What Changed
Version 3.2.1 addresses critical compatibility issues with the GitHub CLv2 ingestion migration. The update fixes three core parsers (GitHubCodeScanningData, GitHubDependabotData, GitHubSecretScanningData) and both workbooks to properly handle the new GitHubAdvancedSecurityAlerts_CL table schema while maintaining backward compatibility with existing githubscanaudit_CL deployments.
Security Impact (Visibility & Fidelity)
Deployments using the newer GitHub Webhook V2 connector (CLv2/Logs Ingestion API) have had broken visibility for GitHub Advanced Security alerts since the v3.2.0 release. The parsers were hardcoded to query only the legacy githubscanaudit_CL table, so they returned zero results for data in the new GitHubAdvancedSecurityAlerts_CL table.
Impact scope:
- Code scanning vulnerability alerts were not being parsed
- Dependabot security alerts returned null for key fields (external_identifier, severity)
- Secret scanning alerts were completely invisible to workbook queries
- Workbook tiles showed zero activity despite active GitHub security events
Parser Impact
Updated schema compatibility:
GitHubCodeScanningData: Now uses the unified githubscanaudit parser and adds event_s == code_scanning_alert detection for CLv2 events alongside legacy action_s filtering.
GitHubDependabotData: Enhanced with robust field mapping using coalesce() to handle schema differences:
- alertexternalidentifier: coalesce(alert.external_identifier, alert.security_advisory.ghsa_id, tostring(alert.number))
- alertseverity: coalesce(alert.severity, alert.security_advisory.severity)
- Supports both create and created action values
GitHubSecretScanningData: Adds event_s == secret_scanning_alert detection and includes alertresolveddate field for CLv2 compatibility.
All parsers now query the githubscanaudit union parser instead of directly accessing githubscanaudit_CL, ensuring automatic compatibility with both V1 and V2 table structures.
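The GitHubDependabotData fallback mapping described above, as an added KQL example that is not the parser's own code. The rows, the `alert` column shape, and the sample identifiers are constructed for illustration; the `tostring()` wrappers are an assumption, added so that every `coalesce()` argument has the same type and empty values are skipped.

```kusto
// Constructed sample rows (not real telemetry); the column layout is an assumption.
let SampleAlerts = datatable(action_s: string, alert: dynamic)
[
    // Legacy-shaped payload: identifier and severity sit directly on the alert.
    "create",    dynamic({"number": 11, "external_identifier": "EXAMPLE-ID-0001", "severity": "high"}),
    // CLv2-shaped payload: values are nested under security_advisory.
    "created",   dynamic({"number": 12, "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxxx", "severity": "critical"}}),
    // No identifier in either place: the mapping falls back to the alert number.
    "created",   dynamic({"number": 13, "security_advisory": {"severity": "low"}}),
    // Unrelated action value: excluded by the filter below.
    "dismissed", dynamic({"number": 14, "severity": "low"})
];
SampleAlerts
// Accept both action spellings, as the updated parser does.
| where action_s in ("create", "created")
| extend
    // First non-empty value wins: legacy field, then advisory GHSA id, then alert number.
    alertexternalidentifier = coalesce(
        tostring(alert.external_identifier),
        tostring(alert.security_advisory.ghsa_id),
        tostring(alert.number)),
    // Legacy severity first, then the advisory's severity.
    alertseverity = coalesce(
        tostring(alert.severity),
        tostring(alert.security_advisory.severity))
| project action_s, alertexternalidentifier, alertseverity
```

Running this in a Log Analytics query window shows whether a given payload shape would leave either field empty, which is the symptom the fix addresses.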
Deployment Notes
This is a data fidelity fix, not a cosmetic update. Existing workbooks and analytics that rely on GitHub security data were returning incomplete results for CLv2 deployments. The fix ensures consistent field names and alert detection across both ingestion methods.
Affected Files
Solutions/GitHub/Data Connectors/GithubWebhookV2/GithubWebhookV2_API_FunctionApp.json
Solutions/GitHub/Data Connectors/GithubWebhookV2/README.md
Solutions/GitHub/Parsers/GitHubCodeScanningData.yaml
Solutions/GitHub/Parsers/GitHubDependabotData.yaml
Solutions/GitHub/Parsers/GitHubSecretScanningData.yaml
Solutions/GitHub/Workbooks/GitHub.json
Solutions/GitHub/Workbooks/GitHubAdvancedSecurity.json
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.2.1.zip, ReleaseNotes.md, Solution_GitHub.json, mainTemplate.json)