githubtraining / security

Course repo for Learning Lab course "Securing your workflows". Template repo ➡
https://github.com/githubtraining/security-template
Creative Commons Attribution 4.0 International

No vulnerability alert event? #14

Closed hectorsector closed 6 years ago

hectorsector commented 6 years ago

It doesn't look like there's an API endpoint we can access (yet) regarding vulnerability alerts, but we should at least be receiving information about them via the repository_vulnerability_alert event. However, even when creating new vulnerabilities, and fixing those vulnerabilities, I'm not seeing that event come through in smee. The only issue I can think of is enabling previews -- but maybe I'm missing something else?

@JasonEtco could you help me understand what's going on?

JasonEtco commented 6 years ago

@hectorsector if you're not seeing it in Smee, then it's likely that your app (and our production app) doesn't have the correct permissions and webhook events enabled for Security Alerts.

Those came out after the LL went GA and we set those permissions. For your own GitHub App you could fix it via the app's settings - for our production app, I'd like to add those permissions as part of https://github.com/github/learning-engineering/issues/10

hectorsector commented 6 years ago

Thanks @JasonEtco. I'm looking in my own app, and I only see a read-only permission for vulnerability alerts, and no event that sounds like repository_vulnerability_alert. Is this where I'm supposed to be looking?

[Screenshot: permissions page of hectorsector's GitHub App settings, captured 2018-09-24]

JasonEtco commented 6 years ago

@hectorsector thanks for the screenshot - I see there that you do have Security vulnerability alerts: Read, so the webhook event should be showing up at the bottom 🤔 I'm not sure why it isn't.

hectorsector commented 6 years ago

🙈 do you see it for your own apps? Whom can I ask?

brianamarie commented 6 years ago

Thank you for this @hectorsector & @JasonEtco. I think for now, I'm considering changing the flow so we don't check for a specific version, but rather check that the correct line is being updated, and we can hope that's a good enough check until we can solve the bigger problem.

I'll commit that now, but I think this is still something we should work on for an improvement, and it takes the urgency off of it.

brianamarie commented 6 years ago

This is being followed up on in #91.