How to GET the list of dependabot alerts via GitHub API?

How can I GET the list of dependabot alerts available at https://github.com/{user}/{repo}/security/dependabot?page=1&q=is%3Aopen via the GitHub API?

I searched through the documentation but couldn't find anything there.

Thanks!

大朱雀 asked Feb 24 '21 17:02


People also ask

What is GitHub Dependabot?

Dependabot checks for outdated dependencies as soon as it's enabled. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates.

How do I remove Dependabot alert?

Open your repo and go to Settings. Click on Code security and analysis in the Security subsection. There you will find the Dependabot settings, with a Disable button for turning off the automated advisories.


1 Answer

There is this RepositoryVulnerabilityAlert object available with the Graphql API.

For example for a specific repository, you can get all the alerts with the following query (check this out in the explorer) :

{
    repository(name: "repo-name", owner: "repo-owner") {
        vulnerabilityAlerts(first: 100) {
            nodes {
                createdAt
                dismissedAt
                securityVulnerability {
                    package {
                        name
                    }
                    advisory {
                        description
                    }
                }
            }
        }
    }
}

It also returns alerts that were dismissed, which can be spotted using the dismissedAt field. But there doesn't seem to be a way to filter only "active" alerts.

Sample output:

{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "createdAt": "2018-03-05T19:13:26Z",
            "dismissedAt": null,
            "securityVulnerability": {
              "package": {
                "name": "moment"
              },
              "advisory": {
                "description": "Affected versions of `moment` are vulnerable to a low severity regular expression denial of service when parsing dates as strings.\n\n\n## Recommendation\n\nUpdate to version 2.19.3 or later."
              }
            }
          },
          ....
        ]
      }
    }
  }
}
Bertrand Martel answered Oct 15 '22 03:10
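The answer above shows a single query and notes that dismissed alerts come back mixed in with open ones. The following script is an added example, not code from the original answer or from GitHub: it sends the same query with `pageInfo`/`after` added so repositories with more than 100 alerts are paged through, and it drops dismissed alerts client-side by checking `dismissedAt`. The network call is isolated in `fetch_page()` so that `parse_alerts()` can be exercised offline on the constructed `SAMPLE_RESPONSE`. The repository name `repo-owner`/`repo-name`, the `GITHUB_TOKEN` environment variable and the sample data are assumptions for illustration.

```python
"""Added example: list open Dependabot alerts via the GitHub GraphQL API.
Not part of the original answer; SAMPLE_RESPONSE below is constructed data."""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Same fields as the answer's query, plus pageInfo so the `after` cursor can
# be used to walk past the first 100 alerts.
QUERY = """
query($owner: String!, $name: String!, $after: String) {
  repository(owner: $owner, name: $name) {
    vulnerabilityAlerts(first: 100, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes {
        createdAt
        dismissedAt
        securityVulnerability {
          package { name }
          advisory { description }
        }
      }
    }
  }
}
"""


def fetch_page(owner, name, token, after=None):
    """POST one page of the query to the GraphQL endpoint (network call)."""
    body = json.dumps({"query": QUERY,
                       "variables": {"owner": owner, "name": name, "after": after}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_alerts(response, include_dismissed=False):
    """Flatten one response page into alert dicts and return (alerts, pageInfo).

    Alerts with a non-null dismissedAt are dropped unless include_dismissed is
    set, because the API returns them alongside open ones.
    """
    if "errors" in response:  # GraphQL reports errors with HTTP 200
        raise RuntimeError(response["errors"])
    conn = response["data"]["repository"]["vulnerabilityAlerts"]
    alerts = []
    for node in conn["nodes"]:
        if node["dismissedAt"] is not None and not include_dismissed:
            continue
        vuln = node["securityVulnerability"]
        alerts.append({
            "package": vuln["package"]["name"],
            "createdAt": node["createdAt"],
            "dismissedAt": node["dismissedAt"],
            # first line of the advisory text, the rest is usually remediation
            "summary": vuln["advisory"]["description"].split("\n", 1)[0],
        })
    return alerts, conn["pageInfo"]


def list_open_alerts(owner, name, token):
    """Follow the cursor until hasNextPage is false; return all open alerts."""
    alerts, after = [], None
    while True:
        page_alerts, page_info = parse_alerts(fetch_page(owner, name, token, after))
        alerts.extend(page_alerts)
        if not page_info["hasNextPage"]:
            return alerts
        after = page_info["endCursor"]


# Constructed sample shaped like the answer's output: one open, one dismissed.
SAMPLE_RESPONSE = {"data": {"repository": {"vulnerabilityAlerts": {
    "pageInfo": {"hasNextPage": False, "endCursor": "Y3Vyc29yOnYyOpHOAAABAA=="},
    "nodes": [
        {"createdAt": "2018-03-05T19:13:26Z", "dismissedAt": None,
         "securityVulnerability": {"package": {"name": "moment"}, "advisory": {
             "description": "Affected versions of `moment` are vulnerable to a "
                            "regular expression denial of service.\n\n## "
                            "Recommendation\n\nUpdate to version 2.19.3 or later."}}},
        {"createdAt": "2020-11-02T08:00:00Z", "dismissedAt": "2021-02-24T17:02:00Z",
         "securityVulnerability": {"package": {"name": "lodash"}, "advisory": {
             "description": "Prototype pollution in lodash.\n\nUpdate lodash."}}},
    ]}}}}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed token source
    if token:
        found = list_open_alerts("repo-owner", "repo-name", token)
    else:  # offline: run the parser over the constructed sample
        found, _ = parse_alerts(SAMPLE_RESPONSE)
    for a in found:
        print(f'{a["createdAt"]}  {a["package"]:20s} {a["summary"]}')
```

Run it with a token in `GITHUB_TOKEN` to query a real repository, or without one to see the filter applied to the sample. The token must be permitted to read vulnerability alerts for the repository; which scope or fine-grained permission that requires is not stated on this page, so check GitHub's documentation for your setup.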