Feature request: Per-repo default collaborators on GitHub Security Advisories #63041
Replies: 6 comments 3 replies
@sethmlarson understood on the feedback re: organization owners. We find most folks rely on repository owners to do what you've described. Does that work for you? Would be good to better understand your scenarios here.
I've seen this same problem on a project that I contribute to. There are 10 people who automatically get added as collaborators on every GHSA, which is more than is really necessary. Security issues are usually handled by a smaller group of 3 or 4 people. And I don't think the answer is to reduce the number of organization owners, because it's a collaborative project with different specialities: some people are experts on features, or documentation, or the build system, or the release process - they own the project just as much as the security people do. So it would be great if we could designate a smaller "security" group who get added to GHSAs.
I think there should be an option to select which group is the default collaboration group, not just owners. I am the project owner for a small team, but we have several developers who need to be added via our security group as collaborators. Issues end up sitting unaccepted in triage because I do not look at GitHub daily; I just manage the project, setups and configurations.
In our case (the Mastodon organisation), we have a security team on GitHub, and would like this team to be automatically added (and notified) to any reported or created advisory. At the moment, this relies on the various repo admins properly adding the team manually, and it has made us miss a few advisories :(
My org also has this problem... a small group of us handles GitHub admin work, and a larger group handles GHSAs. We have to add the larger group to GHSAs manually (currently working on automation that uses polling to check for new advisories). It would be nice to configure a group that gets auto-added to all GHSAs.
We would like this for the curl project. Owners may not be on the security team. The security team should be the default team.
Topic area: Product Feedback
Currently, GitHub Security Advisories have the owners of the repository/organization assigned as collaborators when a new GHSA is opened. However, for many organizations it's common that the owners of the organization aren't the same people who would triage and respond to the security vulnerability; typically the folks triaging security vulnerabilities are the people who maintain the individual project(s).
This means projects wanting to use GHSA either need to have owners manually add the correct team/individuals to triage security vulnerabilities, or create their own automation using the new REST APIs for GHSA to add default teams to draft advisories.
I propose a feature that would make adopting GHSA for multi-project organizations more straightforward: being able to configure default collaborators for security advisories per-repository. This could be done in the "Code security & analysis" section of repository settings.
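The workaround that the opening post and the "polling automation" comment above both describe, as an added example (this is not code from the discussion, from any of the projects named in it, or from GitHub): poll the repository's advisories and add a default security team, and optionally named users, to every draft or triage-stage advisory that does not already have them. The example assumes the repository security advisories REST endpoints (`GET` and `PATCH /repos/{owner}/{repo}/security-advisories[/{ghsa_id}]`) and their `collaborating_teams` / `collaborating_users` fields as documented by GitHub; the org, repo and team names, the `GHSA-xxxx-...` identifiers and the sample advisory list are constructed for the demonstration and are not real.

```python
"""Reconcile default collaborators onto a repo's GitHub Security Advisories.

Added example, not code from the discussion or from GitHub. Assumed (from the
REST API docs for repository security advisories):
  GET   /repos/{owner}/{repo}/security-advisories
  PATCH /repos/{owner}/{repo}/security-advisories/{ghsa_id}
with advisory objects carrying `state`, `ghsa_id`, `collaborating_teams`
(team objects with a `slug`) and `collaborating_users` (user objects with a
`login`). Everything below named example-*, `security` or GHSA-xxxx-* is made up.
"""
import json
import os
import urllib.request

API = "https://api.github.com"

# Constructed sample, shaped like the list endpoint's JSON response.
SAMPLE_ADVISORIES = [
    {"ghsa_id": "GHSA-xxxx-xxxx-0001", "state": "triage",          # reporter-submitted
     "collaborating_teams": [], "collaborating_users": [{"login": "org-owner"}]},
    {"ghsa_id": "GHSA-xxxx-xxxx-0002", "state": "draft",           # already has the team
     "collaborating_teams": [{"slug": "security"}], "collaborating_users": []},
    {"ghsa_id": "GHSA-xxxx-xxxx-0003", "state": "published",       # no longer needs triage
     "collaborating_teams": [], "collaborating_users": []},
]


def missing_collaborators(advisory, want_teams, want_users):
    """Return (team slugs, user logins) that `advisory` still lacks."""
    have_teams = {t["slug"] for t in advisory.get("collaborating_teams") or []}
    have_users = {u["login"] for u in advisory.get("collaborating_users") or []}
    return sorted(set(want_teams) - have_teams), sorted(set(want_users) - have_users)


def plan_updates(advisories, want_teams, want_users=()):
    """Map ghsa_id -> PATCH payload for every advisory missing a default collaborator.

    Only draft and triage-stage advisories are touched; published, closed and
    withdrawn ones no longer need responders added. Each payload sends the
    union of existing and wanted collaborators, so nobody already on the
    advisory is dropped regardless of whether the API replaces or merges lists.
    """
    updates = {}
    for adv in advisories:
        if adv.get("state") not in ("draft", "triage"):
            continue
        miss_teams, miss_users = missing_collaborators(adv, want_teams, want_users)
        if not miss_teams and not miss_users:
            continue
        payload = {}
        if miss_teams:
            have = {t["slug"] for t in adv.get("collaborating_teams") or []}
            payload["collaborating_teams"] = sorted(have | set(want_teams))
        if miss_users:
            have = {u["login"] for u in adv.get("collaborating_users") or []}
            payload["collaborating_users"] = sorted(have | set(want_users))
        updates[adv["ghsa_id"]] = payload
    return updates


def _request(method, path, token, body=None):
    """Minimal authenticated call against the GitHub REST API (stdlib only)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def reconcile(owner, repo, want_teams, want_users, token):
    """One polling pass: list advisories, PATCH the ones that need collaborators.

    Fetches one page (per_page=100); a repo with more open drafts than that
    would need to follow the Link header for further pages.
    """
    advisories = _request(
        "GET", f"/repos/{owner}/{repo}/security-advisories?per_page=100", token)
    updates = plan_updates(advisories, want_teams, want_users)
    for ghsa_id, payload in updates.items():
        _request("PATCH", f"/repos/{owner}/{repo}/security-advisories/{ghsa_id}",
                 token, payload)
    return updates


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # needs write access to repository security advisories
    if token:
        print(reconcile("example-org", "example-repo", ["security"], [], token))
    else:  # offline: show what a pass would PATCH for the constructed sample
        print(json.dumps(plan_updates(SAMPLE_ADVISORIES, ["security"]), indent=2))
```

Run it on a schedule (a cron-triggered GitHub Actions job is the natural home) with a token that has write access to repository security advisories; because `plan_updates` is idempotent and skips advisories that already carry the team, repeated passes do nothing once every open advisory is covered. Keeping the planning logic separate from the HTTP calls is what makes it testable without a token.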