[Bug] API V4(GraphQL): vulnerabilityAlerts results differ in v4 API vs web interface

Hello!

I’ve been searching for answers for a while now, and the most I’ve come up with is that others have had trouble getting to see how to query for SecurityVulnerability alerts across all repos for an org.

I’ve constructed this GraphQL query:

variables:
{
  "orgname": "INSERT_ORG_NAME_HERE",
  "cursor": null
}

query OrgRepoVulnerabilityAlerts($orgname: String!, $cursor: String) {
  organization(login: $orgname) {
    repositories(first: 100, after: $cursor) {
      pageInfo {
        hasNextPage
        endCursor
      }
      nodes {
        name
        isArchived
        vulnerabilityAlerts(first: 100) {
          nodes {
            vulnerableRequirements
            securityVulnerability {
              severity
              package {
                ecosystem
                name
              }
              updatedAt
              vulnerableVersionRange
            }
          }
        }
      }
    }
  }
}

I’ve also added the Accept: application/vnd.github.vixen-preview+json header to my POST call.

The problem I’m seeing is that most responses will return this kind of response in the nodes section:

{
    "name": "repo-name",
    "isArchived": false,
    "vulnerabilityAlerts": {
        "nodes": []
    }
}

When I visit the same repo in the web interface, I can see some repos with over 60 open alerts.

Some of the responses in the nodes section do indeed contain results, and I’ve verified them against the web interface, so I know it’s working, just not completely as expected.

Am I constructing the query incorrectly, or do I need some other permission, or some other subtle problem?

After thinking about this some more, I went back and checked the scopes allowed on the Personal Access Token (PAT) I was using for these queries, and tried checking the repo scope - that solved the issue, and now I can see the vulnerability alerts for repos - yay!

What I don’t understand is this: if we need the full repo scope, why were some alerts visible without it, with only public_repo, for alerts that are not public?
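The pagination loop the query above is built for, as an added example that is not part of the original post or of GitHub's own tooling: it follows endCursor across repository pages, counts alerts per repo, and separately lists repos that came back with an empty alert list, since that is exactly what a token without the repo scope returns. The `post` transport is injected so it can run here against a constructed two-page response; a real transport would POST to api.github.com/graphql with the Authorization and Accept headers from the post (assumption: the field subset kept in QUERY is enough for this summary).

```python
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# The query from the post, trimmed to the fields the summary below uses.
QUERY = """query($orgname: String!, $cursor: String) {
  organization(login: $orgname) {
    repositories(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes { name isArchived
        vulnerabilityAlerts(first: 100) { nodes { securityVulnerability { severity } } } }
    }
  }
}"""

# A transport takes (query, variables) and returns the decoded JSON body.
Transport = Callable[[str, Dict], Dict]

def iter_repos(post: Transport, orgname: str) -> Iterator[Dict]:
    """Yield every repository node, following endCursor until hasNextPage is false."""
    cursor: Optional[str] = None
    while True:
        body = post(QUERY, {"orgname": orgname, "cursor": cursor})
        if body.get("errors"):  # e.g. unknown org: fail loudly rather than loop forever
            raise RuntimeError(str(body["errors"]))
        repos = body["data"]["organization"]["repositories"]
        yield from repos["nodes"]
        if not repos["pageInfo"]["hasNextPage"]:
            return
        cursor = repos["pageInfo"]["endCursor"]

def alert_summary(post: Transport, orgname: str) -> Tuple[Dict[str, int], List[str]]:
    """Count alerts per repo and list repos that returned none: an empty list is
    exactly what a token lacking the repo scope produces, so it needs a second look."""
    counts = {r["name"]: len(r["vulnerabilityAlerts"]["nodes"]) for r in iter_repos(post, orgname)}
    return counts, sorted(n for n, c in counts.items() if c == 0)

def _repo(name: str, severities: List[str]) -> Dict:
    return {"name": name, "isArchived": False, "vulnerabilityAlerts": {
        "nodes": [{"securityVulnerability": {"severity": s}} for s in severities]}}
_PAGES = {  # constructed two-page sample response, keyed by the cursor sent
    None: {"data": {"organization": {"repositories": {
        "pageInfo": {"hasNextPage": True, "endCursor": "c1"},
        "nodes": [_repo("web", ["HIGH", "LOW"]), _repo("legacy", [])]}}}},
    "c1": {"data": {"organization": {"repositories": {
        "pageInfo": {"hasNextPage": False, "endCursor": None},
        "nodes": [_repo("api", [])]}}}},
}

def stub_post(query: str, variables: Dict) -> Dict:  # stand-in for a real HTTP POST
    return _PAGES[variables["cursor"]]
```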