My GitHub org is currently receiving many webhooks of the `security_advisory.published` type. My understanding is that these advisories are general in nature and are not necessarily received due to a specific package being used within an org (please correct me if wrong).

The reason I'm raising this is that there appear to be many junk `malware` type advisories being pushed out through the database:

see: https://github.com/advisories?query=type%3Amalware

example advisory: GHSA-hh4g-p2q6-7fvj

These advisories would need to be reviewed before being sent out, is that correct? An interesting note is that these events are also all failing the `X-Hub-Signature-256` check for the GitHub App installed in my org receiving the webhook events.
robase changed the title from "Many security_advisory.published events originating from similar npm packages and failing" to "Many security_advisory.published failing webhook events originating from similar npm packages" on Jul 4, 2024.
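The check the original post reports as failing is GitHub's `X-Hub-Signature-256` header: an HMAC-SHA256 over the raw request body, keyed with the webhook secret, delivered as `sha256=<hex>`. The following is an added example, not code from this issue or from GitHub, showing a verifier together with the two receiver-side mistakes that most often make a genuine delivery fail the check: hashing a re-serialized body instead of the raw bytes, and verifying with the secret of a different webhook (a GitHub App's webhook secret is configured on the App itself, separately from any org or repository webhook). The secret, the payload and the header values below are constructed for the example.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Hub-Signature-256"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Return the value GitHub sends in X-Hub-Signature-256 for raw_body."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Verify one delivery.

    Header names are looked up case-insensitively (proxies and frameworks
    often lower-case them) and the comparison is constant-time so the check
    does not leak how many leading bytes of the signature matched.
    """
    received = None
    for name, value in headers.items():
        if name.lower() == SIGNATURE_HEADER.lower():
            received = value
            break
    if not received or not received.startswith("sha256="):
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, received)


# Constructed sample delivery; not a real secret, payload or GitHub signature.
WEBHOOK_SECRET = b"example-webhook-secret"
RAW_BODY = (
    b'{"action":"published","security_advisory":'
    b'{"ghsa_id":"GHSA-xxxx-xxxx-xxxx","severity":"critical"}}'
)


def sample_headers(secret: bytes = WEBHOOK_SECRET, body: bytes = RAW_BODY) -> dict:
    """Headers as a sender holding `secret` would produce for `body`."""
    return {
        "X-GitHub-Event": "security_advisory",
        SIGNATURE_HEADER: compute_signature(secret, body),
    }


def demo_raw_body_ok() -> bool:
    # Correct: hash exactly the bytes that arrived on the wire.
    return verify_signature(WEBHOOK_SECRET, RAW_BODY, sample_headers())


def demo_reserialized_body_fails() -> bool:
    # Common bug: parse the JSON, then re-serialize it before hashing.
    # Whitespace and key order change the bytes, so the HMAC no longer matches.
    reserialized = json.dumps(json.loads(RAW_BODY), indent=2).encode()
    return verify_signature(WEBHOOK_SECRET, reserialized, sample_headers())


def demo_wrong_secret_fails() -> bool:
    # Common bug: verifying App deliveries with an org/repo webhook secret
    # (or vice versa). Every delivery then fails, even though it is genuine.
    return verify_signature(b"some-other-secret", RAW_BODY, sample_headers())


if __name__ == "__main__":
    print("raw body:", demo_raw_body_ok())
    print("re-serialized body:", demo_reserialized_body_fails())
    print("wrong secret:", demo_wrong_secret_fails())
```

When every delivery of one event type fails while others pass, the first thing to rule out is the receiver: confirm the body handed to the verifier is the unmodified request bytes and that the secret in use belongs to the webhook (App or org) that actually sent the event.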
The npm malware advisories are correlated with malware takedowns performed by the npm team. The idea is to alert anyone who may have downloaded the malware before it got pulled from the npm registry. In that sense they are reviewed and not junk.
> An interesting note is that these events are also all failing the `X-Hub-Signature-256`
That's certainly curious. I'll share that around 👍