Copilot Lvl 3
Message 1 of 3

Enable Vulnerability Alerts to users with read access

Hi,

As mentioned in the article below:

https://help.github.com/en/articles/managing-alerts-for-vulnerable-dependencies-in-your-organization...

Security Alerts (for members other than org or repo admins) can be enabled only for members with write access to the repo. I am wondering why it is designed that way and whether there is any change planned to add members with "Read" access to the notification list. Members of the security team may need to receive these alerts, but they don't necessarily need write access, as they would not be contributing any code changes.

2 Replies
Community Manager
Message 2 of 3

Re: Enable Vulnerability Alerts to users with read access

Thanks for taking the time to write this feedback. This is a great question and one that we are actually already investigating in an internal issue, and I've added your feedback to it. For now, would it be possible for your organization to delegate Write permissions via teams (including to the security folks), and then use protected branches and a CODEOWNERS file with broad coverage to require review for any pull requests that touch files in the repository?


Best,
AndreaG


Copilot Lvl 3
Message 3 of 3

Re: Enable Vulnerability Alerts to users with read access

Howdy, Andrea,

Are there updates you can share around timeline when pull-only users will be able to receive Security Alert Notifications? The read-only use case you outlined is exactly our desired state.


Alternatively/additionally, are there ways to configure these notifications to be emitted via a webhook to a shared notification destination like Slack?

Specific support ideas that come to mind:
- Support for GitHub.com Enterprise Cloud Account "Hooks" Organization/Repos events "Open Security Advisories" to be emitted via webhooks to span multiple Organizations within a GitHub.com Enterprise Cloud Account
- Support for Organization Insights Dependencies "Open Security Advisories" to be emitted via webhooks

Cheers,
CJ
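The receiving side of the webhook CJ asks about, as an added example that is not part of this thread and not GitHub's own code: it verifies GitHub's HMAC-SHA256 `X-Hub-Signature-256` header over the raw body before trusting anything, then turns the legacy `repository_vulnerability_alert` payload into a one-line chat message. The sample payload, secret, repository name and advisory identifier are constructed placeholders; the event and field names are assumed from GitHub's webhook documentation of that era.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

SIG_PREFIX = "sha256="


def sign(secret: bytes, body: bytes) -> str:
    """Produce the header value GitHub sends: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return SIG_PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time check of X-Hub-Signature-256; rejects a missing or malformed header."""
    if not signature_header or not signature_header.startswith(SIG_PREFIX):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header[len(SIG_PREFIX):])


def format_alert(event: str, payload: dict) -> Optional[str]:
    """Forward only newly created vulnerability alerts; everything else yields None."""
    if event != "repository_vulnerability_alert" or payload.get("action") != "create":
        return None
    alert = payload["alert"]
    return (f"[{alert.get('severity', 'unknown')}] {payload['repository']['full_name']}: "
            f"{alert['affected_package_name']} {alert['affected_range']} "
            f"({alert.get('external_identifier', 'no id')}), fixed in {alert.get('fixed_in', '?')}")


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, message to post). The body is parsed only after the signature passes."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return 401, None
    return 200, format_alert(headers.get("X-GitHub-Event", ""), json.loads(body))


# Constructed sample input (placeholders, not real data).
SAMPLE_SECRET = b"example-webhook-secret"
SAMPLE_PAYLOAD = {
    "action": "create",
    "repository": {"full_name": "example-org/example-repo"},
    "alert": {"affected_package_name": "lodash", "affected_range": "< 4.17.11",
              "severity": "high", "external_identifier": "GHSA-PLACEHOLDER",
              "fixed_in": "4.17.11"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()
```

A real receiver would keep the secret in its configuration and post the returned message to the chat destination; the status codes are the only thing GitHub sees.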