🚨 Dependabot alerts REST API is now available in public beta

[erinhav]

You can now programmatically view and act on Dependabot alerts via the REST API. New endpoints to view, list, and update Dependabot alerts are available in a public beta. This release covers alerts in a repository-scoped list. We're working on some follow-up ships, including organization and enterprise-level lists.

How are you using the Dependabot alerts API? What feedback do you have for us? Please let us know -- we ❤️ your feedback!

[tjcorr]

One thing that would be nice is if the REST API include the id of each alert to provide consistency with graphql (the id under the node object) and the node_id of the webhook event repository_vulnerability_alert. Right now the only shared identifier is the number field.

[SalimBensiali]

Is being able to update other fields on dependabot alerts in scope in the future? Currently one is only able to dismiss or reopen a dependabot alert.
I would love to be able t programmatically trigger a dependabot pull request creation similar to what is being done on the Github UI.
Also I would love to be to be able to set in additional metadata on a dependabot alert.

[erinhav]

👋 what kind of fields/metadata would you want to update?

[SalimBensiali]

To begin with, being able to update the scope would suffice in my current use case.

[t4nguy3n]

@erinhav Could you help review this question? https://github.com/orgs/community/discussions/61417 Thank you

[wildan3105]

Hi @erinhav, is there any roadmap to add API to get the statistics of dependabot alerts on top of the current APIs? Essentially, I want to get a formatted data via API that can be displayed like this page: https://github.com/orgs/:org_name/security/risk (how many open and closed security issues, etc.)

Appreciate any response to this 🙇

[kellyarwine]

Hey @wildan3105,

I appreciate your message! We're on the brink of launching a security overview dashboard that'll shed more light on your Dependabot alerts, alongside code scanning and secret scanning alerts. After gathering feedback and refining, we're planning to release an API to back the dashboard. This will allow you to fetch summary counts without downloading each alert individually.

Look out for the dashboard release at Universe, and anticipate the API roll-out in the first quarter of 2024.

If you'd like to see a preview of the dashboard, I'd love to show it to you. Book a session for an exclusive walkthrough of the security overview dashboard and as a thank you, I'll ensure you're among the first to access it during its private beta launch. NOTE: I will circle back and delete this last paragraph in 7 days to avoid spam.

[coopernetes]

Hi all, just a quick note. GET /enterprises/{enterprise}/dependabot/alerts returns an empty array. I have the correct permissions (org owner on multiple orgs in an Enterprise instance) and still cannot view alerts according to the docs. Thanks!

https://docs.github.com/en/enterprise-cloud@latest/rest/dependabot/alerts?apiVersion=2022-11-28#list-dependabot-alerts-for-an-enterprise

[dustincox-rouse]

Hi @erinhav, We could really use the re-opened the re-opened date on the GHAS side. For example on the UI we have "dependabot reopened this ... last week. Otherwise it's throwing off our vulnerability management since the original time it saw it was years ago. Is there any way we can add in the last reopened date? Thank you

[carogalvin]

@dustincox-rouse thanks for that feedback! We're not actively working in this area right now, but I've logged your request for the future!

[lux-capacitor]

Would also like this made available, seeing a dependabot alert saying "500 days old" because it resurfaced a week ago is pretty frustrating. If this is expected to be of any use to enterprise I need to know when an item came back up, not when it first ever appeared anywhere.

[Lewa4444]

@tjcorr

[mattsalves]

The release of the Dependabot alerts REST API marks a significant step towards enhancing the security and stability of our development ecosystems. This programmatic integration not only streamlines dependency management but also fosters a culture of automation and accountability, empowering teams to proactively respond to vulnerabilities and keep their projects up-to-date and resilient.