Skip to main content
 

 

Dependabot alerts

With the Dependabot alerts API, you can view and manage Dependabot alerts for a repository.

Note: The Dependabot alerts API is currently in public beta and subject to change.

About the Dependabot alerts API

The Dependabot alerts API lets you view Dependabot alerts for a repository and update individual alerts. For more information, see "About Dependabot alerts."

List Dependabot alerts for a repository

Works with GitHub Apps

You must use an access token with the security_events scope to use this endpoint with private repositories. You can also use tokens with the public_repo scope for public repositories only. GitHub Apps must have Dependabot alerts read permission to use this endpoint.

Parameters

Headers
acceptstring

Setting to application/vnd.github+json is recommended.

Path parameters
ownerstringRequired

The account owner of the repository. The name is not case sensitive.

repostringRequired

The name of the repository. The name is not case sensitive.

Query parameters
statestring

A comma-separated list of states. If specified, only alerts with these states will be returned.

Can be: dismissed, fixed, open

severitystring

A comma-separated list of severities. If specified, only alerts with these severities will be returned.

Can be: low, medium, high, critical

ecosystemstring

A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.

Can be: composer, go, maven, npm, nuget, pip, rubygems, rust

packagestring

A comma-separated list of package names. If specified, only alerts for these packages will be returned.

manifeststring

A comma-separated list of full manifest paths. If specified, only alerts for these manifests will be returned.

scopestringnull

Scope of the dependency on a Dependabot alert.

Can be one of: development, runtime,

sortstring

The property by which to sort the results. created means when the alert was created. updated means when the alert's state last changed.

Default: created

Can be one of: created, updated

directionstring

The direction to sort the results by.

Default: desc

Can be one of: asc, desc

pageinteger

Page number of the results to fetch.

Default: 1

per_pageinteger

The number of results per page (max 100).

Default: 30

HTTP response status codes

Status codeDescription
200

OK

304

Not modified

403

Forbidden

404

Resource not found

422

Validation failed

Code samples

get/repos/{owner}/{repo}/dependabot/alerts
curl \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ https://api.github.com/repos/OWNER/REPO/dependabot/alerts

Response

Status: 200
[ { "number": 2, "state": "dismissed", "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-rf4j-j272-fj86", "cve_id": "CVE-2018-6188", "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive", "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", "severity": "high", "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" }, { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" }, { "url": "https://usn.ubuntu.com/3559-1/" }, { "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/" }, { "url": "http://www.securitytracker.com/id/1040422" } ], "published_at": "2018-10-03T21:13:54Z", "updated_at": "2022-04-26T18:35:37Z", "withdrawn_at": null, "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } } ], "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwes": [ { "cwe_id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" } ] }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/2", "html_url": "https://github.com/octocat/hello-world/security/dependabot/2", "created_at": "2022-06-15T07:43:03Z", "updated_at": "2022-08-23T14:29:47Z", "dismissed_at": "2022-08-23T14:29:47Z", "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "dismissed_reason": "tolerable_risk", "dismissed_comment": "This alert is accurate but we use a sanitizer.", "fixed_at": null }, { "number": 1, "state": "open", "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-8f4m-hccc-8qph", "cve_id": "CVE-2021-20191", "summary": "Insertion of Sensitive Information into Log File in ansible", "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.", "severity": "medium", "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" }, { "url": "https://access.redhat.com/security/cve/cve-2021-20191" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" } ], "published_at": "2021-06-01T17:38:00Z", "updated_at": "2021-08-12T23:06:00Z", "withdrawn_at": null, "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" } ] }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/1", "html_url": "https://github.com/octocat/hello-world/security/dependabot/1", "created_at": "2022-06-14T15:21:52Z", "updated_at": "2022-06-14T15:21:52Z", "dismissed_at": null, "dismissed_by": null, "dismissed_reason": null, "dismissed_comment": null, "fixed_at": null } ]

Get a Dependabot alert

Works with GitHub Apps

You must use an access token with the security_events scope to use this endpoint with private repositories. You can also use tokens with the public_repo scope for public repositories only. GitHub Apps must have Dependabot alerts read permission to use this endpoint.

Parameters

Headers
acceptstring

Setting to application/vnd.github+json is recommended.

Path parameters
ownerstringRequired

The account owner of the repository. The name is not case sensitive.

repostringRequired

The name of the repository. The name is not case sensitive.

alert_numberintegerRequired

The number that identifies a Dependabot alert in its repository. You can find this at the end of the URL for a Dependabot alert within GitHub, or in number fields in the response from the GET /repos/{owner}/{repo}/dependabot/alerts operation.

HTTP response status codes

Status codeDescription
200

OK

304

Not modified

403

Forbidden

404

Resource not found

Code samples

get/repos/{owner}/{repo}/dependabot/alerts/{alert_number}
curl \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER

Response

Status: 200
{ "number": 1, "state": "open", "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-8f4m-hccc-8qph", "cve_id": "CVE-2021-20191", "summary": "Insertion of Sensitive Information into Log File in ansible", "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.", "severity": "medium", "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" }, { "url": "https://access.redhat.com/security/cve/cve-2021-20191" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" } ], "published_at": "2021-06-01T17:38:00Z", "updated_at": "2021-08-12T23:06:00Z", "withdrawn_at": null, "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" } ] }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/1", "html_url": "https://github.com/octocat/hello-world/security/dependabot/1", "created_at": "2022-06-14T15:21:52Z", "updated_at": "2022-06-14T15:21:52Z", "dismissed_at": null, "dismissed_by": null, "dismissed_reason": null, "dismissed_comment": null, "fixed_at": null }

Update a Dependabot alert

Works with GitHub Apps

You must use an access token with the security_events scope to use this endpoint with private repositories. You can also use tokens with the public_repo scope for public repositories only. GitHub Apps must have Dependabot alerts write permission to use this endpoint.

Parameters

Headers
acceptstring

Setting to application/vnd.github+json is recommended.

Path parameters
ownerstringRequired

The account owner of the repository. The name is not case sensitive.

repostringRequired

The name of the repository. The name is not case sensitive.

alert_numberintegerRequired

The number that identifies a Dependabot alert in its repository. You can find this at the end of the URL for a Dependabot alert within GitHub, or in number fields in the response from the GET /repos/{owner}/{repo}/dependabot/alerts operation.

Body parameters
statestringRequired

Sets the status of the dependabot alert. You must provide dismissed_reason when you set the state to dismissed.

Can be one of: dismissed, open

dismissed_reasonstring or null

Required when the state is dismissed. The reason for dismissing the Dependabot alert.

Can be one of: fix_started, inaccurate, no_bandwidth, not_used, tolerable_risk,

dismissed_commentstring or null

An optional comment associated with the alert's dismissal. The maximum size is 280 characters.

HTTP response status codes

Status codeDescription
200

OK

304

Not modified

400

Bad Request

403

Forbidden

404

Resource not found

409

Conflict

422

Validation failed

Code samples

patch/repos/{owner}/{repo}/dependabot/alerts/{alert_number}
curl \ -X PATCH \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER \ -d '{"state":"dismissed","dismissed_reason":"tolerable_risk","dismissed_comment":"This alert is accurate but we use a sanitizer."}'

Response

Status: 200
{ "number": 2, "state": "dismissed", "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-rf4j-j272-fj86", "cve_id": "CVE-2018-6188", "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive", "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", "severity": "high", "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" }, { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" }, { "url": "https://usn.ubuntu.com/3559-1/" }, { "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/" }, { "url": "http://www.securitytracker.com/id/1040422" } ], "published_at": "2018-10-03T21:13:54Z", "updated_at": "2022-04-26T18:35:37Z", "withdrawn_at": null, "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } } ], "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwes": [ { "cwe_id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" } ] }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/2", "html_url": "https://github.com/octocat/hello-world/security/dependabot/2", "created_at": "2022-06-15T07:43:03Z", "updated_at": "2022-08-23T14:29:47Z", "dismissed_at": "2022-08-23T14:29:47Z", "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "dismissed_reason": "tolerable_risk", "dismissed_comment": "This alert is accurate but we use a sanitizer.", "fixed_at": null }