Connector Improvement: GitHub Vulnerability Alerts - Support
Planned
The current GitHub connector does not sync VulnerabilityAlerts; it would be very helpful to have those synced in order to monitor vulnerabilities and keep track of them.
See also GitHub API:
https://docs.github.com/en/graphql/reference/objects#repositoryvulnerabilityalert
-
Official comment
Hi Thomas -
Thanks for submitting this feature request. Currently the GitHub REST API (which is what we use for our connector) doesn't have an endpoint for Vulnerability Alerts. The documentation you provided is for their GraphQL API.
We will need to look into the GraphQL documentation further to understand how we can integrate these in the same connector. In the meantime, I will add this to our backlog and continue to track requests and demand for Vulnerability Alerts.
Best,
Erin
-
Hi Erin, thanks for the feedback!
Indeed it is only available in the GraphQL API. In general GitHub switched to exposing newer things mostly via GraphQL and not via REST API.
Best,
Thomas
-
I came here looking for support for the security advisories, which is available via the REST API https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28. This would be great for helping us monitor and report on the state of our repository compliance with security fixes.
-
Hi All - We have taken up this feature request in the upcoming sprint.
Stay tuned for more details.
Thanks,
Erin
-
Hi Erin,
Thanks for the update. Is there maybe already a timeline for this feature? And the second question would be: will all security vulnerabilities be included in the feature request, or just Repository Alerts?
Thanks,
Dragan
-
Hi Dragan - I can't provide a timeline as of yet.
Today, GitHub's REST API only supports Security Alerts at the repo level. https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28.
Are there Alerts at a different granularity that you are looking for? If so, do you mind sharing details?
Thanks,
Erin
-
Hi Erin,
I might be wrong, but these Security Risks are on all repositories across one organisation.
I was interested whether this will be part of the implementation, or whether the repo level is actually just doing this granularly and it is just sorted in the UI to have one nice overview.
Regarding the timeline, I was more interested in whether it is, for instance, planned for Q3, maybe Q4, or whether it's on the roadmap for next year.
Thanks,
Dragan
-
Hi Erin,
As a small update: if this is not the case we need, I guess these 3 calls would resolve it:
- https://docs.github.com/en/rest/dependabot/alerts?apiVersion=2022-11-28#list-dependabot-alerts-for-an-organization
- https://docs.github.com/en/rest/code-scanning?apiVersion=2022-11-28#list-code-scanning-alerts-for-an-organization
- https://docs.github.com/en/rest/secret-scanning?apiVersion=2022-11-28#list-secret-scanning-alerts-for-an-organization
Do you know if these will be part of the feature request?
Dragan
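An added example (not code from the original thread or from the connector vendor) of what a sync over the three org-level REST endpoints listed above would look like: follow the Link header through each paginated listing, map the three differing alert shapes to one record, and count open alerts by severity. The org name, token, the subset of fields used and the rule that treats an exposed secret as critical are assumptions; the sample alerts are constructed.

```python
import json
import re
import urllib.request
from collections import Counter
ENDPOINTS = {  # org-level listing endpoints named in the thread (REST API version 2022-11-28)
    "dependabot": "/orgs/{org}/dependabot/alerts",
    "code-scanning": "/orgs/{org}/code-scanning/alerts",
    "secret-scanning": "/orgs/{org}/secret-scanning/alerts",
}
def next_link(link_header):
    # GitHub paginates via the Link header; the last page carries no rel="next".
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return m.group(1) if m else None

def fetch_alerts(org, kind, token):
    # Live call (not exercised offline): pages of up to 100 open alerts per request.
    url = f"https://api.github.com{ENDPOINTS[kind].format(org=org)}?per_page=100&state=open"
    headers = {"Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}",
               "X-GitHub-Api-Version": "2022-11-28"}
    alerts = []
    while url:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            alerts.extend(json.load(resp))
            url = next_link(resp.headers.get("Link"))
    return alerts

def normalize(kind, alert):
    # The three alert shapes differ; map them to one record a connector can sync.
    if kind == "dependabot":
        severity = alert["security_advisory"]["severity"]
    elif kind == "code-scanning":
        severity = alert["rule"].get("security_severity_level") or alert["rule"]["severity"]
    else:  # secret-scanning alerts carry no severity field; an exposed secret counts as critical (assumption)
        severity = "critical"
    return {"repo": alert["repository"]["full_name"], "kind": kind, "number": alert["number"],
            "state": alert["state"], "severity": severity}

def open_by_severity(records):
    return Counter(r["severity"] for r in records if r["state"] == "open")
# Constructed sample alerts (trimmed to the fields used), one from each endpoint.
SAMPLE = [
    ("dependabot", {"number": 7, "state": "open", "repository": {"full_name": "acme/api"},
                    "security_advisory": {"severity": "high"}}),
    ("code-scanning", {"number": 3, "state": "dismissed", "repository": {"full_name": "acme/web"},
                       "rule": {"severity": "error", "security_severity_level": "medium"}}),
    ("secret-scanning", {"number": 1, "state": "open", "repository": {"full_name": "acme/web"},
                         "secret_type": "github_personal_access_token"}),
]
RECORDS = [normalize(kind, alert) for kind, alert in SAMPLE]
```

Dismissed and fixed alerts are kept in the records but excluded from the open count, so a sync can still track when an alert was closed.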