As mentioned in the article below,
Security Alerts (for members other than org or repo admins) can be enabled only for members with write access to the repo. I am wondering why it is designed that way and if there is any change planned to add members with "Read" access to the notification list. Members of the security team may need to receive these alerts, but don't necessarily need write access, as they would not be contributing any code changes.
Thanks for taking the time to write this feedback. This is a great question and one that we are actually already investigating in an internal issue, and I've added your feedback to it. For now, would it be possible for your organization to delegate Write permissions via teams (including to the security folks), and then use protected branches and a CODEOWNERS file with broad coverage to require review for any pull requests that touch files in the repository?
Howdy, Andrea -
Are there updates you can share around a timeline for when pull-only users will be able to receive Security Alert notifications? The read-only use case you outlined is exactly our desired state.
Alternatively/additionally, are there ways to configure these notifications to be emitted via a webhook to a shared notification destination like Slack?
Specific support ideas that come to mind:
- Support for GitHub.com Enterprise Cloud account "Hooks" (Organization/Repos events) "Open Security Advisories" to be emitted via webhooks, spanning multiple Organizations within a GitHub.com Enterprise Cloud account
- Support for Organization Insights Dependencies "Open Security Advisories" to be emitted via webhooks
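If a security-alert webhook is delivered to a shared endpoint as the post above asks for, the receiver still has to authenticate the delivery before fanning it out to Slack: GitHub signs every webhook body with HMAC-SHA256 under the hook's secret and sends the hex digest in the `X-Hub-Signature-256` header. The following is an added example written for this thread, not code from GitHub or from any poster; the event name `repository_vulnerability_alert`, the alert field names (`affected_package_name`, `affected_range`, `severity`, `external_reference`) and the Slack message shape are assumptions chosen for illustration, and the sample delivery is constructed inline so the block runs offline.

```python
"""Verify a GitHub webhook delivery and forward security alerts to Slack.

Added example for illustration. Event and payload field names are assumptions;
check them against the webhook documentation for your GitHub plan before use.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# Hypothetical hook secret, shared between the GitHub hook config and this receiver.
WEBHOOK_SECRET = b"change-me-to-a-long-random-secret"

# Assumed event name carried in the X-GitHub-Event header for security alerts.
SECURITY_EVENT = "repository_vulnerability_alert"


def sign_body(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub places in X-Hub-Signature-256 for a body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of the delivery signature against the raw body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)


def alert_to_slack_message(payload: dict) -> Optional[dict]:
    """Build a Slack incoming-webhook message for a new alert, or None to skip."""
    if payload.get("action") != "create":  # ignore dismiss/resolve for this channel
        return None
    alert = payload.get("alert", {})  # field names below are assumptions
    repo = payload.get("repository", {}).get("full_name", "<unknown repo>")
    text = (
        f"*{alert.get('severity', 'unknown').upper()}* security alert in `{repo}`: "
        f"{alert.get('affected_package_name', '?')} {alert.get('affected_range', '')}".rstrip()
    )
    ref = alert.get("external_reference")
    if ref:
        text += f" ({ref})"
    return {"text": text}


def handle_delivery(headers: Dict[str, str], body: bytes,
                    send_to_slack: Callable[[dict], None],
                    secret: bytes = WEBHOOK_SECRET) -> str:
    """Process one delivery; returns 'rejected', 'ignored' or 'forwarded'."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # Authenticate first: an unsigned or tampered body must never reach Slack.
    if not verify_signature(secret, body, h.get("x-hub-signature-256")):
        return "rejected"
    if h.get("x-github-event") != SECURITY_EVENT:
        return "ignored"
    message = alert_to_slack_message(json.loads(body))
    if message is None:
        return "ignored"
    send_to_slack(message)  # e.g. an HTTP POST to a Slack incoming-webhook URL
    return "forwarded"


# Constructed sample delivery (not a real GitHub payload).
SAMPLE_BODY = json.dumps({
    "action": "create",
    "alert": {
        "affected_package_name": "lodash",
        "affected_range": "< 4.17.21",
        "severity": "high",
        "external_reference": "https://github.com/advisories/EXAMPLE",
    },
    "repository": {"full_name": "example-org/example-repo"},
}).encode()

SAMPLE_HEADERS = {
    "X-GitHub-Event": SECURITY_EVENT,
    "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, SAMPLE_BODY),
}


def demo() -> list:
    """Run the sample delivery and a tampered copy through the handler."""
    sent = []
    good = handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY, sent.append)
    tampered = handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY + b" ", sent.append)
    return [good, tampered, sent]


if __name__ == "__main__":
    print(demo())
```

The handler verifies the signature before parsing JSON, so a forged or replayed-with-edits body is dropped without touching the parser or Slack; only `create` actions are forwarded, so dismissals and resolutions do not page the channel.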