Add API for management of access to security alerts

[reedloden]

Requesting that an API be added for management of access to security alerts

See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts

Right now, users/teams have to be manually added via that UI, and with dozens if not hundreds of repositories under an organization/enterprise, that is a real maintenance burden. Would be nice to be able to use an API to automate it.

Until there's an API available, the closest I have been able to find is a script somebody wrote that just abuses the standard web interface for this purpose: https://gist.github.com/captn3m0/8806a2b7943657c39cc42502560a0f9f.

[greysteil]

Hey @reedloden, thanks for the feedback.

We're planning to remove the "access to alerts" UI in the not-too-distant future (once its functionality has been fully replaced with fine grained permissions and custom roles), so we aren't planning to add an API for it. Unfortunately for now that puts us in an in-between place, which I appreciate is frustrating.

In addition to the script above, if you're a GitHub Enterprise customer you can use custom repository roles to achieve a similar result:

1. Create a custom repository role inheriting from write and add all of the permissions labelled with security to it. Call it "Write with security" or something like that
2. For each repo / user pair that you want to grant access to, use the add a repository collaborator API endpoint to update that user's permission level on the repository to be the new custom role
3. Alternatively you can add many users to a team (via the API) and then use the team API to add or update that team's permission level on the repository to be the new custom role

A couple of caveats:

• The above is (currently) only possible for GitHub Enterprise customers (on server you need to be on GHES 3.5+)
• Custom roles are only available at the organisation level. If you have many organisations you'll need to manually create the same role on each organisation via the UI, which I appreciate is no fun

We're keeping the "access to alerts" UI for now, because it works slightly differently to the above (it's composable with a user's role on a repo and is available to customers without an Enterprise account) but for Enterprise customers, ☝️ is the way forward.

Finally, if you who want members of a team to have access to security alerts on all repositories in an organisation, the security manager role is the way to go.

Apologies for the imperfect solution, and particularly that it's not available for all customers. I'm also cc-ing @hpsin who leads our wider work on identity, and will be the one who fully solves this in the future!

[glye]

The same goes for granting access to security advisories. I'd like to always give certain users or groups access to draft advisories for given repos.

[greysteil]

Makes sense, and that's exactly why we want to solve this with fine grained permissions and the wider GitHub identity and access management functionality.

Cc @KateCatlin @jhutchings1 - it looks like we don't currently have fine grained permissions for managing security advisories. Can you take a look?

[KateCatlin]

100%! This is a common issue that we're hearing about in user interviews, and we're looking into changing these permissions in the next few quarters.

@glye @reedloden would love to get you on the phone and chat through your user stories/use cases here. Would you be open to a 30-minute zoom? Happy to send you a gift card as a thank you: https://calendly.com/security-advisories-ux-calls/30min?month=2022-11

[glye]

@KateCatlin Sure! See you next week, then. Thanks for dealing with this.

[ranma2913]

Special Thanks for this.

I was able to create a new role from Triage and it gave the correct access to my group's Managers & Systems-Analyst. By choosing Triage we were able to maintain our separation of duties compliance keeping those with production access away from having Write permission to the codebase.

I chose:

• Role Name: triage-security-alerts
• Description: Triage access plus permission to view and manage code scanning, Dependabot, or secret scanning alerts.
• Inherit Triage
• Add all 'security' permissions

[ranma2913]

This minified json is hard to read and has no additional context. What are you talking a bout?

[vini-ppro]

We're planning to remove the "access to alerts" UI in the not-too-distant future

@greysteil - any news on that? It's almost 2025 :p

[greysteil]

Hey @vini-ppro, I'm afraid I'm no longer at GitHub, so I don't have any insight into this one. Hopefully one of the team will reply and let you know the plans for fine grained permissions / changes to the access to alerts UI.