Feature Request: Allow users who are not repo members to be added to Vulnerability Alerts

I am part of the security function within my organisation and thus would like to receive and consolidate known vulnerabilities across our repos. My colleagues and I tried following your instructions at https://help.github.com/en/articles/managing-alerts-for-vulnerable-dependencies-in-your-organizations-repositories; however, we found that it was not possible to add me to the list of people who should receive vulnerability alerts for a repo unless I both: a) was a member of that repo, and b) had at least ‘write’ permission to the repo.

It goes without saying that I don’t necessarily want members of the security team having access to all repos, and certainly not write access (principle of least privilege and all), and yet we should be able to be added to the list of users who receive the vulnerability alerts so that we can triage, mitigate, etc.

Would it be possible to add non-repo members (but organisation members) to the list of users who can receive the alerts? Naturally this would still be done by the repo owner(s).

Many thanks!

Hi @securitygeneration,

Thanks for this feedback! We’re always working to improve GitHub and the GitHub Community Forum, and we consider every suggestion we receive. I’ve logged your feature request in our internal feature request list. Though I can’t guarantee anything or share a timeline for this, I can tell you that it’s been shared with the appropriate teams for consideration.


