Set Notifications Frequency for GitHub Advanced Security

[john-yacuta-submittable]

Select Topic Area

Question

Body

Is there a way in GitHub Advanced Security to create a frequency of notifications for critical/high findings, which includes Dependabot, Code scanning, and Secret scanning, for repository owners? I am getting feedback that repo owners are not getting notifications based on findings.

Use case: As an engineer, I want to be kept up to date on new findings of critical/high GitHub Advanced Security findings in my owned repositories such as a weekly basis on every Monday morning.

[GhostOf0days]

You can use cron jobs (see https://cronexpressiontogo.com/, https://medium.com/nerd-for-tech/lets-run-cron-jobs-using-github-actions-df64496ffc4a, and https://www.hostinger.com/tutorials/cron-job) in a Github workflow or create 'dependabot.yml' (also set up 'codeql.yml' if you want') in a folder called '.github', such as the following:

version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: 'npm'
    # Look for `package.json` and `lock` files in the `root` directory
    directory: '/'
    # Check the npm registry for updates every day (weekdays)
    schedule:
      interval: 'daily'
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: 'daily'
     ```

[john-yacuta-submittable]

Thanks for the quick reply! I noticed that this example is more about updating packages rather than notifying repository owners of critical/high vulnerabilities that require attention. Is there a way to configure dependabot.yml to just do notifications? I was reading this documentation but it does not mention notification configuration. Thanks!

[GhostOf0days]

Unfortunately, no to scheduling, but you can do notifications. You could set up the dependency graph (see https://github.blog/2017-11-16-introducing-security-alerts-on-github/, https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph, and https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). However, there is no current method to set up the frequency of notifications. I would try to see if there's an external tool to set up cron jobs for dependency and CVE alerts. Otherwise, your best bet is to build an in-house solution (which would be sunk time and costs for you).

[john-yacuta-submittable]

Also, I found this feature on a per repo basis that teams can be added to get access to security alerts: Granting access to security alerts
Im wondering if there is a similar feature in GH that can be enabled globally for an organization and it finds the repository owners and sends them alerts. Is there a page for feature requests in GItHub?

[GhostOf0days]

Unfortunately, there is no global setting or feature request page. Your best option is to create a support ticket and ask them to forward the feature request to the relevant team.

[GhostOf0days]

Your other option is to post in the discussions board (here), but, if I'm being honest, it's not great.