Copilot Lvl 3
Message 1 of 5

GraphQL API v4 - Accessing RepositoryVulnerabilityAlert


So I'm trying to access the GraphQL API v4 as such:

import os
import requests
import json

url = 'https://api.github.com/graphql'
query = """
  query someFunction($repository_name: String!){
    repositoryVulnerabilityAlert {
      repository(name: $repository_name) {
        name
      }

    }
  }
"""
variables = """ { "repository_name":"my_repo" } """
api_token = os.environ['bearer_token']
payload = {'Accept': 'application/vnd.github.vixen-preview+json'}
headers = {'Authorization': 'bearer %s' % api_token, 'Accept': 'application/vnd.github.vixen-preview+json'}
r = requests.post(url=url, json={'query': query, 'variables': variables}, data=json.dumps(payload), headers=headers)
print (r.text)
 
And I keep receiving:
{"errors":[{"message":"A query attribute must be specified and must be a string."}]}
 
What am I doing wrong?
4 Replies
Solution
GitHub Staff
Message 2 of 5

Re: GraphQL API v4 - Accessing RepositoryVulnerabilityAlert

Hey @sgript!

 

I see a few mistakes in your script, both in the GraphQL query you're running, as well as in how you're running it. 

 

The GraphQL Query that you want in order to list repository vulnerability alerts off of a single repo should look something like this:

 

query repoVulns($owner:String!, $name:String!){
  repository(owner:$owner, name:$name) {
    vulnerabilityAlerts(first:10) {
      nodes {
        id
      }
    }
  }
}

In addition, it looks like you're passing the wrong data in with `data=json.dumps(payload)`, which seems to be a variable that only has some headers in it. I went ahead and made the changes, and I think this should work:

 

import os
import requests
import json

url = 'https://api.github.com/graphql'
query = """
query repoVulns($owner:String!, $name:String!){
  repository(owner:$owner, name:$name) {
    vulnerabilityAlerts(first:10) {
      nodes {
        id
      }
    }
  }
}

"""
variables = """
{"owner": "owner", "name": "name"}
"""
api_token = os.environ['bearer_token']
headers = {'Authorization': 'Bearer %s' % api_token, 'Accept': 'application/vnd.github.vixen-preview+json'}

r = requests.post(url=url, json={'query': query, 'variables': variables}, headers=headers)

print (r.text)

You'll have to change the owner and the name to the Repository owner and name that you're trying to look up, but I think this should work!

 

Let me know!

 

Copilot Lvl 3
Message 3 of 5

Re: GraphQL API v4 - Accessing RepositoryVulnerabilityAlert

Hi @nickvanw !

 

Thanks for your prompt response, I appreciate it.

 

I've used the code suggested and added in the variables assigned to `owner` and `name` for the repository. Although I'm receiving an actual data response now, I receive an empty node, as such:

 

`{"data":{"repository":{"vulnerabilityAlerts":{"nodes":[]}}}}`

 

It's worth stating that the repository I'm trying to target is a part of a team and hence I've passed the team's name as the value assigned to the `owner` variable, being that the url of our repo reads github.com/theTeam/theRepo

 

And I've simply assigned `theTeam` to `owner` and `theRepo` to `name`.

 

We've checked and we definitely have vulnerability alerts listed. Any ideas as to why it may be returning blank would be very welcome!

Copilot Lvl 3
Message 4 of 5

Re: GraphQL API v4 - Accessing RepositoryVulnerabilityAlert

An update on this @nickvanw 

 

It seems to have been a permissions issue - in order to run this particular call, I needed to be listed as the owner of the repository. After having a colleague try to run the script (who happened to be the owner of the repository), with their bearer token, some results were returned.

 

Thank you for your help!

Ground Controller Lvl 1
Message 5 of 5

Re: GraphQL API v4 - Accessing RepositoryVulnerabilityAlert

This is a helpful thread, but I'm wondering how to use the id returned. The suggested code returns a list of nodes with base64 encoded ids like this:

 

{"data":{"repository":{"vulnerabilityAlerts":
{"edges":[
{"node":{"id":"<redacted base64 string here>"}},
{"node":{"id":"<redacted base64 string here>"}},
{"node":{"id":"<redacted base64 string here>"}}
]}
}}}

 

How can I use that to get the information from the alert such as the severity, description, summary, and other fields listed at https://developer.github.com/v4/object/securityadvisory/#connections? I'm new to GraphQL so thanks for bearing with!
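
One way to answer the last question, as an added example that is not part of the original thread or GitHub's own code: select the `securityAdvisory` fields on each alert node in the same query instead of decoding the `id`, and follow `pageInfo` to read every page. It uses `urllib` rather than `requests` to avoid a dependency; `SAMPLE` and the placeholder values are constructed, and the `securityAdvisory`, `ghsaId` and `pageInfo` fields are taken from GitHub's public schema rather than from this thread.

```python
import json
import urllib.request

API_URL = "https://api.github.com/graphql"
# Select securityAdvisory on each alert node; the opaque node id never needs decoding.
QUERY = """
query repoVulns($owner: String!, $name: String!, $after: String) {
  repository(owner: $owner, name: $name) {
    vulnerabilityAlerts(first: 50, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes { id securityAdvisory { ghsaId severity summary description } }
    }
  }
}
"""
# Constructed sample response (not real alert data) for exercising parse_alerts offline.
SAMPLE = {"data": {"repository": {"vulnerabilityAlerts": {
    "pageInfo": {"hasNextPage": True, "endCursor": "CURSOR_PLACEHOLDER"},
    "nodes": [{"id": "ID_PLACEHOLDER", "securityAdvisory": {"ghsaId": "GHSA-xxxx-xxxx-xxxx",
               "severity": "HIGH", "summary": "constructed", "description": "constructed"}}]}}}}

def build_request(token, owner, name, after=None):
    """Query and variables travel together in one JSON body; the token stays in a header."""
    body = {"query": QUERY, "variables": {"owner": owner, "name": name, "after": after}}
    headers = {"Authorization": "Bearer %s" % token, "Content-Type": "application/json",
               "Accept": "application/vnd.github.vixen-preview+json"}
    return urllib.request.Request(API_URL, data=json.dumps(body).encode(), headers=headers)

def parse_alerts(payload):
    """Return (alerts, next_cursor). GraphQL errors arrive with HTTP 200, so check the body."""
    if payload.get("errors"):
        raise RuntimeError("; ".join(e.get("message", "?") for e in payload["errors"]))
    conn = payload["data"]["repository"]["vulnerabilityAlerts"]
    alerts = [dict(n["securityAdvisory"], id=n["id"]) for n in conn["nodes"]]
    page = conn["pageInfo"]
    return alerts, (page["endCursor"] if page["hasNextPage"] else None)

def fetch_all(token, owner, name):
    """Live use: follow endCursor to the last page so alerts past the first 50 are not missed."""
    alerts, cursor = [], None
    while True:
        with urllib.request.urlopen(build_request(token, owner, name, cursor), timeout=30) as resp:
            page, cursor = parse_alerts(json.load(resp))
        alerts.extend(page)
        if cursor is None:
            return alerts

if __name__ == "__main__":
    print(parse_alerts(SAMPLE))
```

An empty list from `fetch_all` can mean the token's user is not permitted to see the alerts, as the poster in message 4 found, rather than that the repository has none.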