Are security vulnerabilities available via API?

I realize that security vulnerability alerts can be sent via email notifications and web notifications. But I’d like to be notified in Slack instead.

(A natural way to do this would be via a webhook, but so far there is no mention of a webhook for security alerts.)

To this end, if I have chosen to receive security alerts as web notifications, can I access them via the Notifications API? I realize I’d have to filter them out of the stream of all notifications, but my question is whether they will be present in that stream at all.

6 Likes

Hi @kyptin,

Thanks for posting about this! We’re always working to improve GitHub and the GitHub Community Forum, and we consider every suggestion we receive. Unfortunately, this isn’t currently possible, but I’ve logged your feedback in our internal feature request list. Though I can’t guarantee anything or share a timeline for this, I can tell you that it’s been shared with the appropriate teams for consideration.

Cheers!

6 Likes

Thanks, @nadiajoyce. If I’m making a feature request, it would be for a webhook, as I think that would be the most convenient. But it’s useful to know that this isn’t yet possible. Thanks again!

3 Likes

New API for them: https://developer.github.com/changes/2018-04-24-preview-dependency-graph-and-vulnerability-hooks/

7 Likes

I wondered about the same thing. Not sure if this was added at a later point in time, but in the Notifications API, there’s a _reason_ named `security_alert`.

https://developer.github.com/v3/activity/notifications/#notification-reasons
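
An added example (not part of the original thread) of the approach discussed here: poll the Notifications API, keep only threads whose reason is `security_alert`, and build a Slack incoming-webhook message for each one not yet reported. All function names and the sample data are hypothetical; the field names (`id`, `reason`, `subject.title`, `repository.full_name`) are assumed from the Notifications API response shape.

```python
import json
import urllib.request

def fetch_notifications(token):
    """GET /notifications for the token's user (first page only)."""
    req = urllib.request.Request(
        "https://api.github.com/notifications",
        headers={"Authorization": f"token {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def new_security_alerts(threads, seen_ids):
    """Keep threads with reason == security_alert that were not reported before."""
    fresh = [t for t in threads
             if t.get("reason") == "security_alert" and t.get("id") not in seen_ids]
    seen_ids.update(t.get("id") for t in fresh)
    return fresh

def slack_escape(text):
    """Escape the three characters Slack treats as control characters."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def slack_payload(thread):
    """Build an incoming-webhook body; titles are untrusted input, so escape them."""
    repo = thread.get("repository", {}).get("full_name", "unknown")
    title = thread.get("subject", {}).get("title", "")
    return {"text": f"Security alert in {slack_escape(repo)}: {slack_escape(title)}"}

def post_to_slack(webhook_url, payload):
    """POST the payload to a Slack incoming webhook URL."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req, timeout=10).close()

# Constructed sample shaped like a Notifications API response (not real data).
SAMPLE_THREADS = [
    {"id": "1", "reason": "security_alert", "repository": {"full_name": "example-org/app"},
     "subject": {"title": "Potential security vulnerability found in a dependency"}},
    {"id": "2", "reason": "mention", "repository": {"full_name": "example-org/app"},
     "subject": {"title": "Please review"}},
    {"id": "3", "reason": "security_alert", "repository": {"full_name": "example-org/lib"},
     "subject": {"title": "Alert <!channel> & more"}},
]

if __name__ == "__main__":
    seen = set()  # persist this between polls in real use
    for thread in new_security_alerts(SAMPLE_THREADS, seen):
        print(json.dumps(slack_payload(thread)))
```

Escaping the title matters because notification text is forwarded verbatim into a channel, where an unescaped `<!channel>` would be interpreted by Slack rather than displayed.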

Having this API is great. Would it be possible to have a scope for this API? I want to add this to our CI system, but I want the token to be only used for accessing the security alerts.

Security alert webhooks should be accessible via the `repository_vulnerability_alert` payload: https://developer.github.com/webhooks/event-payloads/#repository_vulnerability_alert