Repository security advisories
Use the REST API to view and manage repository security advisories.
List repository security advisories
Lists security advisories in a repository.
You must authenticate using an access token with the repo
scope or repository_advisories:read
permission
in order to get published security advisories in a private repository, or any unpublished security advisories that you have access to.
You can access unpublished security advisories from a repository if you are a security manager or administrator of that repository, or if you are a collaborator on any security advisory.
Parameters for "List repository security advisories"
Headers |
---|
Name, Type, Description |
accept string Setting to |
Path parameters |
Name, Type, Description |
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository. The name is not case sensitive. |
Query parameters |
Name, Type, Description |
direction string The direction to sort the results by. Default: Can be one of: |
sort string The property to sort the results by. Default: Can be one of: |
before string A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. |
after string A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. |
per_page integer Number of advisories to return per page. Default: |
state string Filter by state of the repository advisories. Only advisories of this state will be returned. Can be one of: |
HTTP response status codes for "List repository security advisories"
Status code | Description |
---|---|
200 | OK |
400 | Bad Request |
404 | Resource not found |
Code samples for "List repository security advisories"
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/security-advisories
Response
Status: 200
[
{
"ghsa_id": "GHSA-abcd-1234-efgh",
"cve_id": "CVE-2050-00000",
"url": "https://api.github.com/repos/repo/a-package/security-advisories/GHSA-abcd-1234-efgh",
"html_url": "https://github.com/repo/a-package/security/advisories/GHSA-abcd-1234-efgh",
"summary": "A short summary of the advisory.",
"description": "A detailed description of what the advisory entails.",
"severity": "critical",
"author": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"publisher": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-abcd-1234-efgh"
},
{
"type": "CVE",
"value": "CVE-2050-00000"
}
],
"state": "published",
"created_at": "2020-01-01T00:00:00Z",
"updated_at": "2020-01-02T00:00:00Z",
"published_at": "2020-01-03T00:00:00Z",
"closed_at": null,
"withdrawn_at": null,
"submission": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "a-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.1",
"patched_versions": "1.0.1",
"vulnerable_functions": [
"function1"
]
},
{
"package": {
"ecosystem": "pip",
"name": "another-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.2",
"patched_versions": "1.0.2",
"vulnerable_functions": [
"function2"
]
}
],
"cvss": {
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"cwes": [
{
"cwe_id": "CWE-123",
"name": "A CWE"
}
],
"cwe_ids": [
"CWE-123"
],
"credits": [
{
"login": "octocat",
"type": "analyst"
}
],
"credits_detailed": [
{
"user": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"type": "analyst",
"state": "accepted"
}
]
},
{
"ghsa_id": "GHSA-1234-5678-9012",
"cve_id": "CVE-2051-0000",
"url": "https://api.github.com/repos/repo/a-package/security-advisories/GHSA-1234-5678-9012",
"html_url": "https://github.com/repo/a-package/security/advisories/GHSA-1234-5678-9012",
"summary": "A short summary of the advisory.",
"description": "A detailed description of what the advisory entails.",
"severity": "low",
"author": {
"login": "monauser",
"id": 2,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/monauser",
"html_url": "https://github.com/monauser",
"followers_url": "https://api.github.com/users/monauser/followers",
"following_url": "https://api.github.com/users/monauser/following{/other_user}",
"gists_url": "https://api.github.com/users/monauser/gists{/gist_id}",
"starred_url": "https://api.github.com/users/monauser/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/monauser/subscriptions",
"organizations_url": "https://api.github.com/users/monauser/orgs",
"repos_url": "https://api.github.com/users/monauser/repos",
"events_url": "https://api.github.com/users/monauser/events{/privacy}",
"received_events_url": "https://api.github.com/users/monauser/received_events",
"type": "User",
"site_admin": false
},
"publisher": {
"login": "monalisa",
"id": 3,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/monalisa",
"html_url": "https://github.com/monalisa",
"followers_url": "https://api.github.com/users/monalisa/followers",
"following_url": "https://api.github.com/users/monalisa/following{/other_user}",
"gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}",
"starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/monalisa/subscriptions",
"organizations_url": "https://api.github.com/users/monalisa/orgs",
"repos_url": "https://api.github.com/users/monalisa/repos",
"events_url": "https://api.github.com/users/monalisa/events{/privacy}",
"received_events_url": "https://api.github.com/users/monalisa/received_events",
"type": "User",
"site_admin": false
},
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-1234-5678-9012"
},
{
"type": "CVE",
"value": "CVE-2051-00000"
}
],
"state": "published",
"created_at": "2020-01-03T00:00:00Z",
"updated_at": "2020-01-04T00:00:00Z",
"published_at": "2020-01-04T00:00:00Z",
"closed_at": null,
"withdrawn_at": null,
"submission": [
{
"accepted": true
}
],
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "a-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.1",
"patched_versions": "1.0.1",
"vulnerable_functions": [
"function1"
]
},
{
"package": {
"ecosystem": "pip",
"name": "another-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.2",
"patched_versions": "1.0.2",
"vulnerable_functions": [
"function2"
]
}
],
"cvss": {
"vector_string": "AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"score": 1.6
},
"cwes": [
{
"cwe_id": "CWE-456",
"name": "A CWE 2.0"
}
],
"cwe_ids": [
"CWE-456"
],
"credits": [
{
"login": "monauser",
"type": "reporter"
}
],
"credits_detailed": [
{
"user": {
"login": "monauser",
"id": 2,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/monauser",
"html_url": "https://github.com/monauser",
"followers_url": "https://api.github.com/users/monauser/followers",
"following_url": "https://api.github.com/users/monauser/following{/other_user}",
"gists_url": "https://api.github.com/users/monauser/gists{/gist_id}",
"starred_url": "https://api.github.com/users/monauser/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/monauser/subscriptions",
"organizations_url": "https://api.github.com/users/monauser/orgs",
"repos_url": "https://api.github.com/users/monauser/repos",
"events_url": "https://api.github.com/users/monauser/events{/privacy}",
"received_events_url": "https://api.github.com/users/monauser/received_events",
"type": "User",
"site_admin": false
},
"type": "reporter",
"state": "accepted"
}
]
}
]
Create a repository security advisory
Creates a new repository security advisory.
You must authenticate using an access token with the repo
scope or repository_advisories:write
permission to use this endpoint.
In order to create a draft repository security advisory, you must be a security manager or administrator of that repository.
Parameters for "Create a repository security advisory"
Headers | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Name, Type, Description | |||||||||||||||
accept string Setting to | |||||||||||||||
Path parameters | |||||||||||||||
Name, Type, Description | |||||||||||||||
owner string RequiredThe account owner of the repository. The name is not case sensitive. | |||||||||||||||
repo string RequiredThe name of the repository. The name is not case sensitive. | |||||||||||||||
Body parameters | |||||||||||||||
Name, Type, Description | |||||||||||||||
summary string RequiredA short summary of the advisory. | |||||||||||||||
description string RequiredA detailed description of what the advisory impacts. | |||||||||||||||
cve_id string or null The Common Vulnerabilities and Exposures (CVE) ID. | |||||||||||||||
vulnerabilities array of objects RequiredA product affected by the vulnerability detailed in a repository security advisory. | |||||||||||||||
Properties of |
Name, Type, Description | ||||||
---|---|---|---|---|---|---|
package object RequiredThe name of the package affected by the vulnerability. | ||||||
Properties of |
Name, Type, Description |
---|
ecosystem string RequiredThe package's language or package management ecosystem. Can be one of: |
name string or null The unique package name within its ecosystem. |
vulnerable_version_range
string or null The range of the package versions affected by the vulnerability.
patched_versions
string or null The package version(s) that resolve the vulnerability.
vulnerable_functions
array of strings or null The functions in the package that are affected.
cwe_ids
array of strings or null A list of Common Weakness Enumeration (CWE) IDs.
credits
array of objects or null A list of users receiving credit for their participation in the security advisory.
Properties of credits
Name, Type, Description |
---|
login string RequiredThe username of the user credited. |
type string RequiredThe type of credit the user is receiving. Can be one of: |
severity
string or null The severity of the advisory. You must choose between setting this field or cvss_vector_string
.
Can be one of: critical
, high
, medium
, low
, null
cvss_vector_string
string or null The CVSS vector that calculates the severity of the advisory. You must choose between setting this field or severity
.
HTTP response status codes for "Create a repository security advisory"
Status code | Description |
---|---|
201 | Created |
403 | Forbidden |
404 | Resource not found |
422 | Validation failed, or the endpoint has been spammed. |
Code samples for "Create a repository security advisory"
curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/security-advisories \
-d '{"summary":"A new important advisory","description":"A more in-depth description of what the problem is.","severity":"high","cve_id":null,"vulnerabilities":[{"package":{"name":"a-package","ecosystem":"npm"},"vulnerable_version_range":"< 1.0.0","patched_versions":"1.0.0","vulnerable_functions":["important_function"]}],"cwe_ids":["CWE-1101","CWE-20"],"credits":[{"login":"monalisa","type":"reporter"},{"login":"octocat","type":"analyst"}]}'
Response
Status: 201
{
"ghsa_id": "GHSA-abcd-1234-efgh",
"cve_id": "CVE-2050-00000",
"url": "https://api.github.com/repos/repo/a-package/security-advisories/GHSA-abcd-1234-efgh",
"html_url": "https://github.com/repo/a-package/security/advisories/GHSA-abcd-1234-efgh",
"summary": "A short summary of the advisory.",
"description": "A detailed description of what the advisory entails.",
"severity": "critical",
"author": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"publisher": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-abcd-1234-efgh"
},
{
"type": "CVE",
"value": "CVE-2050-00000"
}
],
"state": "published",
"created_at": "2020-01-01T00:00:00Z",
"updated_at": "2020-01-02T00:00:00Z",
"published_at": "2020-01-03T00:00:00Z",
"closed_at": null,
"withdrawn_at": null,
"submission": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "a-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.1",
"patched_versions": "1.0.1",
"vulnerable_functions": [
"function1"
]
},
{
"package": {
"ecosystem": "pip",
"name": "another-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.2",
"patched_versions": "1.0.2",
"vulnerable_functions": [
"function2"
]
}
],
"cvss": {
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"cwes": [
{
"cwe_id": "CWE-123",
"name": "A CWE"
}
],
"cwe_ids": [
"CWE-123"
],
"credits": [
{
"login": "octocat",
"type": "analyst"
}
],
"credits_detailed": [
{
"user": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"type": "analyst",
"state": "accepted"
}
]
}
Privately report a security vulnerability
Report a security vulnerability to the maintainers of the repository. See "Privately reporting a security vulnerability" for more information about private vulnerability reporting.
Parameters for "Privately report a security vulnerability"
Headers | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Name, Type, Description | |||||||||||||||
accept string Setting to | |||||||||||||||
Path parameters | |||||||||||||||
Name, Type, Description | |||||||||||||||
owner string RequiredThe account owner of the repository. The name is not case sensitive. | |||||||||||||||
repo string RequiredThe name of the repository. The name is not case sensitive. | |||||||||||||||
Body parameters | |||||||||||||||
Name, Type, Description | |||||||||||||||
summary string RequiredA short summary of the advisory. | |||||||||||||||
description string RequiredA detailed description of what the advisory impacts. | |||||||||||||||
vulnerabilities array of objects or null An array of products affected by the vulnerability detailed in a repository security advisory. | |||||||||||||||
Properties of |
Name, Type, Description | ||||||
---|---|---|---|---|---|---|
package object RequiredThe name of the package affected by the vulnerability. | ||||||
Properties of |
Name, Type, Description |
---|
ecosystem string RequiredThe package's language or package management ecosystem. Can be one of: |
name string or null The unique package name within its ecosystem. |
vulnerable_version_range
string or null The range of the package versions affected by the vulnerability.
patched_versions
string or null The package version(s) that resolve the vulnerability.
vulnerable_functions
array of strings or null The functions in the package that are affected.
cwe_ids
array of strings or null A list of Common Weakness Enumeration (CWE) IDs.
severity
string or null The severity of the advisory. You must choose between setting this field or cvss_vector_string
.
Can be one of: critical
, high
, medium
, low
, null
cvss_vector_string
string or null The CVSS vector that calculates the severity of the advisory. You must choose between setting this field or severity
.
HTTP response status codes for "Privately report a security vulnerability"
Status code | Description |
---|---|
201 | Created |
403 | Forbidden |
404 | Resource not found |
422 | Validation failed, or the endpoint has been spammed. |
Code samples for "Privately report a security vulnerability"
curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/security-advisories/reports \
-d '{"summary":"A newly discovered vulnerability","description":"A more in-depth description of what the problem is.","severity":"high","vulnerabilities":[{"package":{"name":"a-package","ecosystem":"npm"},"vulnerable_version_range":"< 1.0.0","patched_versions":"1.0.0","vulnerable_functions":["important_function"]}],"cwe_ids":["CWE-123"]}'
Response
Status: 201
{
"ghsa_id": "GHSA-abcd-1234-efgh",
"cve_id": "CVE-2050-00000",
"url": "https://api.github.com/repos/repo/a-package/security-advisories/GHSA-abcd-1234-efgh",
"html_url": "https://github.com/repo/a-package/security/advisories/GHSA-abcd-1234-efgh",
"summary": "A newly discovered vulnerability",
"description": "A more in-depth description of what the problem is.",
"severity": "high",
"author": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"publisher": null,
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-abcd-1234-efgh"
},
{
"type": "CVE",
"value": null
}
],
"state": "triage",
"created_at": "2020-01-01T00:00:00Z",
"updated_at": "2020-01-02T00:00:00Z",
"published_at": null,
"closed_at": null,
"withdrawn_at": null,
"submission": {
"accepted": false
},
"vulnerabilities": [
{
"package": {
"ecosystem": "npm",
"name": "a-package"
},
"vulnerable_version_range": "< 1.0.0",
"patched_versions": "1.0.0",
"vulnerable_functions": [
"important_function"
]
}
],
"cvss": null,
"cwes": [
{
"cwe_id": "CWE-123",
"name": "A CWE"
}
],
"cwe_ids": [
"CWE-123"
],
"credits": [
{
"login": "octocat",
"type": "finder"
}
],
"credits_detailed": [
{
"user": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"type": "finder",
"state": "accepted"
}
]
}
Get a repository security advisory
Get a repository security advisory using its GitHub Security Advisory (GHSA) identifier.
You can access any published security advisory on a public repository.
You must authenticate using an access token with the repo
scope or repository_advisories:read
permission
in order to get a published security advisory in a private repository, or any unpublished security advisory that you have access to.
You can access an unpublished security advisory from a repository if you are a security manager or administrator of that repository, or if you are a collaborator on the security advisory.
Parameters for "Get a repository security advisory"
Headers |
---|
Name, Type, Description |
accept string Setting to |
Path parameters |
Name, Type, Description |
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository. The name is not case sensitive. |
ghsa_id string RequiredThe GHSA (GitHub Security Advisory) identifier of the advisory. |
HTTP response status codes for "Get a repository security advisory"
Status code | Description |
---|---|
200 | OK |
403 | Forbidden |
404 | Resource not found |
Code samples for "Get a repository security advisory"
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/security-advisories/GHSA_ID
Response
Status: 200
{
"ghsa_id": "GHSA-abcd-1234-efgh",
"cve_id": "CVE-2050-00000",
"url": "https://api.github.com/repos/repo/a-package/security-advisories/GHSA-abcd-1234-efgh",
"html_url": "https://github.com/repo/a-package/security/advisories/GHSA-abcd-1234-efgh",
"summary": "A short summary of the advisory.",
"description": "A detailed description of what the advisory entails.",
"severity": "critical",
"author": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"publisher": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-abcd-1234-efgh"
},
{
"type": "CVE",
"value": "CVE-2050-00000"
}
],
"state": "published",
"created_at": "2020-01-01T00:00:00Z",
"updated_at": "2020-01-02T00:00:00Z",
"published_at": "2020-01-03T00:00:00Z",
"closed_at": null,
"withdrawn_at": null,
"submission": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "a-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.1",
"patched_versions": "1.0.1",
"vulnerable_functions": [
"function1"
]
},
{
"package": {
"ecosystem": "pip",
"name": "another-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.2",
"patched_versions": "1.0.2",
"vulnerable_functions": [
"function2"
]
}
],
"cvss": {
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"cwes": [
{
"cwe_id": "CWE-123",
"name": "A CWE"
}
],
"cwe_ids": [
"CWE-123"
],
"credits": [
{
"login": "octocat",
"type": "analyst"
}
],
"credits_detailed": [
{
"user": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"type": "analyst",
"state": "accepted"
}
]
}
Update a repository security advisory
Update a repository security advisory using its GitHub Security Advisory (GHSA) identifier.
You must authenticate using an access token with the repo
scope or repository_advisories:write
permission to use this endpoint.
In order to update any security advisory, you must be a security manager or administrator of that repository, or a collaborator on the repository security advisory.
Parameters for "Update a repository security advisory"
Headers | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Name, Type, Description | |||||||||||||||
accept string Setting to | |||||||||||||||
Path parameters | |||||||||||||||
Name, Type, Description | |||||||||||||||
owner string RequiredThe account owner of the repository. The name is not case sensitive. | |||||||||||||||
repo string RequiredThe name of the repository. The name is not case sensitive. | |||||||||||||||
ghsa_id string RequiredThe GHSA (GitHub Security Advisory) identifier of the advisory. | |||||||||||||||
Body parameters | |||||||||||||||
Name, Type, Description | |||||||||||||||
summary string A short summary of the advisory. | |||||||||||||||
description string A detailed description of what the advisory impacts. | |||||||||||||||
cve_id string or null The Common Vulnerabilities and Exposures (CVE) ID. | |||||||||||||||
vulnerabilities array of objects A product affected by the vulnerability detailed in a repository security advisory. | |||||||||||||||
Properties of |
Name, Type, Description | ||||||
---|---|---|---|---|---|---|
package object RequiredThe name of the package affected by the vulnerability. | ||||||
Properties of |
Name, Type, Description |
---|
ecosystem string RequiredThe package's language or package management ecosystem. Can be one of: |
name string or null The unique package name within its ecosystem. |
vulnerable_version_range
string or null The range of the package versions affected by the vulnerability.
patched_versions
string or null The package version(s) that resolve the vulnerability.
vulnerable_functions
array of strings or null The functions in the package that are affected.
cwe_ids
array of strings or null A list of Common Weakness Enumeration (CWE) IDs.
credits
array of objects or null A list of users receiving credit for their participation in the security advisory.
Properties of credits
Name, Type, Description |
---|
login string RequiredThe username of the user credited. |
type string RequiredThe type of credit the user is receiving. Can be one of: |
severity
string or null The severity of the advisory. You must choose between setting this field or cvss_vector_string
.
Can be one of: critical
, high
, medium
, low
, null
cvss_vector_string
string or null The CVSS vector that calculates the severity of the advisory. You must choose between setting this field or severity
.
state
string The state of the advisory.
Can be one of: published
, closed
, draft
HTTP response status codes for "Update a repository security advisory"
Status code | Description |
---|---|
200 | OK |
403 | Forbidden |
404 | Resource not found |
422 | Validation failed, or the endpoint has been spammed. |
Code samples for "Update a repository security advisory"
curl -L \
-X PATCH \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/security-advisories/GHSA_ID \
-d '{"severity":"critical","state":"published"}'
Response
Status: 200
{
"ghsa_id": "GHSA-abcd-1234-efgh",
"cve_id": "CVE-2050-00000",
"url": "https://api.github.com/repos/repo/a-package/security-advisories/GHSA-abcd-1234-efgh",
"html_url": "https://github.com/repo/a-package/security/advisories/GHSA-abcd-1234-efgh",
"summary": "A short summary of the advisory.",
"description": "A detailed description of what the advisory entails.",
"severity": "critical",
"author": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"publisher": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-abcd-1234-efgh"
},
{
"type": "CVE",
"value": "CVE-2050-00000"
}
],
"state": "published",
"created_at": "2020-01-01T00:00:00Z",
"updated_at": "2020-01-02T00:00:00Z",
"published_at": "2020-01-03T00:00:00Z",
"closed_at": null,
"withdrawn_at": null,
"submission": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "a-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.1",
"patched_versions": "1.0.1",
"vulnerable_functions": [
"function1"
]
},
{
"package": {
"ecosystem": "pip",
"name": "another-package"
},
"vulnerable_version_range": ">= 1.0.0, < 1.0.2",
"patched_versions": "1.0.2",
"vulnerable_functions": [
"function2"
]
}
],
"cvss": {
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"cwes": [
{
"cwe_id": "CWE-123",
"name": "A CWE"
}
],
"cwe_ids": [
"CWE-123"
],
"credits": [
{
"login": "octocat",
"type": "analyst"
}
],
"credits_detailed": [
{
"user": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"type": "analyst",
"state": "accepted"
}
]
}