I have several posts discussing GitHub Advanced Security, but a practical question I get often is: “Who can access the alerts on each repository?”
I hope to answer that with this permissions / access requirements chart!
This chart is loosely based on the one from GitHub, with a few additions, modifications, and clarifications.
| Feature | Read, Triage | Write | Maintain | Admin | Security Mgr | Org Owner |
|---|---|---|---|---|---|---|
| Receive Dependabot alerts | | | | X | X | X |
| Dismiss Dependabot alerts | | | | X | X | X |
| Designate others to receive security alerts | | | | X | X | X |
| Create security advisories | | | | X | X | X |
| Manage access to GHAS features in the repo | | | | X | X | X |
| Enable the dependency graph | | | | X | X | X |
| View dependency reviews | X | X | X | X | X | X |
| View code scanning alerts on pull requests | X | X | X | X | X | X |
| Manage code scanning alerts | | X | X | X | X | X |
| View secret scanning alerts in a repository | | X | X | X | X | X |
| Manage secret scanning alerts | | X | X | X | X | X |
| Access to the org’s security overview | | | | | X | X |
| Access to the enterprise’s security overview | | | | | X | X |
| Manage GHAS features at org level | | | | | X | X |
| Designate Security Managers | | | | | | X |
| Read access to repo(s) | X | X | X | X | X | X |
| Write access to repo(s) | | X | X | X | | X |
- Repository writers and maintainers can only see alert information for their own commits
- At the enterprise security overview level, you only see organizations to which you have been added as an org owner or security manager
- Security managers get read-only access to every repository in the organization
- This chart primarily focuses on GitHub Advanced Security in GitHub Enterprise Cloud
Security alerts for a repository are visible to people with admin access to the repository and, when the repository is owned by an organization, organization owners. You can also give additional teams and people access to the alerts.
When adding users to be able to view security alerts, there is a bit of text that explains (emphasis mine):
> Admins, users, and teams in the list below have permission to view and manage code scanning, Dependabot, or secret scanning alerts. These users may be notified when a new vulnerability is found in one of this repository’s dependencies and when a secret or key is checked in. They will also see additional details when viewing Dependabot security updates. Individuals can manage how they receive these alerts in their notification settings.
Note: Organization owners and repository administrators can only grant access to view security alerts, such as secret scanning alerts, to people or teams who have write access to the repo.
Organization administrators can create Custom Repository Roles to customize and fine-tune different permission sets that repository administrators can grant. For example, I want to create a role that allows users to have Write access AND be able to view/dismiss Dependabot Alerts:
Custom repository roles - creating a custom role to allow viewing/managing of Dependabot alerts
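To make the chart and the custom-role idea above checkable, here is an added example (my own code, not from GitHub or this post) that encodes the chart as data, resolves a principal's effective capabilities from their repository role plus any org-level role, models a custom role as a base role plus extra capabilities, and then audits a constructed collaborator list to answer "who can dismiss Dependabot alerts on this repo?". The collaborator logins, the `write-plus-dependabot` custom role, and the capability names are constructed for the example; the model deliberately does not capture the "own commits only" footnote for writers/maintainers or the rule that alert access can only be granted to people who already have write access.

```python
"""Effective-permission model of the GHAS alert chart above (added example, not GitHub's code)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Repository roles in increasing order of privilege; each role includes the ones before it.
REPO_ROLES = ["read", "triage", "write", "maintain", "admin"]

# Minimum repository role for each capability, transcribed from the chart.
# Capability names are my own labels for the chart rows.
REPO_MIN_ROLE = {
    "read_repo": "read",
    "view_dependency_reviews": "read",
    "view_code_scanning_alerts_on_prs": "read",
    "write_repo": "write",
    "manage_code_scanning_alerts": "write",
    "view_secret_scanning_alerts": "write",
    "manage_secret_scanning_alerts": "write",
    "receive_dependabot_alerts": "admin",
    "dismiss_dependabot_alerts": "admin",
    "designate_alert_recipients": "admin",
    "create_security_advisories": "admin",
    "manage_repo_ghas_features": "admin",
    "enable_dependency_graph": "admin",
}

# Capabilities that exist only at the organization / enterprise level.
ORG_ONLY_CAPS = {
    "org_security_overview": {"security_manager", "org_owner"},
    "enterprise_security_overview": {"security_manager", "org_owner"},
    "manage_org_ghas_features": {"security_manager", "org_owner"},
    "designate_security_managers": {"org_owner"},
}


def caps_for_repo_role(role: str | None) -> set[str]:
    """Capabilities implied by a repository role (None = no direct access)."""
    if role is None:
        return set()
    rank = REPO_ROLES.index(role)
    return {cap for cap, min_role in REPO_MIN_ROLE.items()
            if REPO_ROLES.index(min_role) <= rank}


# Org-level roles apply to every repository in the org: a security manager gets
# read access plus every alert capability but not write; an org owner gets everything.
ORG_ROLE_REPO_CAPS = {
    "security_manager": caps_for_repo_role("admin") - {"write_repo"},
    "org_owner": caps_for_repo_role("admin"),
}


@dataclass
class CustomRole:
    """A custom repository role: a base role plus additional capabilities."""
    name: str
    base: str
    extra: set[str] = field(default_factory=set)


@dataclass
class Principal:
    login: str
    repo_role: str | CustomRole | None = None
    org_roles: set[str] = field(default_factory=set)


def effective_caps(p: Principal) -> set[str]:
    """Union of what the repo role and every org-level role grant."""
    if isinstance(p.repo_role, CustomRole):
        caps = caps_for_repo_role(p.repo_role.base) | set(p.repo_role.extra)
    else:
        caps = caps_for_repo_role(p.repo_role)
    for org_role in p.org_roles:
        caps |= ORG_ROLE_REPO_CAPS[org_role]
        caps |= {cap for cap, roles in ORG_ONLY_CAPS.items() if org_role in roles}
    return caps


def who_can(principals: list[Principal], cap: str) -> list[str]:
    """Audit helper: sorted logins whose effective capabilities include `cap`."""
    return sorted(p.login for p in principals if cap in effective_caps(p))


# Hypothetical custom role: Write access plus viewing/dismissing Dependabot alerts.
WRITE_PLUS_DEPENDABOT = CustomRole(
    "write-plus-dependabot", base="write",
    extra={"receive_dependabot_alerts", "dismiss_dependabot_alerts"})

# Constructed collaborator list (not real accounts).
COLLABORATORS = [
    Principal("alice", repo_role="read"),
    Principal("bob", repo_role="write"),
    Principal("carol", repo_role="admin"),
    Principal("dave", org_roles={"security_manager"}),   # no direct repo role
    Principal("erin", repo_role=WRITE_PLUS_DEPENDABOT),
]

if __name__ == "__main__":
    for cap in ("dismiss_dependabot_alerts", "view_secret_scanning_alerts", "write_repo"):
        print(f"{cap}: {', '.join(who_can(COLLABORATORS, cap))}")
```

Running it shows the two points the chart makes that people most often miss: `dave` can dismiss Dependabot alerts through the Security Manager role without holding any repository role and without write access, and `erin` gets the same alert capability from a custom role built on Write, which is exactly the role described above.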
| Date | Change |
|---|---|
| Mar 11 2021 | Adding section about security alerts |
| Mar 08 2021 | Initial post |