Re-Opening Security Alerts with Comments

[hiEntropy]

Select Topic Area

Product Feedback

Body

GHAS has been a great addition to our organization. Currently our efforts are focussed on automating vulnerability management tasks using GitHub webhooks.

Sometimes developers close alerts in ways that are not compliant with our vulnerability management process. To address this issue, we would like to re-open security alerts with a comment telling the developer why the ticket was re-opened and how to fix it. Currently, the API and UI do not support reopening a security alert with a comment. At the present time, the only way to achieve this is to:

1. re-open the closed ticket
2. then close the ticket with a comment
3. finally re-open the ticket

This is not very straightforward and is confusing to the intended audience.

Another avenue would be to create an issue in the repository. Unfortunately our developers do not utilize issues as a means of recording, prioritizing or executing work. Our security alerts would be the only issues in GitHub issues and would likely not get the attention they need.

A third option was to create a Jira ticket, which is were our developers prioritize work, but this is an out of band communication. In the past we have not had success with this method. GHAS being in the developer workflow has proved far superior to this solution.

I am requesting that support be added for re-opening security alerts via the API and web UI with a comment. This would make automating vulnerability management with GitHub much easier and effective.

[denisstrelnikov]

I would take this a step further. The ability to reopen with a comment is more of a temporary fix. Ideally, the alert page should include a comment form, similar to a PR, to allow discussion of details directly on the alert page.

[showlett-navex]

This would be super helpful at the alert level, it would allow us to add notes about expecting a fix if it is not simple and delayed by complexity, reference a ticket in our issue management apps, bring other folks into the conversation.

[intrepid-developer]

I would love to be able to make comments on the Alert as well and more easily create issues to complete any work.

[AlonaHlobina]

Hi @hiEntropy,
Thank you very much for the feedback and detailed explanation of your need. It is beneficial.
Currently, the team is investigating the possibility of the alert page including a comment functionality, similar to a PR, to allow the discussion directly on the alert page.
While we cannot provide a specific delivery date for this functionality, please rest assured that we are committed to meeting the needs of our customers. We understand the importance of effective communication and collaboration on alerts and are working on finding a way to provide a clear history of such interactions, which will be traced and appropriately displayed.
cc @erinhav @sj for visibility

[erinhav]

Thanks @AlonaHlobina! Hi all, I'm happy to report that secret scanning is shipping the ability to add an optional comment when reopening an alert, which should roll out over the next few days. This release is a stop-gap until we can figure out how to appropriately support the richer markdown comments that we truly need, in a way which can apply across our security products (to @AlonaHlobina's point). Please continue to raise this ask with your GitHub representative, as this is a non-trivial change which needs to be weighed against all of your other pressing feedback! 🙂