-
Notifications
You must be signed in to change notification settings - Fork 763
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for disabling the use of the vulnerability management endpoint #1022
Add support for disabling the use of the vulnerability management endpoint #1022
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really like this PR as it opens us up to more use cases and I've had friction with inconsistent vulnerability alert support across environments in the past.
I suggest we generalize ignore_vulnerability_alerts_during_read
to something like privileged
so we can reuse the flag for other cases that may arise or already exist.
Keeping this queued for an upcoming release for now in case there is more input from the community. Overall on board though and anticipate this shipping this quarter.
I think if we want to use a generic and overloaded term such as |
I'm a bit confused why the checks aren't running on this PR. Maybe they'll trigger with a comment? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm dumb; the checks weren't running because they didn't exist at the point when this PR was opened. I've now updated this branch with main
and made a small change for gofmt
purposes.
I agree with @majormoses regarding the term privileged, and I think it makes sense to take this as-is now and adjust the flag later if need be.
…point (integrations#1022) * Add support for disabling the use of the vulnerability management endpoint * Run make lint Co-authored-by: Keegan Campbell <[email protected]>
…point (integrations#1022) * Add support for disabling the use of the vulnerability management endpoint * Run make lint Co-authored-by: Keegan Campbell <[email protected]>
This PR adds a flag to disable reading the GetVulnerabilityAlerts alerts endpoint on refresh which prevents terraform from running least privileges in the plan phase.
The endpoint
GET /repos/:owner/:repo/vulnerability-alerts
needs administration :write permissions when using a Github App to deploy. In the plan phase this is unwanted because it forces us to expose high privileged secrets to branch builds rather than just to the main build.