Add TLS certificate bundle support to all Python scripts

- Fix bug in list_secret_scanning_alerts.py (undefined variable)
- Add --ca-cert-bundle and --no-verify-tls options to all scripts
- Update GitHub class instantiation to pass verify parameter
- Update all helper functions to accept and propagate verify parameter
- Update test to include new arguments

Co-authored-by: aegilops <41705651+aegilops@users.noreply.github.com>

Author: Copilot

close_code_scanning_alerts.py

@@ -91,6 +91,25 @@ def add_args(parser: argparse.ArgumentParser) -> None:
         action="store_true",
         help="Print the alerts that would be closed, but don't actually close them.",
     )
+    parser.add_argument(
+        "--hostname",
+        type=str,
+        default="github.com",
+        required=False,
+        help="GitHub Enterprise hostname (defaults to github.com)",
+    )
+    parser.add_argument(
+        "--ca-cert-bundle",
+        "-C",
+        type=str,
+        required=False,
+        help="Path to CA certificate bundle in PEM format (e.g. for self-signed server certificates)"
+    )
+    parser.add_argument(
+        "--no-verify-tls",
+        action="store_true",
+        help="Do not verify TLS connection certificates (warning: insecure)"
+    )
     parser.add_argument(
         "-d",
         "--debug",
@@ -108,7 +127,18 @@ def main() -> None:
 
     logging.basicConfig(level=logging.INFO if not args.debug else logging.DEBUG)
 
-    github = GitHub()
+    verify = True
+    if args.ca_cert_bundle:
+        verify = args.ca_cert_bundle
+
+    if args.no_verify_tls:
+        verify = False
+        LOG = logging.getLogger(__name__)
+        LOG.warning("Disabling TLS verification. This is insecure and should not be used in production")
+        import urllib3
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+    github = GitHub(hostname=args.hostname, verify=verify)
 
     try:
         owner, repo = args.repo_name.split("/")

list_code_scanning_alerts.py

@@ -124,8 +124,8 @@ def output_csv(results: list[dict], quote_all: bool) -> None:
         writer.writerow(to_list(result))
 
 
-def list_code_scanning_alerts(name: str, scope: str, hostname: str, state: str|None=None, since: datetime.datetime|None=None, raw: bool=False) -> Generator[dict, None, None]:
-    g = GitHub(hostname=hostname)
+def list_code_scanning_alerts(name: str, scope: str, hostname: str, state: str|None=None, since: datetime.datetime|None=None, raw: bool=False, verify: bool | str = True) -> Generator[dict, None, None]:
+    g = GitHub(hostname=hostname, verify=verify)
     alerts = g.list_code_scanning_alerts(name, state=state, since=since, scope=scope)
     if raw:
         return alerts
@@ -178,6 +178,18 @@ def add_args(parser: argparse.ArgumentParser) -> None:
         required=False,
         help="GitHub Enterprise hostname (defaults to github.com)",
     )
+    parser.add_argument(
+        "--ca-cert-bundle",
+        "-C",
+        type=str,
+        required=False,
+        help="Path to CA certificate bundle in PEM format (e.g. for self-signed server certificates)"
+    )
+    parser.add_argument(
+        "--no-verify-tls",
+        action="store_true",
+        help="Do not verify TLS connection certificates (warning: insecure)"
+    )
     parser.add_argument(
         "--debug", "-d", action="store_true", help="Enable debug logging"
     )
@@ -202,11 +214,21 @@ def main() -> None:
     name = args.name
     state = args.state
     hostname = args.hostname
+    verify = True
+
+    if args.ca_cert_bundle:
+        verify = args.ca_cert_bundle
+
+    if args.no_verify_tls:
+        verify = False
+        LOG.warning("Disabling TLS verification. This is insecure and should not be used in production")
+        import urllib3
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
     if not GitHub.check_name(name, scope):
         raise ValueError("Invalid name: %s for %s", name, scope)
 
-    results = list_code_scanning_alerts(name, scope, hostname, state=state, since=since, raw=args.raw)
+    results = list_code_scanning_alerts(name, scope, hostname, state=state, since=since, raw=args.raw, verify=verify)
 
     if args.json:
         print(json.dumps(list(results), indent=2))

list_secret_scanning_alerts.py

@@ -375,7 +375,7 @@ def main() -> None:
     verify = True
 
     if args.ca_cert_bundle:
-        verify = ca_cert_bundle
+        verify = args.ca_cert_bundle
 
     if args.no_verify_tls:
         verify = False

replay_code_scanning_alert_status.py

@@ -50,9 +50,9 @@ def existing_results_by_location(reader: csv.DictReader) -> dict:
     return existing_results
 
 
-def change_state(hostname, result: dict, res: dict) -> None:
+def change_state(hostname, result: dict, res: dict, verify: bool | str = True) -> None:
     """Change the state of the alert to match the existing result using the GitHub API to update the alert."""
-    g = GitHub(hostname=hostname)
+    g = GitHub(hostname=hostname, verify=verify)
 
     repo_name = result["repo"]
 
@@ -77,7 +77,7 @@ def change_state(hostname, result: dict, res: dict) -> None:
     return
 
 
-def update_states(hostname: str, results: Iterable[dict], existing_results: dict) -> None:
+def update_states(hostname: str, results: Iterable[dict], existing_results: dict, verify: bool | str = True) -> None:
     """Update the state of matching alerts to match the existing results."""
     for result in results:
         repo = result["repo"]
@@ -101,7 +101,7 @@ def update_states(hostname: str, results: Iterable[dict], existing_results: dict
         if res["state"] != result["state"]:
             LOG.warning(f"State mismatch: {res['state']} != {result['state']}")
 
-            change_state(hostname, result, res)
+            change_state(hostname, result, res, verify=verify)
 
 
 def add_args(parser: argparse.ArgumentParser) -> None:
@@ -145,6 +145,18 @@ def add_args(parser: argparse.ArgumentParser) -> None:
         required=False,
         help="GitHub Enterprise hostname (defaults to github.com)",
     )
+    parser.add_argument(
+        "--ca-cert-bundle",
+        "-C",
+        type=str,
+        required=False,
+        help="Path to CA certificate bundle in PEM format (e.g. for self-signed server certificates)"
+    )
+    parser.add_argument(
+        "--no-verify-tls",
+        action="store_true",
+        help="Do not verify TLS connection certificates (warning: insecure)"
+    )
     parser.add_argument(
         "--debug", "-d", action="store_true", help="Enable debug logging"
     )
@@ -166,6 +178,16 @@ def main() -> None:
     name = args.name
     state = args.state
     hostname = args.hostname
+    verify = True
+
+    if args.ca_cert_bundle:
+        verify = args.ca_cert_bundle
+
+    if args.no_verify_tls:
+        verify = False
+        LOG.warning("Disabling TLS verification. This is insecure and should not be used in production")
+        import urllib3
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
     if not GitHub.check_name(args.name, scope):
         raise ValueError("Invalid name: %s for %s", args.name, scope)
@@ -179,9 +201,9 @@ def main() -> None:
 
     LOG.debug(existing_results)
 
-    results = list_code_scanning_alerts(name, scope, hostname, state=state, since=since)
+    results = list_code_scanning_alerts(name, scope, hostname, state=state, since=since, verify=verify)
 
-    update_states(hostname, results, existing_results)
+    update_states(hostname, results, existing_results, verify=verify)
 
 
 if __name__ == "__main__":

replay_secret_scanning_result_status.py

@@ -44,9 +44,9 @@ def existing_results_by_secret(reader: csv.DictReader) -> dict:
     return existing_results
 
 
-def change_state(hostname, result: dict, res: dict) -> None:
+def change_state(hostname, result: dict, res: dict, verify: bool | str = True) -> None:
     """Change the state of the alert to match the existing result using the GitHub API to update the alert."""
-    g = GitHub(hostname=hostname)
+    g = GitHub(hostname=hostname, verify=verify)
 
     repo_name = result["repo"]
 
@@ -112,6 +112,18 @@ def add_args(parser: argparse.ArgumentParser) -> None:
         required=False,
         help="GitHub Enterprise hostname (defaults to github.com)",
     )
+    parser.add_argument(
+        "--ca-cert-bundle",
+        "-C",
+        type=str,
+        required=False,
+        help="Path to CA certificate bundle in PEM format (e.g. for self-signed server certificates)"
+    )
+    parser.add_argument(
+        "--no-verify-tls",
+        action="store_true",
+        help="Do not verify TLS connection certificates (warning: insecure)"
+    )
     parser.add_argument(
         "--debug", "-d", action="store_true", help="Enable debug logging"
     )
@@ -133,6 +145,16 @@ def main() -> None:
     name = args.name
     state = args.state
     hostname = args.hostname
+    verify = True
+
+    if args.ca_cert_bundle:
+        verify = args.ca_cert_bundle
+
+    if args.no_verify_tls:
+        verify = False
+        LOG.warning("Disabling TLS verification. This is insecure and should not be used in production")
+        import urllib3
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
     if not GitHub.check_name(args.name, scope):
         raise ValueError("Invalid name: %s for %s", args.name, scope)
@@ -146,7 +168,7 @@ def main() -> None:
 
     LOG.debug(existing_results)
 
-    results = list_secret_scanning_alerts(name, scope, hostname, state=state, since=since)
+    results = list_secret_scanning_alerts(name, scope, hostname, state=state, since=since, verify=verify)
 
     for result in results:
         repo = result["repo"]
@@ -165,7 +187,7 @@ def main() -> None:
             LOG.warning(f"State mismatch: {res['state']} != {result['state']}")
 
             if result["state"] != "pattern_edited":
-                change_state(hostname, result, res)
+                change_state(hostname, result, res, verify=verify)
 
 
 if __name__ == "__main__":

resolve_duplicate_secret_scanning_alerts.py

@@ -51,9 +51,9 @@ def index_results_by_secret(results: Iterable[dict]) -> dict:
     return indexed_results
 
 
-def change_state(hostname, old_result: dict, new_result: dict) -> None:
+def change_state(hostname, old_result: dict, new_result: dict, verify: bool | str = True) -> None:
     """Change the state of the alert to match the existing result using the GitHub API to update the alert."""
-    g = GitHub(hostname=hostname)
+    g = GitHub(hostname=hostname, verify=verify)
 
     repo_name = new_result["repo"]
 
@@ -83,7 +83,7 @@ def change_state(hostname, old_result: dict, new_result: dict) -> None:
 
 
 def resolve_duplicates(
-    indexed_results: dict, matching_secrets_lookup: dict, hostname: str
+    indexed_results: dict, matching_secrets_lookup: dict, hostname: str, verify: bool | str = True
 ) -> None:
     """Resolve duplicates by matching on a new secret type and updating the state of the alert to match the existing result."""
     for repo, repo_results in indexed_results.items():
@@ -107,7 +107,7 @@ def resolve_duplicates(
                     LOG.info(f"State mismatch, updating state: {new_result['state']} != {old_result['state']}")
 
                     if old_result["state"] != "pattern_edited":
-                        change_state(hostname, old_result, new_result)
+                        change_state(hostname, old_result, new_result, verify=verify)
 
 
 def add_args(parser: argparse.ArgumentParser) -> None:
@@ -145,6 +145,18 @@ def add_args(parser: argparse.ArgumentParser) -> None:
         required=False,
         help="GitHub Enterprise hostname (defaults to github.com)",
     )
+    parser.add_argument(
+        "--ca-cert-bundle",
+        "-C",
+        type=str,
+        required=False,
+        help="Path to CA certificate bundle in PEM format (e.g. for self-signed server certificates)"
+    )
+    parser.add_argument(
+        "--no-verify-tls",
+        action="store_true",
+        help="Do not verify TLS connection certificates (warning: insecure)"
+    )
     parser.add_argument(
         "--debug", "-d", action="store_true", help="Enable debug logging"
     )
@@ -174,6 +186,16 @@ def main() -> None:
     name = args.name
     state = args.state
     hostname = args.hostname
+    verify = True
+
+    if args.ca_cert_bundle:
+        verify = args.ca_cert_bundle
+
+    if args.no_verify_tls:
+        verify = False
+        LOG.warning("Disabling TLS verification. This is insecure and should not be used in production")
+        import urllib3
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
     if not GitHub.check_name(args.name, scope):
         raise ValueError("Invalid name: %s for %s", args.name, scope)
@@ -187,15 +209,15 @@ def main() -> None:
     matching_secrets_lookup = {k: v for k, v in matching_secrets}
 
     # find secret scanning alerts
-    results = list_secret_scanning_alerts(name, scope, hostname, state=state, since=since, include_secret=True)
+    results = list_secret_scanning_alerts(name, scope, hostname, state=state, since=since, include_secret=True, verify=verify)
     if not results:
         LOG.info("No secret scanning alerts found")
         return
 
     # index results by secret and type for easy lookup
     indexed_results = index_results_by_secret(results)
 
-    resolve_duplicates(indexed_results, matching_secrets_lookup, hostname)
+    resolve_duplicates(indexed_results, matching_secrets_lookup, hostname, verify=verify)
 
 
 if __name__ == "__main__":

test_resolve_duplicate_secret_scanning_alerts.py

@@ -19,7 +19,9 @@ def mock_args():
             since="2024-10-08",
             hostname="github.com",
             debug=True,
-            add_matching_secret=[("old_type", "new_type")]
+            add_matching_secret=[("old_type", "new_type")],
+            ca_cert_bundle=None,
+            no_verify_tls=False
         )
         yield mock_parse_args