Auto-triage rules for Dependabot #54290
Replies: 17 comments 37 replies
-
We are on GHEC, and like the ability to be able to enable Dependabot at an org level. Will you consider adding an option to allow organisation administrators to enable auto-dismissal across all repositories, rather than having to do this on a repo-by-repo basis? |
Beta Was this translation helpful? Give feedback.
-
Would love to see support for |
Beta Was this translation helpful? Give feedback.
-
HI @erinhav 👋
|
Beta Was this translation helpful? Give feedback.
-
This is a great feature which would help us to reduce alert noise. However, after I enabled the auto-dismiss feature for a private repo, I was surprised to discover after a few days that dependabot had auto-dismissed all open alerts (besides NPM also PIP dependencies which are not even supported according to the docs). I looked at a few alerts to see if the CWEs match the published low impact list but also failed to see a match there. Something clearly seems to be wrong here! Regarding alert custom rules: It would be great to have the option to auto-dismiss alerts of certain severity levels (e.g. everything low or moderate), configurable per repository and ideally also being able to set an organization default. |
Beta Was this translation helpful? Give feedback.
-
Dependabot’s new auto-dismissal feature is a great addition to the tool. It helps to reduce the number of alerts that need immediate assessment, without compromising on any potentially concerning alerts. This feature is made possible by GitHub-curated vulnerability patterns, which take into account contextual information about how you’re using the dependency in order to substantially reduce the number of alerts that make it to your inbox. The initial release focuses on a subset of low impact development-scoped (devDependency) alerts for npm. If you’ve had a chance to try out the beta feature, GitHub would love to hear your feedback on what’s working for you, what needs to change, and which cases of vulnerabilities you’d like them to tackle next! Additionally, custom alert rules are also being introduced, allowing users to write their own logic in order to let Dependabot know which alerts should get a Dependabot pull request, and perhaps even which high-risk alerts should be auto-merged after passing built-in guardrails. This is an exciting development and I’m looking forward to seeing how it evolves! Is there anything else you would like to know? 😊 |
Beta Was this translation helpful? Give feedback.
-
This is a highly desirable feature for us since dependabot has been generating a lot of noise with false positives and with it some friction with developers - however rolling this out on a repo by repo basis is problematic for us (few thousand repos) - what's the timeline to have this available as an org-level UI setting OR exposed at REST API level? |
Beta Was this translation helpful? Give feedback.
-
I haven't seen how to turn this on, but from the blog post it sounds like we could maybe say certain sub dependencies, or dev vs prod, can be auto dismissed. I think that is not going to be enough. What I would like to be able to say is something like
So say my list of acceptable root dependencies is Package A Package B Package C Also, I would like to be able to set this up at the org level. |
Beta Was this translation helpful? Give feedback.
-
Could this functionality be enhanced for general dependency handling regardless of security implications? E.g. we keep getting dependabot alerts about latest version of @types/node (20.x.x) even though we're using Node v18 (LTS). So we would like to suppress alerts and have visibility on those suppressions. The current workflow of searching for |
Beta Was this translation helpful? Give feedback.
-
I would loke to have an OR operator in rule's criteria field. Something like: |
Beta Was this translation helpful? Give feedback.
-
Dependabot keeps flagging older versions that are in my NuGet migration backups. We are on the current version but get these false positives from our backups. It's a nuisance warning. |
Beta Was this translation helpful? Give feedback.
-
It doesn't seem to catch much in my Ruby or PHP based repositories. Would be good if it did more for those. But, for NuGet and .NET it works great. |
Beta Was this translation helpful? Give feedback.
-
I don't know if this is the right place to report this, but I have a problem that GitHub considers all dependencies as "runtime dependencies", even though they are only included as transitive dependencies of |
Beta Was this translation helpful? Give feedback.
-
@carogalvin A realization that I am having is that I would like to be able to apply dependabot rules to specific repos based on property or tags. This way I can auto create dependabot PRs for only my Production tagged repos as an example or entirely close out alerts for sandbox repos. |
Beta Was this translation helpful? Give feedback.
-
I'd love the ability to be able to ignore certain directories from Dependabot. For instance with WordPress sites you'd want to ignore the /plugins/ directory since that code is really managed by a separate team. But you'd still want to know about warnings from code your team owns. |
Beta Was this translation helpful? Give feedback.
-
I would love a preset for disabling the DDoS kind of security alerts. For eg. all dev tool projects I don't want to get DDoS-related notifications. I may have managed to solve it through this one, but there are likely more CWE-numbers than that one: |
Beta Was this translation helpful? Give feedback.
-
While working on Organization-level rules, we found a limitation. If we are working on a new rule that we'd like to eventually roll out to some of our repos, we don't have a way to do that. We have to |
Beta Was this translation helpful? Give feedback.
-
Noticed after enabling the default Dependabot auto-triage rule that critical updates were being dismissed. In this case, a prototype pollution vulnerability in |
Beta Was this translation helpful? Give feedback.
-
What do you think about Dependabot's new auto-triage feature?
At GitHub, we’ve been thinking deeply about how to responsibly address long-running issues around alert fatigue and false positives. Rather than over-indexing on one or two criteria like reachability or dependency scope, we believe that a responsibly-designed solution should be able to detect and reason on a rich set of complex, contextual alert metadata.
That’s why, moving forward, we’re releasing a series of ships powered by an underlying, all-new, flexible and powerful alert rules engine!
If you’ve had a chance to try out the beta feature, we'd love to hear your feedback on 1) what's working for you, 2) what needs to change, and 3) what you'd like us to tackle next!
What are auto-triage rules?
Auto-triage rules help you responsibly reduce the amount of alerts needing immediate assessment, without compromising on any potentially concerning alerts. GitHub curates suggested rulesets for everyone, which have caught millions of false positive alerts since the May 2 release. For those that need more control, custom rules are available to help you scale your security strategy based on your risk tolerance and unique contextual needs.
📖 Helpful information:
Beta Was this translation helpful? Give feedback.
All reactions