GitHub code scanning customers can now require a review process before dismissing alerts, helping you manage security risks as well as meet audit and compliance requirements.

What’s new

  • Provide a comment when approving/rejecting alert dismissal requests.
  • Manage and review dismissal requests across all organizations at the enterprise level, using the security tab in your enterprise’s UI. You’ll need to be an enterprise owner to view and manage these requests.
  • Access and manage alert dismissal requests using the REST API, making it easier to integrate triage and reviews into your existing workflows.

REST API endpoints for reviewers

  • Create dismissal requests:

    PATCH /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}

  • Retrieve dismissal requests for an organization or repository:

    GET /orgs/{org}/dismissal-requests/code-scanning
    GET /repos/{owner}/{repo}/dismissal-requests/code-scanning
    GET /repos/{owner}/{repo}/dismissal-requests/code-scanning/{alert_number}
    
  • Review dismissal requests:

    PATCH /repos/{owner}/{repo}/dismissal-requests/code-scanning/{alert_number}

The REST API is not available at the enterprise level.
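As an added example (not GitHub's code), the following Python builds the calls for the two halves of the workflow above: a requester asking to dismiss an alert, and a reviewer approving or rejecting the resulting request, each with the comment the feature records. The request body for the review endpoint ({"status", "message"}) is an assumption; the alert endpoint's state, dismissed_reason and dismissed_comment fields are from GitHub's existing alert API.

```python
"""Client helpers for the code scanning alert dismissal request workflow."""
import json
import urllib.request

API = "https://api.github.com"
# Values accepted by the existing alert endpoint's dismissed_reason field.
DISMISS_REASONS = ("false positive", "won't fix", "used in tests")


def _request(method, path, token, body=None):
    """Build (but do not send) an authenticated GitHub REST request."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{API}{path}", data=data, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def request_dismissal(owner, repo, alert_number, reason, comment, token):
    """Requester side: with review required, this opens a dismissal request
    instead of closing the alert. The comment gives reviewers the rationale."""
    if reason not in DISMISS_REASONS:
        raise ValueError(f"dismissed_reason must be one of {DISMISS_REASONS}")
    body = {"state": "dismissed", "dismissed_reason": reason,
            "dismissed_comment": comment}
    path = f"/repos/{owner}/{repo}/code-scanning/alerts/{alert_number}"
    return _request("PATCH", path, token, body)


def list_dismissal_requests(token, org=None, owner=None, repo=None):
    """Reviewer side: pending requests for a whole org or a single repo."""
    if org:
        return _request("GET", f"/orgs/{org}/dismissal-requests/code-scanning", token)
    return _request("GET", f"/repos/{owner}/{repo}/dismissal-requests/code-scanning", token)


def review_dismissal(owner, repo, alert_number, approve, message, token):
    """Reviewer decision; the message is kept with the request for audit.
    ASSUMPTION: body fields 'status' (approve/deny) and 'message'."""
    body = {"status": "approve" if approve else "deny", "message": message}
    path = f"/repos/{owner}/{repo}/dismissal-requests/code-scanning/{alert_number}"
    return _request("PATCH", path, token, body)


def body_of(req):
    """Decode a built request's JSON body (None for GET requests)."""
    return json.loads(req.data) if req.data else None


def send(req):
    """Execute a built request and return the decoded JSON response."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Calling send() on any of the built requests performs the real API call with the supplied token; the builders themselves make no network access, so they can be unit-tested in CI.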

Permissions and roles

Previously, only organization owners and security managers could review dismissal requests. Now, each of these permissions can be assigned to custom roles at the organization level, making it easier to delegate alert review responsibilities to the right people. Individuals assigned custom roles will only see requests for repositories they have access to:

  • View code scanning alert dismissal requests allows a user to see requests but not act on them.
  • Review code scanning alert dismissal requests allows a user to approve or reject requests.
  • Bypass code scanning alert dismissal requests allows a user to approve their own requests.

To learn more about code scanning alert dismissal requests, view our documentation.