dependabot / elixir-security-advisories

Old database of Elixir security advisories before the GitHub Security Advisory DB supported Hex / Elixir.

Build a web API

greysteil opened this issue · comments

GitHub is a great place to store the data for security advisories, and pull requests/commits are a relatively good flow for creating new advisories. However, a database of YAML files isn't the easiest thing in the world to query!

We should build a web API that pulls in the data from here and serves it over HTTP. Ideally that service would also allow integrators to sign up for webhooks, so they're alerted as soon as a new vulnerability is disclosed.

Note: the code for this API probably shouldn't live in this repo. Integrators who are pulling data directly from this repo are almost certainly polling it to check what the latest commit is, and triggering a refresh of their data based on that. If we build a full-blown application in the repo we'll create lots of unnecessary noise for them.
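The kind of query such an API would answer, as an added example that is not code from this repository or from the ex-security-advisory/api project: an in-memory index over advisory records with a version check, so an integrator can ask "does any advisory apply to package X at version Y?" instead of grepping YAML files. The record fields (`package`, `id`, `patched_versions`, `unaffected_versions`) are an assumption about the advisory schema, the two advisories are constructed sample data with placeholder identifiers, and versions are assumed to be full `major.minor.patch` triples.

```python
"""Added example: queryable index over advisory records (assumed schema, constructed data)."""
import re

# Constructed sample advisories, shaped the way a YAML loader would return them.
# Field names are an assumption, not taken from the real database.
SAMPLE_ADVISORIES = [
    {
        "package": "example_web",                 # hypothetical Hex package
        "id": "EXAMPLE-0001",                     # placeholder identifier
        "title": "Path traversal in static file handler",
        "patched_versions": [">= 1.4.2"],
        "unaffected_versions": ["< 1.0.0"],
    },
    {
        "package": "example_auth",                # hypothetical Hex package
        "id": "EXAMPLE-0002",                     # placeholder identifier
        "title": "Tokens compared without constant-time comparison",
        "patched_versions": [">= 2.1.0", "~> 2.0.5"],
        "unaffected_versions": [],
    },
]


def parse_version(version):
    """'1.4.2' -> (1, 4, 2); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in version.split("."))


def matches_requirement(version, requirement):
    """Evaluate one Hex-style requirement ('>= 1.4.2', '~> 2.0.5', '< 1.0.0')."""
    match = re.fullmatch(r"\s*(>=|<=|~>|>|<|==)\s*([\d.]+)\s*", requirement)
    if not match:
        raise ValueError(f"unsupported requirement: {requirement!r}")
    op, target = match.group(1), parse_version(match.group(2))
    ver = parse_version(version)
    if op == "~>":
        # Pessimistic operator: >= target and < the next bump of the
        # second-to-last component ('~> 2.0.5' means >= 2.0.5 and < 2.1.0).
        if len(target) < 2:
            raise ValueError("~> needs at least two version components")
        upper = target[:-2] + (target[-2] + 1,)
        return ver >= target and ver[: len(upper)] < upper
    return {
        ">=": ver >= target,
        "<=": ver <= target,
        ">": ver > target,
        "<": ver < target,
        "==": ver == target,
    }[op]


def is_affected(advisory, version):
    """A version is affected unless it satisfies a patched or unaffected requirement."""
    safe_ranges = advisory["patched_versions"] + advisory["unaffected_versions"]
    return not any(matches_requirement(version, r) for r in safe_ranges)


class AdvisoryIndex:
    """Advisories grouped by package, the lookup a web API would sit in front of."""

    def __init__(self, advisories):
        self._by_package = {}
        for advisory in advisories:
            self._by_package.setdefault(advisory["package"], []).append(advisory)

    def query(self, package, version):
        """Return the ids of advisories that apply to package@version."""
        return [
            advisory["id"]
            for advisory in self._by_package.get(package, [])
            if is_affected(advisory, version)
        ]


if __name__ == "__main__":
    index = AdvisoryIndex(SAMPLE_ADVISORIES)
    print(index.query("example_web", "1.4.1"))   # ['EXAMPLE-0001']
    print(index.query("example_auth", "2.0.6"))  # []
```

The index is rebuilt from the full advisory set each time the data changes, which is what a service pulling from this repo would do after noticing a new commit; the per-request work is then a dictionary lookup plus a handful of version comparisons.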

I'm currently working on a little side project to help build this one. I'll soon share a repo as a base of discussion.

@greysteil I published a first WIP of the API here: https://github.com/ex-security-advisory/api

This probably contains a lot of bugs, is not stable and currently doesn't have a single test. It should be sufficient for a discussion, however.

The API provides a REST and a GraphQL interface.

Please have a look and tell me what you think here: ex-security-advisory/api#1

@greysteil Did you already have time to look at my proposal? I'm eager to get some feedback on the project.

This is awesome!

I'm not the right person to look through the code (my Elixir is woeful), but have been playing with the API in postman - nice work!

Really like the revisions - making use of the commits like that feels really smart.

Have added a link across from the readme, and I'm going to close this to avoid confusion. Will pick up discussion over on your repo. 🙂