REST API for retrieving and adding security advisory comments.

[gtjoseph]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

API

Body

There doesn't seem to be a way to retrieve existing comments from a security advisory or add new comments using the REST API. Am I'm missing something?

[DEVAL-020]

Hi,

As far as I can tell, you're not missing anything.

GitHub's REST API provides endpoints for working with security advisories themselves (depending on scope and permissions), but I have not found any REST endpoints that allow you to list, create, update, or delete comments associated with a security advisory discussion.

If your goal is to access advisory comments programmatically, you may want to check whether the functionality is exposed through the GraphQL API instead. Some GitHub features become available in GraphQL before equivalent REST endpoints exist.

It's also possible that advisory comments are currently only available through the web interface and are not exposed through either public API.

If someone from GitHub can confirm, I'd be interested to know whether:

• Advisory comments are available via GraphQL but not REST.
• There are any preview or undocumented endpoints.
• API support for advisory comments is planned for the future.

Based on the current public REST API documentation, I don't see a supported endpoint for retrieving or adding security advisory comments.

[DKP-RGB]

I don't think you're missing anything. I looked into this before, and as far as I know, the REST API doesn't currently support retrieving or creating comments on security advisories.

I was expecting those endpoints to exist too, but it seems comment management is only available through the GitHub UI right now. If you need to automate that workflow, there doesn't seem to be an official REST API for it yet.

It would definitely be a nice addition since a lot of security review processes could benefit from API support.

[yuanyuan-qwq]

I don’t think you’re missing anything. The REST API currently supports listing/getting/creating/updating repository security advisories, requesting CVEs, etc., but I don’t see any endpoints for reading or creating advisory comments.

So unless there’s an undocumented/internal endpoint, it looks like advisory comments aren’t exposed through the REST API today. This would probably need to be a feature request.