The GitHub Links macro can display GitHub security alerts directly in Confluence, making it easy to reference vulnerabilities in incident reports, retrospectives, or security documentation.
Supported security link types
|
Alert type |
URL pattern |
What is displayed |
|---|---|---|
|
Dependabot alert |
|
Severity, summary, package name, state (Open / Fixed / Dismissed) |
|
Code Scanning alert |
|
Severity, rule description, tool name, state (Open / Fixed / Dismissed) |
|
Security Advisory |
|
Severity, summary, GHSA identifier, state (Published / Closed / Draft) |
Dependabot alerts
Dependabot alerts work with the default GitHub App permissions - no extra setup required. Paste the alert URL directly onto a Confluence page.
Code Scanning alerts
Code Scanning alerts require the Code scanning alerts (read) permission. Without it the macro displays: "Additional GitHub App permission required - grant 'Code scanning alerts' (read) and re-approve the app to display this alert."
If you see a permission error, contact your Confluence administrator to approve the Code scanning alerts permission on the GitHub App installation.
Security Advisories
Security Advisories require the Repository security advisories (read) permission. Without it the macro displays: "Additional GitHub App permission required - grant 'Repository security advisories' (read) and re-approve the app to display this advisory."
If you see a permission error, contact your Confluence administrator to approve the Repository security advisories permission on the GitHub App installation.
For a full overview of GitHub App permissions and how to manage organisation access, see Managing GitHub App permissions and organisation access.
Use cases
-
Incident documentation - embed a specific Dependabot or Code Scanning alert in your incident report to link the vulnerability directly to the response timeline
-
Sprint retrospectives - reference unresolved security alerts alongside PR and issue data in your retro page
-
Security runbooks - embed advisory details in your response playbooks so the team has full context without leaving Confluence
Updated: