Document Way To Subscribe To Security Alerts

Open alexfinnarn opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? Please describe.

My team uses Slack to get alerts from various places. I like the security features of GitHub for separating dependency updates into regular and security updates, but I'm not sure how to only subscribe to security issues.

I realize permissions come into play here, but if the authorized user has access to security alerts then I think it's their own fault if they open up notifications to people who are not supposed to see them.

Describe the solution you'd like

/github subscribe org/repo security-alerts

Describe alternatives you've considered

I think I can use a bot to add a "security" label and then subscribe to that label, but I'm not sure how I'd accomplish that yet and it seems like a lot of work when I imagine many people would like this feature.

Additional context

You may already be able to do this with the tool, but I can't find it in the configuration section. So at least some documentation should be added to let people know how to do this.

alexfinnarn avatar Jun 04 '21 16:06 alexfinnarn

@alexfinnarn subscribing to security alerts is not a feature that the GitHub Slack app offers. You can subscribe to pulls and get notifications for automatic PRs created by tools like Dependabot to mitigate security alerts. Also consider using proper labels for more filtering.

apurva1112 avatar Jun 10 '21 11:06 apurva1112

Thanks for the reply. We already get the Dependabot PR notices and have a label placed on them, but I think we'd have to build a bot to check and see if the update was a security release and then put a label on that which would trigger the Slack notification.

So, I can think of a workaround, but since GitHub does know which items are security releases, I'm wondering if this can be a feature added or not.

I think many people would find filtering by type of Dependabot update useful, but if it's not on the roadmap or can't be added to a backlog, then you can close the issue.

alexfinnarn avatar Jun 10 '21 14:06 alexfinnarn
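The workaround described in the post above, a bot that checks whether a Dependabot PR actually closes an open security alert and then applies a label that a label subscription can filter on, as an added Python example that is not part of the GitHub Slack app or of this thread. The alert record shape is an assumption modelled on GitHub's Dependabot alerts REST API, the GHSA ids are placeholders, and the label names are assumed.

```python
import re
from typing import Optional

# Constructed sample alerts (not real data). Their shape is an assumption modelled
# on GitHub's GET /repos/{owner}/{repo}/dependabot/alerts; GHSA ids are placeholders.
SAMPLE_ALERTS = [
    {"state": "open",  # unresolved: a PR bumping lodash to >= 4.17.21 fixes it
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0001"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "lodash"},
                                "first_patched_version": {"identifier": "4.17.21"}}},
    {"state": "fixed",  # already resolved, so it must not trigger the label
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0002"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "minimist"},
                                "first_patched_version": {"identifier": "1.2.6"}}},
    {"state": "open",  # no patched release yet, so no bump can close it
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0003"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "leftpad"},
                                "first_patched_version": None}},
]

# Single-dependency Dependabot titles read "Bump <pkg> from <old> to <new>[ in /path]";
# grouped updates ("Bump a and b") are not parsed and only get the base label.
TITLE_RE = re.compile(r"^Bump (?P<pkg>\S+) from (?P<old>\S+) to (?P<new>\S+)")

def version_key(version: str) -> tuple:
    """Numeric comparison key; adequate for plain x.y.z release strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_title(title: str) -> Optional[dict]:
    m = TITLE_RE.match(title)
    return m.groupdict() if m else None

def fixed_alerts(title: str, alerts: list) -> list:
    """GHSA ids of open alerts on this package that the PR's new version satisfies."""
    pr = parse_title(title)
    if pr is None:
        return []
    hits = []
    for alert in alerts:
        vuln = alert["security_vulnerability"]
        patched = (vuln.get("first_patched_version") or {}).get("identifier")
        if (alert["state"] == "open" and patched and vuln["package"]["name"] == pr["pkg"]
                and version_key(pr["new"]) >= version_key(patched)):
            hits.append(alert["security_advisory"]["ghsa_id"])
    return hits

def labels_for_pr(title: str, alerts: list) -> list:
    """Labels the bot applies; "security" only when the PR closes an open alert."""
    return ["dependencies", "security"] if fixed_alerts(title, alerts) else ["dependencies"]
```

In a real bot the alert list comes from the repository's Dependabot alerts endpoint and the returned labels are applied to the PR, after which the label-based subscription discussed in this thread does the Slack filtering.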

👍🏻 This is a feature I'd like as well!

getsec avatar Nov 16 '21 01:11 getsec

@apurva1112 Just checking on this one as it came up in a discussion, and the issue is still open. Is there any progress on this issue?

If "proper labels for more filtering" is the answer, it might be nice to add a bit of documentation and/or link to some docs from this issue. Then, close the issue.

But if there is now a command for this feature, I can help test it out.

alexfinnarn avatar Jun 20 '22 13:06 alexfinnarn