Dealing with GitHub security alerts
Open, Needs Triage · Public

Description

It seems GitHub are making "security alerts" on repos more visible to those with rights... https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/

These relate to Ruby gems, Java, and NPM packages.

Manually copy-pasting the announcement into Phabricator security tasks does not scale; we should look at some way of processing/dealing with these. We would need a system that is more reliable. Maybe by having GitHub send an email handled by Phabricator, which would then create the tasks for us?

Reedy created this task. Nov 18 2017, 2:38 PM
Restricted Application added a subscriber: Aklapper. Nov 18 2017, 2:38 PM
Tgr added a subscriber: Tgr. Nov 18 2017, 9:59 PM
Reedy updated the task description. Nov 18 2017, 10:51 PM
Reedy added a comment. Nov 25 2017, 3:56 PM

https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/

You can choose to receive security alerts by email, in your web notifications, or in the GitHub user interface. The security alerts list the affected dependency and, in some cases, use machine learning to suggest a fix from the GitHub community.

Reedy added a comment. Nov 25 2017, 3:57 PM

Emailed for clarification...

Reedy added a comment. Nov 25 2017, 4:44 PM

https://help.github.com/articles/managing-alerts-for-vulnerable-dependencies-in-your-organization-s-repositories/

Organization owners and repository admins receive security alerts when GitHub detects a vulnerable dependency in an organization repository. You can specify additional organization members or teams to also receive security alerts for vulnerable dependencies.

This doesn't seem to be the case...

hashar updated the task description. Oct 19 2018, 8:54 PM

When it comes to creating [non-public] tasks per email, T87611 comes to my mind...

From memory, when I suggested emailbot for something else it was apparently a bit hacky and not recommended for expanding its use, although I'm not sure whether trying something like a custom Maniphest Application email, a private space and a Herald would be classed as any less hacky.