Assignable alerts for code scanning and secret scanning are now in public preview

[samus-aran]

Starting today, you can now assign users directly to both code scanning and secret scanning alerts. Now available in public preview, assignable alerts empower teams and individuals to:

• Take direct ownership of specific security issues
• Track remediation work within GitHub, integrating alert management with regular development tasks
• Accelerate remediation cycles and developer engagement by making responsibility clear and actionable

Alert assignees are available to customers with GitHub Code Security, GitHub Secret Protection, or GitHub Advanced Security.

Together, these updates move teams from simply finding vulnerabilities to actually fixing them—helping organizations reduce risk and remediate security debt faster, all within GitHub.

[felsteadd]

Great feature! It would be useful if the multi-select options in list view would allow bulk assignment and also if the REST API ${BASE_URL}/repos/${ORG}/${REPO}/code-scanning/alerts/${alert.number} would accept assignee in the PATCH payload to allow scripting the assignment of alerts.

[jf205]

Hi @felsteadd

Thanks for the feedback. API support for updating the alert assignee is very much on our radar. When we have a firm timeline it'll appear on the GitHub public roadmap 👍🏻

[linhhuynh2]

I was assigned this password but no longer need this. Please remove.

[wreiske]

This is great! I was sad to see that Copilot wasn't an option to assign to. It would be awesome if I could just assign Copilot a security alert and it could go create a PR to fix it.

[jf205]

Hi @wreiske

I totally agree that this would be awesome. We are always thinking about ways to make it easier to resolve security alerts and i think this would be a big difference. Definitely something for us to work on!

[jsoref]

I'd like to be able to filter by assignee using the drop down section...

Here's an alert:

Here's an alert with me as an assignee (note that I'd like to be able to filter on assignees other than me as well as alerts without an assignee):

Here are some alerts in a repository (for a PR...):

It turns out I can filter by using assignee:...

And I can exclude using -assignee:...

But having to add each and every possible user to a list of -assignee:... would be rather painful. -- I'd much rather be able to select (unassigned) and preferably from a dropdown -- compare the issues filter:

[jf205]

Hi @jsoref

Thanks for the feedback. We'll look into this!

[cedriclecoz]

Great feature! is there a way for the assignee to receive a notification of the assignment ?

[jf205]

Hi @cedriclecoz

At the moment only secret scanning alert assignees are notified, but we are going to add notifications for code scanning alert assignees as soon as possible. I hope that helps!

[utsav-bhagat]

It would be super beneficial if there was a way to assign teams also, instead of only one individual.
This would help assignments when working in large orgs.

[jf205]

Thanks for the feedback @utsav-bhagat. For now, code scanning alerts support up to 10 assignees and secret scanning alerts support a single assignee -- but team assignment is something we are thinking about adding in the future 👍🏻

[jsoref]

Is that 10 assignees per alert or 10 assignees for all code scanning alerts in a repository?

[jf205]

@jsoref: it's 10 assignees per code scanning alert

[utsav-bhagat]

@jf205 sweet, will keep an eye out for the new feature.

[mawrer-ramirez-driscolls]

This is a good feature, with this we can track the alerts directly here without Jira tickets or Issues, but if a developer have assigned multiple alerts and he already submit the alert for review, should be good have in the screen where all the Alerts are listed the status, if the alert is waiting approval or was not submitted yet.
Should be good have an option to stablish a default assignee for all the alerts per repo, we have Repository Owners, in that way we can define per repo who should get assigned automatically for new alerts.
As other mentioned multiple assignees is not working.

[jf205]

Hey @mawrer-ramirez-driscolls

Thanks for the feedback. We have improvements planned in the near futures, so please keep watching for more announcements!

[shahviral005]

GitHub currently provide public APIs to collect collaborators for repositories but in case we need maintainer/secret owner directly in GitHub Secret Dashboard is there any way from UI or API. Currently we have to check manually for each repo for secret owner/maintainer and send communications via email. Considering the number of secrets are high maintaining secret owner/maintainer is difficult.

[dopeytree]

be useful to be able to scan current main branch to see if fixed or not etc