Comments (15)
Just checking in the status of this issue/request. I know there has a been changes to dependabot alert persistence and GraphQL API in the recent months, and I was curious if the new features are enough to enable syncing of dependabot alerts now?
from ghas-jira-integration.
Any update to adding Dependabot alerts?
from ghas-jira-integration.
Any progress on dependabot alerts?
from ghas-jira-integration.
The secret scanning PR has been thoroughly tested. I'll try to get other feedback this week so it can be merged asap!
from ghas-jira-integration.
Howdy @mario-campos!! In the case of Dependabot, I don't see any issues with syncing the Dependabot alerts, but when it comes to having a clear source of truth, it may possibly lead to confusion at first. For example, there would be a Jira issue mapped to some resolved Dependabot alert (because it was open and was synced to Jira at some point) but there's no indication of a resolved alert in the UI or in the endpoint. Because we know how Dependabot security updates treats resolved alerts, we can say/assume the alert was resolved and deleted and implement such logic in this integration. We could definitely make it work, but it's a bit weird to see that inconsistency. For the gh2jira
mechanism, the source of truth is on GitHub, so the lack in UI consistency could cause some confusion. If users are doing the bidirectional sync, the Dependabot sync is fine, given the constraints mentioned. But then again, re-opening a Jira issue for a Dependabot alert does not/would not re-open the Dependabot alert in GitHub because the alert doesn't exist and besides, dismissed alerts can't be re-opened anyways. Ok yea my brain hurts 🧠
So if we could retain alerts... THAT WOULD BE THE BEST INTERNET CHRISTMAS GIFT EVER. 🌴
Simplification is key but I am getting many requests to get Dependabot alerts integrated, so I will work on that asap.
For anyone else reading.. apologies for the delay! Hang in there. 💟
But yeah if a user has Dependabot security updates enabled, that's perfect because we can easily sync it, such as the integration mentioned above. Definitely recommend that approach for now if at all possible.
from ghas-jira-integration.
They ran a comprehensive GHAS evaluation, and the ability to create JIRA tickets for Dependabot alerts was the only unsuccessful piece of the evaluation.
@pladuke Who ran a GHAS evaluation? A customer of yours our a team within GitHub? Does this mean this feature will be worked on?
from ghas-jira-integration.
For secret scanning, I'm giving this one another review before approving and merging: #7
For Dependabot, unfortunately we currently delete resolved alerts on our end, so it would be a partial sync, which some people may be fine with, some others not so much. I'd prefer the sync to be consistent as well, so source of truth/historical data should be on the GitHub side. I believe the Dependabot team is working on retaining the resolved alerts which would be helpful for this integration as well as anyone who is looking to view the historical data on resolved alerts.
from ghas-jira-integration.
Resolved Dependabot alerts are still not retained, but there are ways to sync the actual security/updates: https://github.com/namin2/dependabot_jira
from ghas-jira-integration.
@cmboling, why does Dependabot not retaining alerts after being resolved pose a problem?
from ghas-jira-integration.
I also changed the title since we already got the secret scanning stuff merge 😄
from ghas-jira-integration.
Bump -> Any progress on dependabot alerts?
from ghas-jira-integration.
Dependabot adding API support in Q3 might remove some blockers here - github/roadmap#495
from ghas-jira-integration.
With Code Scanning alerts now being part of the Jira Application, does the development effort for Dependabot sync make more sense to occur here or there?
from ghas-jira-integration.
Any updates here? This would greatly streamline my Jira workflow.
from ghas-jira-integration.
We just received a tech win for 300 GHAS licenses (Synk SCA takeout). Dependabot alert integration with JIRA was the one that we failed to deliver on.
@pladuke
What does that mean?
from ghas-jira-integration.
Related Issues (20)
- Security Vulnerability HOT 4
- unable to fetch alerts from github HOT 1
- Weird behavior when trying to sync alerts to jira
- 403 when accessing secret scanning alerts HOT 1
- SSLError on Jira api connect HOT 1
- Issue type support HOT 4
- Jira ticket Priority HOT 1
- Default GITHUB_TOKEN permissions are not not enough to fetch alerts HOT 6
- Support for custom fields
- Add support for component
- Add support for issue severity. HOT 2
- Weird error when fetching from JIRA HOT 3
- Re-Open Jira issues HOT 1
- Ability to Run Workflow for Whole Organization vs individual Repos
- Jira access token
- Missing Package Running Locally HOT 1
- Workflows failing with "The issue type selected is invalid" HOT 3
- Feature Request - include additional details in the jira ticket
- Workflow enhancements .
- ImportError: cannot import name 'url_quote' from 'werkzeug.urls' HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ghas-jira-integration.