivate
36,open,2022-12-13T13:28:20Z,2022-12-13T13:28:20Z,none,none,none,none,https://github.com/xxx/sample-ghas-4/security/dependabot/36,yarn.lock,npm,qs,high,GHSA-hrpp-h998-j3pp,CVE-2022-24999,7.5,xxx/sample-ghas-4,xxx,Organization,False,https://github.com/xxx/sample-ghas-4,False,True
35,open,2022-12-13T13:28:20Z,2022-12-13T13:28:20Z,none,none,none,none,https://github.com/xxx/sample-ghas-4/security/dependabot/35,yarn.lock,npm,express,high,GHSA-hrpp-h998-j3pp,CVE-2022-24999,7.5,xxx/sample-ghas-4,xxx,Organization,False,https://github.com/xxx/sample-ghas-4,False,True
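
The column mapping described in this PR, as an added example that is not the ghas-to-csv project's own code: it flattens one alert object from the org/enterprise-scope Dependabot alerts endpoint (the scopes whose responses embed a `repository` object) into the CSV header shown above. The sample alert is constructed from the first data row of the excerpt; rendering `dismissed_by` as the dismissing user's login is an assumption of this example.

```python
import csv
import io

# Column order as in the PR's dependabot_list.csv header; values are dotted JSON paths into an alert.
FIELDS = {
    "number": "number", "state": "state", "created_at": "created_at",
    "updated_at": "updated_at", "fixed_at": "fixed_at", "dismissed_at": "dismissed_at",
    "dismissed_by": "dismissed_by.login", "dismissed_reason": "dismissed_reason",
    "html_url": "html_url", "dependency_manifest": "dependency.manifest_path",
    "dependency_ecosystem": "dependency.package.ecosystem",
    "dependency_name": "dependency.package.name",
    "severity": "security_advisory.severity", "ghsa_id": "security_advisory.ghsa_id",
    "cve_id": "security_advisory.cve_id", "cvss_score": "security_advisory.cvss.score",
    "repo_name": "repository.full_name", "repo_owner": "repository.owner.login",
    "repo_owner_type": "repository.owner.type",
    "repo_owner_isadmin": "repository.owner.site_admin",
    "repo_url": "repository.html_url", "repo_isfork": "repository.fork",
    "repo_isprivate": "repository.private",
}

def dig(obj, path):
    """Follow a dotted path; a missing or null hop yields 'none', as the excerpt shows."""
    for key in path.split("."):
        if not isinstance(obj, dict) or obj.get(key) is None:
            return "none"
        obj = obj[key]
    return obj

def flatten_alert(alert):
    """Map one alert object to a CSV row dict in FIELDS column order."""
    return {col: dig(alert, path) for col, path in FIELDS.items()}

def alerts_to_csv(alerts):
    """Render alerts as CSV text with a header row, like dependabot_list.csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(FIELDS), lineterminator="\n")
    writer.writeheader()
    writer.writerows(flatten_alert(a) for a in alerts)
    return buf.getvalue()

# Constructed sample alert shaped like the API response; values taken from the excerpt row.
SAMPLE_ALERT = {
    "number": 36, "state": "open", "created_at": "2022-12-13T13:28:20Z", "updated_at": "2022-12-13T13:28:20Z",
    "fixed_at": None, "dismissed_at": None, "dismissed_by": None, "dismissed_reason": None,
    "html_url": "https://github.com/xxx/sample-ghas-4/security/dependabot/36",
    "dependency": {"manifest_path": "yarn.lock", "package": {"ecosystem": "npm", "name": "qs"}},
    "security_advisory": {"severity": "high", "ghsa_id": "GHSA-hrpp-h998-j3pp", "cve_id": "CVE-2022-24999", "cvss": {"score": 7.5}},
    "repository": {"full_name": "xxx/sample-ghas-4", "html_url": "https://github.com/xxx/sample-ghas-4",
                   "fork": False, "private": True, "owner": {"login": "xxx", "type": "Organization", "site_admin": False}},
}
```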


@some-natalie some-natalie left a comment


Thank you @parroty !!!

@some-natalie some-natalie merged commit 0f659e2 into advanced-security:main Jan 3, 2023