Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for disabling the use of the vulnerability management endpoint #1022

Merged
merged 3 commits into from
Mar 25, 2022

Conversation

enieuw
Copy link
Contributor

@enieuw enieuw commented Dec 30, 2021

This PR adds a flag to disable reading the GetVulnerabilityAlerts alerts endpoint on refresh which prevents terraform from running least privileges in the plan phase.

The endpoint GET /repos/:owner/:repo/vulnerability-alerts needs administration :write permissions when using a Github App to deploy. In the plan phase this is unwanted because it forces us to expose high privileged secrets to branch builds rather than just to the main build.

@jcudit jcudit added this to the v4.20.0 milestone Jan 20, 2022
Copy link
Contributor

@jcudit jcudit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really like this PR as it opens us up to more use cases and I've had friction with inconsistent vulnerability alert support across environments in the past.

I suggest we generalize ignore_vulnerability_alerts_during_read to something like privileged so we can reuse the flag for other cases that may arise or already exist.

Keeping this queued for an upcoming release for now in case there is more input from the community. Overall on board though and anticipate this shipping this quarter.

@majormoses
Copy link
Contributor

I think if we want to use a generic and overloaded term such as privileged then we should explicitly define what this means. Both org and repository admins are privileged users in different contexts if this is generic this will make it hard to enable someone who wants to only use features that work with a repository admin but not an org admin.

@kfcampbell kfcampbell modified the milestones: v4.20.0, v4.21.0, v4.22.0 Mar 3, 2022
@kfcampbell
Copy link
Member

I'm a bit confused why the checks aren't running on this PR. Maybe they'll trigger with a comment?

@kfcampbell kfcampbell modified the milestones: v4.22.0, v4.23.0 Mar 18, 2022
Copy link
Member

@kfcampbell kfcampbell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm dumb; the checks weren't running because they didn't exist at the point when this PR was opened. I've now updated this branch with main and made a small change for gofmt purposes.

I agree with @majormoses regarding the term privileged, and I think it makes sense to take this as-is now and adjust the flag later if need be.

@kfcampbell kfcampbell merged commit a86f95d into integrations:main Mar 25, 2022
kfcampbell added a commit to kfcampbell/terraform-provider-github that referenced this pull request Jul 26, 2022
…point (integrations#1022)

* Add support for disabling the use of the vulnerability management endpoint

* Run make lint

Co-authored-by: Keegan Campbell <[email protected]>
kazaker pushed a commit to auto1-oss/terraform-provider-github that referenced this pull request Dec 28, 2022
…point (integrations#1022)

* Add support for disabling the use of the vulnerability management endpoint

* Run make lint

Co-authored-by: Keegan Campbell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants