Add webhook event (security_advisory.created?) for when GHSAs are created into triage or draft
#67871
Replies: 3 comments 3 replies
-
Hi @sethmlarson thanks for writing in! You are correct we have a webhook for a new private vulnerability report, but not a newly created draft security advisory. We'd love to get to this in the future but I want to be upfront that it's not on our near-term roadmap. However, I have a workaround for you! You could use our REST API to continually poll for the list of advisories within your org, filtered by the state parameter. Then create your own logic for if a new item appears on the list. I checked with our engineering team and there shouldn't be any performance concerns with doing this on our end. Hopefully that helps as a stand-in and apologies for the inconvenience!
-
Hey @sethmlarson! Circling back here to get a few more details about this feature request. Imagine we built the world for you and your use case. Would it be more useful to you to have this webhook fire when any advisory is opened, including private vulnerability reporting submissions which are covered under another webhook? Or only fire when an advisory is created through the "draft" process rather than the private reporting process?
-
Topic area: Product Feedback
As far as I can tell, there is currently no way to receive a webhook event for when a GitHub Security Advisory is created via the "draft" process. Using repository_advisory.reported doesn't work for GHSAs created via draft. This means there's no way to create a GitHub App that is guaranteed to "process" all security advisories before they are published, which limits the amount of automation that can happen on GHSA within the draft state. In my case, I would like to add a default GitHub team to all advisories for a particular repository.
If there is a way to accomplish this today that I've missed, please let me know.
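The polling workaround suggested in the staff reply (list the org's advisories through the REST API, filter by state, and act when an id you have not seen before shows up), combined with the original post's use case of attaching a default team to every new advisory, as an added example. This is illustrative code written for this page, not GitHub's code or anything from the discussion. It assumes the `GET /orgs/{org}/security-advisories` endpoint with its `state` query parameter and `Link`-header pagination; the team assignment assumes that `PATCH /repos/{owner}/{repo}/security-advisories/{ghsa_id}` accepts a `collaborating_teams` list, which you should confirm against the current API docs before relying on it. The org name `acme`, the team slug, and the GHSA ids are constructed sample values, and the fake fetcher stands in for the network so the example runs offline.

```python
"""Added example: poll GitHub for newly created triage/draft advisories.

Stand-in for the missing webhook: list an org's advisories via the REST API
(GET /orgs/{org}/security-advisories?state=...), remember the GHSA ids already
seen, and run a handler for each id that is new. Not GitHub's own code.
"""
import json
import re
import urllib.request
from typing import Callable, Iterable, Optional

API = "https://api.github.com"
# Draft-flow advisories start in "draft"; private reports start in "triage".
# Polling both states and de-duplicating on ghsa_id catches either path and
# does not re-fire when an advisory moves from triage to draft.
WATCHED_STATES = ("triage", "draft")

Fetch = Callable[[str], tuple]  # url -> (decoded JSON list, Link header)


def github_fetch(token: str) -> Fetch:
    """Build a live fetcher (needs a token that can read the org's advisories)."""
    def fetch(url: str):
        req = urllib.request.Request(url, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp), resp.headers.get("Link", "")
    return fetch


def next_link(link_header: str) -> Optional[str]:
    """Return the rel="next" URL from a Link header, or None on the last page."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return m.group(1) if m else None


def list_org_advisories(org: str, state: str, fetch: Fetch) -> list:
    """GET /orgs/{org}/security-advisories filtered by state, all pages."""
    url = f"{API}/orgs/{org}/security-advisories?state={state}&per_page=100"
    found = []
    while url:
        page, link = fetch(url)
        found.extend(page)
        url = next_link(link)
    return found


def find_new(advisories: Iterable, seen: set) -> list:
    """Advisories whose ghsa_id is not yet in `seen`; records them as seen."""
    new = [a for a in advisories if a["ghsa_id"] not in seen]
    seen.update(a["ghsa_id"] for a in new)
    return new


def poll_once(org: str, fetch: Fetch, seen: set, on_new: Callable) -> list:
    """One polling round; returns the ids dispatched to `on_new`.

    Persist `seen` between runs (a file or database) and seed it with the
    current list on first start, or every existing advisory fires as new.
    """
    current = []
    for state in WATCHED_STATES:
        current.extend(list_org_advisories(org, state, fetch))
    new = find_new(current, seen)
    for advisory in new:
        on_new(advisory)
    return [a["ghsa_id"] for a in new]


def add_default_team(advisory: dict, team_slug: str, token: str) -> None:
    """ASSUMPTION: the update-advisory endpoint accepts `collaborating_teams`;
    verify against the API docs. Uses the repository full_name on the object."""
    repo = advisory["repository"]["full_name"]
    url = f"{API}/repos/{repo}/security-advisories/{advisory['ghsa_id']}"
    body = json.dumps({"collaborating_teams": [team_slug]}).encode()
    req = urllib.request.Request(url, data=body, method="PATCH", headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    urllib.request.urlopen(req).close()


def constructed_store() -> dict:
    """Constructed sample data (not real advisories), keyed by state."""
    def adv(ghsa, repo, state):
        return {"ghsa_id": ghsa, "state": state, "repository": {"full_name": repo}}
    return {
        "draft": [adv("GHSA-0000-0000-0001", "acme/app", "draft"),
                  adv("GHSA-0000-0000-0002", "acme/app", "draft"),
                  adv("GHSA-0000-0000-0003", "acme/lib", "draft")],
        "triage": [adv("GHSA-0000-0000-0004", "acme/app", "triage")],
    }


def make_fake_fetch(store: dict) -> Fetch:
    """Offline stand-in for the API: serves `store` two items per page so the
    Link-header pagination path is exercised."""
    def fetch(url: str):
        state = re.search(r"state=(\w+)", url).group(1)
        m = re.search(r"[?&]page=(\d+)", url)  # does not match per_page=
        page = int(m.group(1)) if m else 1
        items = store.get(state, [])
        chunk = items[(page - 1) * 2: page * 2]
        more = page * 2 < len(items)
        link = f'<{API}/x?state={state}&page={page + 1}>; rel="next"' if more else ""
        return chunk, link
    return fetch


if __name__ == "__main__":
    seen, fetch = set(), make_fake_fetch(constructed_store())
    print(poll_once("acme", fetch, seen, lambda a: print("new:", a["ghsa_id"])))
    print(poll_once("acme", fetch, seen, print))  # second round: nothing new
```

In production the `on_new` handler would be `lambda a: add_default_team(a, "security-triage", token)` for advisories whose `repository.full_name` matches the repository you care about; keep the poll interval modest and respect the `Link` header rather than guessing page counts.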