# repository_advisories

Creates, updates, deletes, gets or lists a repository_advisories resource.
## Overview

| Property | Value |
|---|---|
| Name | repository_advisories |
| Type | Resource |
| Id | github.security_advisories.repository_advisories |
## Fields

The following fields are returned by SELECT queries:
- get_repository_advisory
- list_repository_advisories
- list_org_repository_advisories
### Response

| Name | Datatype | Description |
|---|---|---|
| cve_id | string | The Common Vulnerabilities and Exposures (CVE) ID. |
| ghsa_id | string | The GitHub Security Advisory ID. |
| author | object | The author of the advisory. (title: Simple User) |
| closed_at | string (date-time) | The date and time of when the advisory was closed, in ISO 8601 format. |
| collaborating_teams | array | A list of teams that collaborate on the advisory. |
| collaborating_users | array | A list of users that collaborate on the advisory. |
| created_at | string (date-time) | The date and time of when the advisory was created, in ISO 8601 format. |
| credits | array | |
| credits_detailed | array | |
| cvss | object | |
| cvss_severities | object | |
| cwe_ids | array | A list of only the CWE IDs. |
| cwes | array | |
| description | string | A detailed description of what the advisory entails. |
| html_url | string (uri) | The URL for the advisory. |
| identifiers | array | |
| private_fork | object | A temporary private fork of the advisory's repository for collaborating on a fix. (title: Simple Repository) |
| published_at | string (date-time) | The date and time of when the advisory was published, in ISO 8601 format. |
| publisher | object | The publisher of the advisory. (title: Simple User) |
| severity | string | The severity of the advisory. (critical, high, medium, low) |
| state | string | The state of the advisory. (published, closed, withdrawn, draft, triage) |
| submission | object | |
| summary | string | A short summary of the advisory. |
| updated_at | string (date-time) | The date and time of when the advisory was last updated, in ISO 8601 format. |
| url | string (uri) | The API URL for the advisory. |
| vulnerabilities | array | |
| withdrawn_at | string (date-time) | The date and time of when the advisory was withdrawn, in ISO 8601 format. |
## Methods

The following methods are available for this resource:

| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get_repository_advisory | select | owner, repo, ghsa_id | | Get a repository security advisory using its GitHub Security Advisory (GHSA) identifier. Anyone can access any published security advisory on a public repository. The authenticated user can access an unpublished security advisory from a repository if they are a security manager or administrator of that repository, or if they are a collaborator on the security advisory. OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:read scope to get a published security advisory in a private repository, or any unpublished security advisory that the authenticated user has access to. |
| list_repository_advisories | select | owner, repo | direction, sort, before, after, per_page, state | Lists security advisories in a repository. The authenticated user can access unpublished security advisories from a repository if they are a security manager or administrator of that repository, or if they are a collaborator on any security advisory. OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:read scope to get a published security advisory in a private repository, or any unpublished security advisory that the authenticated user has access to. |
| list_org_repository_advisories | select | org | direction, sort, before, after, per_page, state | Lists repository security advisories for an organization. The authenticated user must be an owner or security manager for the organization to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:write scope to use this endpoint. |
| create_repository_advisory_cve_request | insert | owner, repo, ghsa_id | | If you want a CVE identification number for the security vulnerability in your project, and don't already have one, you can request a CVE identification number from GitHub. For more information, see "Requesting a CVE identification number." You may request a CVE for public repositories, but cannot do so for private repositories. In order to request a CVE for a repository security advisory, the authenticated user must be a security manager or administrator of that repository. OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:write scope to use this endpoint. |
| create_repository_advisory | insert | owner, repo, summary, description, vulnerabilities | | Creates a new repository security advisory. In order to create a draft repository security advisory, the authenticated user must be a security manager or administrator of that repository. OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:write scope to use this endpoint. |
| update_repository_advisory | update | owner, repo, ghsa_id | | Update a repository security advisory using its GitHub Security Advisory (GHSA) identifier. In order to update any security advisory, the authenticated user must be a security manager or administrator of that repository, or a collaborator on the repository security advisory. OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:write scope to use this endpoint. |
## Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

| Name | Datatype | Description |
|---|---|---|
| ghsa_id | string | The GHSA (GitHub Security Advisory) identifier of the advisory. |
| org | string | The organization name. The name is not case sensitive. |
| owner | string | The account owner of the repository. The name is not case sensitive. |
| repo | string | The name of the repository without the .git extension. The name is not case sensitive. |
| after | string | A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API." |
| before | string | A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API." |
| direction | string | The direction to sort the results by. |
| per_page | integer | The number of advisories to return per page. For more information, see "Using pagination in the REST API." |
| sort | string | The property to sort the results by. |
| state | string | Filter by the state of the repository advisories. Only advisories of this state will be returned. |
## SELECT examples
- get_repository_advisory
- list_repository_advisories
- list_org_repository_advisories
Get a repository security advisory using its GitHub Security Advisory (GHSA) identifier.
Anyone can access any published security advisory on a public repository.
The authenticated user can access an unpublished security advisory from a repository if they are a security manager or administrator of that repository, or if they are a collaborator on the security advisory.
OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:read scope to get a published security advisory in a private repository, or any unpublished security advisory that the authenticated user has access to.

```sql
SELECT
  cve_id,
  ghsa_id,
  author,
  closed_at,
  collaborating_teams,
  collaborating_users,
  created_at,
  credits,
  credits_detailed,
  cvss,
  cvss_severities,
  cwe_ids,
  cwes,
  description,
  html_url,
  identifiers,
  private_fork,
  published_at,
  publisher,
  severity,
  state,
  submission,
  summary,
  updated_at,
  url,
  vulnerabilities,
  withdrawn_at
FROM github.security_advisories.repository_advisories
WHERE owner = '{{ owner }}' -- required
  AND repo = '{{ repo }}' -- required
  AND ghsa_id = '{{ ghsa_id }}' -- required
;
```
Lists security advisories in a repository.
The authenticated user can access unpublished security advisories from a repository if they are a security manager or administrator of that repository, or if they are a collaborator on any security advisory.
OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:read scope to get a published security advisory in a private repository, or any unpublished security advisory that the authenticated user has access to.

```sql
SELECT
  cve_id,
  ghsa_id,
  author,
  closed_at,
  collaborating_teams,
  collaborating_users,
  created_at,
  credits,
  credits_detailed,
  cvss,
  cvss_severities,
  cwe_ids,
  cwes,
  description,
  html_url,
  identifiers,
  private_fork,
  published_at,
  publisher,
  severity,
  state,
  submission,
  summary,
  updated_at,
  url,
  vulnerabilities,
  withdrawn_at
FROM github.security_advisories.repository_advisories
WHERE owner = '{{ owner }}' -- required
  AND repo = '{{ repo }}' -- required
  AND direction = '{{ direction }}'
  AND sort = '{{ sort }}'
  AND before = '{{ before }}'
  AND after = '{{ after }}'
  AND per_page = '{{ per_page }}'
  AND state = '{{ state }}'
;
```
Lists repository security advisories for an organization.
The authenticated user must be an owner or security manager for the organization to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:write scope to use this endpoint.

```sql
SELECT
  cve_id,
  ghsa_id,
  author,
  closed_at,
  collaborating_teams,
  collaborating_users,
  created_at,
  credits,
  credits_detailed,
  cvss,
  cvss_severities,
  cwe_ids,
  cwes,
  description,
  html_url,
  identifiers,
  private_fork,
  published_at,
  publisher,
  severity,
  state,
  submission,
  summary,
  updated_at,
  url,
  vulnerabilities,
  withdrawn_at
FROM github.security_advisories.repository_advisories
WHERE org = '{{ org }}' -- required
  AND direction = '{{ direction }}'
  AND sort = '{{ sort }}'
  AND before = '{{ before }}'
  AND after = '{{ after }}'
  AND per_page = '{{ per_page }}'
  AND state = '{{ state }}'
;
```
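As an added example (not part of the StackQL documentation), the organization-wide listing above combined with the filters from the Parameters section, the way a security manager would use it to surface reports that have sat in triage longest. The organization name is a placeholder, and `sort = 'updated'` assumes the sort keys of the underlying GitHub REST endpoint, which this page does not enumerate.

```sql
-- Added example: advisories across an organization that are still in
-- triage, least recently touched first, so stale reports rise to the top.
-- 'example-org' is a placeholder; 'updated' is assumed to be a valid sort
-- key of the GitHub REST API (the page lists no sort values).
SELECT
  ghsa_id,
  summary,
  severity,
  state,
  created_at,
  updated_at,
  html_url
FROM github.security_advisories.repository_advisories
WHERE org = 'example-org'
  AND state = 'triage'       -- one of: published, closed, withdrawn, draft, triage
  AND sort = 'updated'
  AND direction = 'asc'
  AND per_page = '50'
;
```

The same query with `state = 'draft'` shows advisories a maintainer has accepted but not yet published; both are invisible to anyone without security manager, administrator or collaborator rights.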
## INSERT examples
- create_repository_advisory_cve_request
- create_repository_advisory
- Manifest
If you want a CVE identification number for the security vulnerability in your project, and don't already have one, you can request a CVE identification number from GitHub. For more information, see "Requesting a CVE identification number."
You may request a CVE for public repositories, but cannot do so for private repositories.
In order to request a CVE for a repository security advisory, the authenticated user must be a security manager or administrator of that repository.
OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:write scope to use this endpoint.

```sql
INSERT INTO github.security_advisories.repository_advisories (
  owner,
  repo,
  ghsa_id
)
SELECT
  '{{ owner }}',
  '{{ repo }}',
  '{{ ghsa_id }}'
;
```
Creates a new repository security advisory.
In order to create a draft repository security advisory, the authenticated user must be a security manager or administrator of that repository.
OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:write scope to use this endpoint.

```sql
INSERT INTO github.security_advisories.repository_advisories (
  summary,
  description,
  cve_id,
  vulnerabilities,
  cwe_ids,
  credits,
  severity,
  cvss_vector_string,
  start_private_fork,
  owner,
  repo
)
SELECT
  '{{ summary }}' /* required */,
  '{{ description }}' /* required */,
  '{{ cve_id }}',
  '{{ vulnerabilities }}' /* required */,
  '{{ cwe_ids }}',
  '{{ credits }}',
  '{{ severity }}',
  '{{ cvss_vector_string }}',
  {{ start_private_fork }},
  '{{ owner }}',
  '{{ repo }}'
RETURNING
  cve_id,
  ghsa_id,
  author,
  closed_at,
  collaborating_teams,
  collaborating_users,
  created_at,
  credits,
  credits_detailed,
  cvss,
  cvss_severities,
  cwe_ids,
  cwes,
  description,
  html_url,
  identifiers,
  private_fork,
  published_at,
  publisher,
  severity,
  state,
  submission,
  summary,
  updated_at,
  url,
  vulnerabilities,
  withdrawn_at
;
```
```yaml
# Description fields are for documentation purposes
- name: repository_advisories
  props:
    - name: owner
      value: "{{ owner }}"
      description: Required parameter for the repository_advisories resource.
    - name: repo
      value: "{{ repo }}"
      description: Required parameter for the repository_advisories resource.
    - name: ghsa_id
      value: "{{ ghsa_id }}"
      description: Required parameter for the repository_advisories resource.
    - name: summary
      value: "{{ summary }}"
      description: |
        A short summary of the advisory.
    - name: description
      value: "{{ description }}"
      description: |
        A detailed description of what the advisory impacts.
    - name: cve_id
      value: "{{ cve_id }}"
      description: |
        The Common Vulnerabilities and Exposures (CVE) ID.
    - name: vulnerabilities
      description: |
        A product affected by the vulnerability detailed in a repository security advisory.
      value:
        - package:
            ecosystem: "{{ ecosystem }}"
            name: "{{ name }}"
          vulnerable_version_range: "{{ vulnerable_version_range }}"
          patched_versions: "{{ patched_versions }}"
          vulnerable_functions: "{{ vulnerable_functions }}"
    - name: cwe_ids
      value:
        - "{{ cwe_ids }}"
      description: |
        A list of Common Weakness Enumeration (CWE) IDs.
    - name: credits
      description: |
        A list of users receiving credit for their participation in the security advisory.
      value:
        - login: "{{ login }}"
          type: "{{ type }}"
    - name: severity
      value: "{{ severity }}"
      description: |
        The severity of the advisory. You must choose between setting this field or `cvss_vector_string`.
      valid_values: ['critical', 'high', 'medium', 'low']
    - name: cvss_vector_string
      value: "{{ cvss_vector_string }}"
      description: |
        The CVSS vector that calculates the severity of the advisory. You must choose between setting this field or `severity`.
    - name: start_private_fork
      value: {{ start_private_fork }}
      description: |
        Whether to create a temporary private fork of the repository to collaborate on a fix.
      default: false
```
## UPDATE examples
- update_repository_advisory
Update a repository security advisory using its GitHub Security Advisory (GHSA) identifier.
In order to update any security advisory, the authenticated user must be a security manager or administrator of that repository, or a collaborator on the repository security advisory.
OAuth app tokens and personal access tokens (classic) need the repo or repository_advisories:write scope to use this endpoint.

```sql
UPDATE github.security_advisories.repository_advisories
SET
  summary = '{{ summary }}',
  description = '{{ description }}',
  cve_id = '{{ cve_id }}',
  vulnerabilities = '{{ vulnerabilities }}',
  cwe_ids = '{{ cwe_ids }}',
  credits = '{{ credits }}',
  severity = '{{ severity }}',
  cvss_vector_string = '{{ cvss_vector_string }}',
  state = '{{ state }}',
  collaborating_users = '{{ collaborating_users }}',
  collaborating_teams = '{{ collaborating_teams }}'
WHERE
  owner = '{{ owner }}' -- required
  AND repo = '{{ repo }}' -- required
  AND ghsa_id = '{{ ghsa_id }}' -- required
RETURNING
  cve_id,
  ghsa_id,
  author,
  closed_at,
  collaborating_teams,
  collaborating_users,
  created_at,
  credits,
  credits_detailed,
  cvss,
  cvss_severities,
  cwe_ids,
  cwes,
  description,
  html_url,
  identifiers,
  private_fork,
  published_at,
  publisher,
  severity,
  state,
  submission,
  summary,
  updated_at,
  url,
  vulnerabilities,
  withdrawn_at;
```
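As an added example (not from the StackQL documentation), the create and update statements above filled in with constructed values: a draft advisory created with the nested `vulnerabilities` and `credits` structures the manifest describes, scored with `cvss_vector_string` rather than `severity` (the manifest says to set one or the other), and later moved to the published state once the fix has shipped. The repository, package, login and GHSA identifier are placeholders; the CWE ID and the CVSS vector are illustrative values chosen for a cross-site scripting bug.

```sql
-- Added example with constructed values. 'example-org', 'example-widget',
-- 'reporter-handle' and GHSA-xxxx-xxxx-xxxx are placeholders.
-- Step 1: open a draft advisory and a private fork to work on the fix.
-- Nested fields are passed as JSON strings, matching the quoted
-- '{{ vulnerabilities }}' placeholder in the documented INSERT.
INSERT INTO github.security_advisories.repository_advisories (
  summary,
  description,
  vulnerabilities,
  cwe_ids,
  credits,
  cvss_vector_string,   -- set this OR severity, not both
  start_private_fork,
  owner,
  repo
)
SELECT
  'Stored XSS in template rendering',
  'User-controlled content passed to renderTemplate() is not escaped before being inserted into the page.',
  '[{"package": {"ecosystem": "npm", "name": "example-widget"},
     "vulnerable_version_range": "< 2.4.1",
     "patched_versions": "2.4.1",
     "vulnerable_functions": ["renderTemplate"]}]',
  '["CWE-79"]',
  '[{"login": "reporter-handle", "type": "reporter"}]',
  'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N',  -- illustrative vector
  true,
  'example-org',
  'example-widget'
RETURNING ghsa_id, state, private_fork, html_url;

-- Step 2 (after the patched release is out): publish the advisory using the
-- ghsa_id returned by step 1. Only state changes; other fields are untouched.
UPDATE github.security_advisories.repository_advisories
SET
  state = 'published'
WHERE
  owner = 'example-org'
  AND repo = 'example-widget'
  AND ghsa_id = 'GHSA-xxxx-xxxx-xxxx'
RETURNING ghsa_id, state, published_at, html_url;
```

Both statements need a token with the repo or repository_advisories:write scope held by a security manager or administrator of the repository, as the method descriptions above state.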