Global feed or filter for published repository-level security advisories (ecosystem-less) #198244
Replies: 1 comment
-
|
Thank you for your interest in contributing to our community! We currently only accept discussions created through the GitHub UI using our provided discussion templates. Please re-submit your discussion by navigating to the appropriate category and using the template provided. This discussion has been closed because it was not submitted through the expected format. If you believe this was a mistake, please reach out to the maintainers. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Problem
Repository security advisories that do not map to a supported package ecosystem (desktop applications, firmware, tooling) are published, publicly readable, and carry GitHub-CNA-assigned CVE IDs, but they are invisible to every aggregate discovery surface GitHub offers:
GET /advisories) does not return them, and notypeorecosystemfilter changes that (the reviewed database only accepts the supported package ecosystems)securityAdvisory(ghsaId:)returnsNOT_FOUNDfor themrepository_advisorywebhook only fires for repositories, orgs, or app installations you controlThe only discovery mechanism that works is polling
GET /repos/{owner}/{repo}/security-advisoriesfor every repository you care about. We currently poll a 10,000-repository watchlist every 3 hours with ETag conditional requests. It works, and conditional requests keep it cheap, but mass-polling public data is the wrong architecture for both sides.Concrete example: Notepad++
Notepad++ is one of the most widely deployed desktop applications on GitHub and publishes no package to a supported ecosystem, so its advisories are exactly this class. Verified today (2026-06-06):
GET /repos/notepad-plus-plus/notepad-plus-plus/security-advisoriesGET /advisoriescve_id, 404 by GHSA id)The last two rows are the sharpest version of the problem: published security advisories for a major desktop application, sitting in the window before CVE assignment/publication, with zero signal available from any feed, search surface, or event stream. During that window (typically days to weeks) the repository advisory itself is the only public record in existence. Anyone not already polling that specific repository finds out only when the CVE eventually lands in cvelistV5/NVD.
Ask
Any one of these would eliminate mass polling:
type=repositoryorecosystem=none, that returns published repository-level advisoriesrepository_advisory.publishedevent that does not require installation on each repositoryPrior discussions
This gap has come up before: #67871 (staff response indicated a global advisory feed was not on the near-term roadmap), #181073, #12226. Raising it again with concrete, current examples because these advisories have no other public feed anywhere: the per-repo API is load-bearing for the entire ecosystem's visibility into this class of vulnerability.
Beta Was this translation helpful? Give feedback.
All reactions