Open Bug 2038058 Opened 4 days ago Updated 15 hours ago

Add GitHub permissions to mozilla-blender app

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

People

(Reporter: groovecoder, Unassigned)

Details

The mozilla-blender GitHub App needs two additional permissions for its new security alert investigation workflow.

New permissions requested:

  • vulnerability_alerts: write — BLEnder investigates Dependabot security alerts and dismisses unaffected ones (opt-in per repo, low/medium severity only; high/critical require human review)
  • security_events: write — When a vulnerability does affect the codebase, BLEnder creates a security advisory with a private fork for remediation

Context:

BLEnder already has contents: write and pull_requests: write (approved in bug 2030967). The new workflow extends BLEnder from fixing Dependabot PRs to triaging Dependabot security alerts. It clones the target repo, runs Claude Code in a sandbox to determine whether the vulnerable code is used, then takes action based on the verdict.

RRA follow-up meeting notes added to the existing RRA doc.

Safety controls:

  • dismiss_unaffected defaults to false; repos must opt in via .blender/blender.yml
  • High and critical severity alerts are never auto-dismissed — they require human review
  • Dismissed alerts include a BLEnder: prefix comment for auditability
  • Each investigation produces an HTML report uploaded as a workflow artifact (redacted for affected alerts to avoid leaking exploitability details)
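Added example (not BLEnder's own code, which is not shown on this page): the triage gate the safety controls above describe, written in Python. It assumes `.blender/blender.yml` holds a flat `dismiss_unaffected: true|false` key (the file and key are named in the bug; the YAML layout is an assumption), models the sandbox verdict as a boolean `vulnerable_code_used`, and builds the documented GitHub REST call for dismissing a Dependabot alert (`PATCH /repos/{owner}/{repo}/dependabot/alerts/{alert_number}`, which is what the "Dependabot alerts: write" permission unlocks). The sample alerts are constructed, trimmed to the fields the gate reads.

```python
"""Triage gate for Dependabot alerts (added example, not BLEnder's code)."""
import json
import urllib.request

AUTO_DISMISSABLE = {"low", "medium"}   # high/critical always go to a human
COMMENT_PREFIX = "BLEnder: "           # audit marker on every dismissal
MAX_COMMENT = 280                      # GitHub caps dismissed_comment length


def load_config(yaml_text: str) -> dict:
    """Read the one flat key this example needs from .blender/blender.yml.
    Kept standard-library only; a real implementation would use PyYAML."""
    cfg = {"dismiss_unaffected": False}   # safe default, as the bug states
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, val = line.partition(":")
        if sep and key.strip() == "dismiss_unaffected":
            cfg["dismiss_unaffected"] = val.strip().lower() in ("true", "yes", "on")
    return cfg


def decide(alert: dict, cfg: dict, vulnerable_code_used: bool) -> str:
    """Return 'advisory', 'dismiss' or 'human_review' for one alert."""
    severity = alert["security_advisory"]["severity"].lower()
    if vulnerable_code_used:
        return "advisory"          # affected: open an advisory + private fork
    if severity not in AUTO_DISMISSABLE:
        return "human_review"      # never auto-dismiss high/critical
    if not cfg.get("dismiss_unaffected", False):
        return "human_review"      # repo has not opted in
    return "dismiss"


def dismissal_request(owner: str, repo: str, alert: dict, reason_text: str) -> dict:
    """Build (but do not send) the PATCH that dismisses an alert."""
    comment = (COMMENT_PREFIX + reason_text)[:MAX_COMMENT]
    return {
        "method": "PATCH",
        "url": f"https://api.github.com/repos/{owner}/{repo}"
               f"/dependabot/alerts/{alert['number']}",
        "body": {
            "state": "dismissed",
            "dismissed_reason": "not_used",   # vulnerable code path not reached
            "dismissed_comment": comment,
        },
    }


def send(req: dict, token: str) -> int:
    """Send a request from dismissal_request(); returns the HTTP status.
    Needs an installation token for an app with Dependabot alerts: write."""
    r = urllib.request.Request(
        req["url"], data=json.dumps(req["body"]).encode(), method=req["method"],
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",  # a published version; later ones work too
            "Content-Type": "application/json",
        })
    with urllib.request.urlopen(r) as resp:
        return resp.status


def triage(alerts: list, cfg_text: str, verdicts: dict) -> list:
    """Run the gate over a batch; verdicts maps alert number -> bool (code used)."""
    cfg = load_config(cfg_text)
    return [(a["number"], decide(a, cfg, verdicts[a["number"]])) for a in alerts]


# Constructed sample alerts, shaped like the GitHub alert object but trimmed.
SAMPLE_ALERTS = [
    {"number": 1, "security_advisory": {"severity": "medium"}},
    {"number": 2, "security_advisory": {"severity": "critical"}},
    {"number": 3, "security_advisory": {"severity": "low"}},
]
SAMPLE_VERDICTS = {1: False, 2: False, 3: True}
OPT_IN = "dismiss_unaffected: true   # constructed .blender/blender.yml"
OPT_OUT = ""                          # no file at all: default applies

if __name__ == "__main__":
    for number, verdict in triage(SAMPLE_ALERTS, OPT_IN, SAMPLE_VERDICTS):
        print(number, verdict)
    print(dismissal_request("mozilla", "example-repo", SAMPLE_ALERTS[0],
                            "vulnerable function is never called")["body"])
```

With the opt-in config the batch yields alert 1 dismissed, alert 2 held for human review despite being unaffected (critical), and alert 3 routed to an advisory because the code is used; with no config at all, nothing is dismissed.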

Approved

Woo, thanks @Clovis!

:ctb - is this something you can do for us?

Flags: needinfo?(cbrentano)

(In reply to Luke Crouch [:groovecoder] from comment #2)
> Woo, thanks @Clovis!
>
> :ctb - is this something you can do for us?

It appears that for vulnerability_alerts write permission I have to give the app r/w access to administration (as mentioned in https://docs.github.com/en/rest/repos/repos?apiVersion=2026-03-10#enable-vulnerability-alerts)

I don't see a thing in the web UI that mentions security_events permission, but I keep finding stuff in the docs (or when I ask Copilot, heh) that does:

Open your GitHub App settings: go to https://docs.github.com/en/apps/maintaining-github-apps/modifying-a-github-app-registration and follow "Navigating to your GitHub App settings" to reach the app you want to modify.

In the app settings sidebar click Permissions & events.

Under the appropriate permissions section (Repository, Organization, or Account) find the permission that controls security/webhook access (look for the permission labeled like security_events, Security events, or the security-related permission your app needs) and change its access level to Write.

I just don't see it, unless I'm missing it. Luke since you're an app manager would you mind taking a look in case I'm just not seeing it? https://github.com/organizations/mozilla/settings/apps/mozilla-blender/permissions

Flags: needinfo?(cbrentano) → needinfo?(lcrouch)

I think we just need read + write on these:

  • Dependabot alerts (Retrieve Dependabot alerts.)
  • Repository security advisories (View and manage repository security advisories.)

Flags: needinfo?(lcrouch) → needinfo?(cbrentano)

Great, thanks! Updated and applied.

Flags: needinfo?(cbrentano)