The more you do something the easier it is to do. There is nothing wrong with it no longer feeling like an alert.
That is almost the definition of alert fatigue. The problem is tools presenting minor issues as major ones because they might be a major issue in certain circumstances. Then supposedly major alerts start to feel normal, and when there is an actually major alert nobody has a sense of urgency about it.
I've never used GitHub's version of this, but I've used others, and as someone who only develops internal tools I wish there was a setting for "I mostly trust my authenticated users," which I think would downgrade "possible DoS from a specially crafted regex from an authenticated user."
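As an added illustration of the finding mentioned above (this is editor-added example code, not something posted in the thread or taken from GitHub's scanner): the classic "specially crafted regex" problem is a pattern with nested quantifiers such as `^(a+)+$`, which backtracks exponentially on an input that almost matches. The pattern, the sample inputs and the `match_with_budget` helper below are all constructed for this example. The helper runs the match in a child process so that a runaway regex can be killed after a time budget, which is the kind of mitigation you would want before deciding that "authenticated users only" makes the finding safe to downgrade.

```python
import multiprocessing as mp
import re

# Constructed example patterns. The nested quantifier in EVIL_PATTERN makes
# Python's backtracking engine try roughly 2^(n-1) ways to split n 'a's
# before it can conclude that a trailing non-'a' character means no match.
EVIL_PATTERN = r"^(a+)+$"
SAFE_PATTERN = r"^a+$"   # same language, no nested quantifier, linear time


def _worker(pattern, text, conn):
    """Child-process body: run the match and report the boolean result."""
    conn.send(re.match(pattern, text) is not None)
    conn.close()


def match_with_budget(pattern, text, seconds=2.0):
    """Match `pattern` against `text` in a child process.

    Returns True/False for a match that finished within `seconds`, or None if
    the regex blew its time budget (the child is terminated in that case).
    A generous default budget is used so that process start-up is never
    mistaken for a slow regex.
    """
    parent, child = mp.Pipe(duplex=False)
    proc = mp.Process(target=_worker, args=(pattern, text, child))
    proc.start()
    child.close()  # parent keeps only the read end
    result = parent.recv() if parent.poll(seconds) else None
    proc.terminate()  # harmless if the child already exited
    proc.join()
    parent.close()
    return result


# Constructed inputs: a benign value and one crafted to trigger backtracking.
BENIGN_INPUT = "a" * 40
CRAFTED_INPUT = "a" * 40 + "!"


def demo():
    """Return (evil-on-benign, evil-on-crafted, safe-on-crafted) results."""
    return (
        match_with_budget(EVIL_PATTERN, BENIGN_INPUT),   # True, instant
        match_with_budget(EVIL_PATTERN, CRAFTED_INPUT),  # None, killed
        match_with_budget(SAFE_PATTERN, CRAFTED_INPUT),  # False, instant
    )


if __name__ == "__main__":
    for label, value in zip(("evil/benign", "evil/crafted", "safe/crafted"), demo()):
        print(f"{label}: {value}")
```

The point of running it: the benign input matches immediately even under the bad pattern, so ordinary testing never shows a problem; only the crafted input, which any authenticated user of an internal tool could submit, pins a worker until the budget expires. Rewriting to the equivalent un-nested pattern removes the issue rather than just bounding it.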
>Then supposedly major alerts start to feel normal
Major alerts should feel normal. I should have said that you shouldn't feel alarmed instead of suggesting that it shouldn't be treated as an event. Maybe that doesn't quite capture what I mean, but you should get the picture. You should be prepared to handle them. Unfortunately, security defects are to be expected and it shouldn't be a surprise that they might exist in your system.
>and when there is an actually major alert nobody has a sense of urgency about it.
Why? You should be urgent with all security issues. You shouldn't have people putting off security updates because they are minor.
Sure, but it's like the boy who cried wolf. If the tool keeps saying things are a bigger issue than they are, then people will stop believing the tool.
See also almost every oil refinery catastrophe. "It's normal for that alarm to go off/to not go off, or for that minor leak to flare up from time to time" and then one day the ignored or missed alert could've prevented death.