Add support for disabling the use of the vulnerability management endpoint #1022
Conversation
I really like this PR as it opens us up to more use cases and I've had friction with inconsistent vulnerability alert support across environments in the past.
I suggest we generalize ignore_vulnerability_alerts_during_read to something like privileged so we can reuse the flag for other cases that may arise or already exist.
Keeping this queued for an upcoming release for now in case there is more input from the community. Overall on board though and anticipate this shipping this quarter.
I think if we want to use a generic and overloaded term such as
I'm a bit confused why the checks aren't running on this PR. Maybe they'll trigger with a comment?
I'm dumb; the checks weren't running because they didn't exist at the point when this PR was opened. I've now updated this branch with main and made a small change for gofmt purposes.
I agree with @majormoses regarding the term privileged, and I think it makes sense to take this as-is now and adjust the flag later if need be.
…point (integrations#1022) * Add support for disabling the use of the vulnerability management endpoint * Run make lint Co-authored-by: Keegan Campbell <me@kfcampbell.com>
This PR adds a flag to disable reading the GetVulnerabilityAlerts endpoint on refresh, since that read prevents Terraform from running with least privilege in the plan phase.
The endpoint GET /repos/:owner/:repo/vulnerability-alerts needs administration: write permissions when using a GitHub App to deploy. In the plan phase this is unwanted because it forces us to expose highly privileged secrets to branch builds rather than just to the main build.
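To make the least-privilege point in the description concrete, here is an added Go sketch of the refresh logic the flag gates. It is example code written for this page, not the provider's own implementation: the `alertsClient` interface, the `fakeClient` that stands in for a GitHub App installation token, the `administration: write` check it performs, and the `ignoreVulnerabilityAlerts` parameter name are all assumptions. The point it shows is that with the flag set the privileged endpoint is never called, so a branch build whose token lacks `administration: write` can still complete its refresh, while the main build keeps reading the real value.

```go
package main

import (
	"errors"
	"fmt"
)

// alertsClient models the one call the flag gates:
// GET /repos/:owner/:repo/vulnerability-alerts (assumed interface, not the provider's).
type alertsClient interface {
	GetVulnerabilityAlerts(owner, repo string) (bool, error)
}

// ErrForbidden stands in for the 403 the API returns when the installation
// token lacks the "administration: write" permission (constructed message).
var ErrForbidden = errors.New("403 Forbidden: resource not accessible by integration")

// fakeClient is a constructed stand-in for a GitHub App installation client.
type fakeClient struct {
	hasAdminWrite bool // whether the token carries administration: write
	alertsEnabled bool // the value the real endpoint would report
	calls         int  // how many times the privileged endpoint was hit
}

func (c *fakeClient) GetVulnerabilityAlerts(owner, repo string) (bool, error) {
	c.calls++
	if !c.hasAdminWrite {
		return false, ErrForbidden
	}
	return c.alertsEnabled, nil
}

// repoState is the subset of resource state this example tracks.
type repoState struct {
	Owner, Name             string
	VulnerabilityAlerts     bool
	VulnerabilityAlertsRead bool // false when the read was skipped by the flag
}

// readRepository mirrors the refresh step: when ignoreVulnerabilityAlerts is
// set, the privileged endpoint is never called, so a low-privilege token used
// in the plan phase does not fail the refresh.
func readRepository(c alertsClient, owner, repo string, ignoreVulnerabilityAlerts bool) (*repoState, error) {
	st := &repoState{Owner: owner, Name: repo}
	if ignoreVulnerabilityAlerts {
		return st, nil
	}
	enabled, err := c.GetVulnerabilityAlerts(owner, repo)
	if err != nil {
		return nil, fmt.Errorf("reading vulnerability alerts for %s/%s: %w", owner, repo, err)
	}
	st.VulnerabilityAlerts = enabled
	st.VulnerabilityAlertsRead = true
	return st, nil
}

func main() {
	// Branch build: token without administration: write.
	branchToken := &fakeClient{hasAdminWrite: false, alertsEnabled: true}
	if _, err := readRepository(branchToken, "octo", "repo", false); err != nil {
		fmt.Println("flag off:", err)
	}
	if st, err := readRepository(branchToken, "octo", "repo", true); err == nil {
		fmt.Printf("flag on: refresh succeeded, alerts read=%v, endpoint calls=%d\n",
			st.VulnerabilityAlertsRead, branchToken.calls)
	}
	// Main build: token with administration: write reads the real value.
	mainToken := &fakeClient{hasAdminWrite: true, alertsEnabled: true}
	st, _ := readRepository(mainToken, "octo", "repo", false)
	fmt.Printf("main build: alerts enabled=%v\n", st.VulnerabilityAlerts)
}
```

The trade-off is visible in `VulnerabilityAlertsRead`: a plan run with the flag set cannot detect drift in the alerts setting, which is the price of keeping `administration: write` out of branch builds.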