
Customizing alert rules to prioritize Dependabot alerts

You can create your own alert rules to auto-triage alerts.

Who can use this feature

People with write permissions can view Dependabot alert rules for the repository. People with admin permissions to a repository, or the security manager role for the repository, can enable or disable Dependabot alert rules for the repository, as well as create custom alert rules.

Custom alert rules for Dependabot alerts are available on any public repositories (for free), and on any private repositories, when you have a license for GitHub Advanced Security.

Note: Dependabot alert rules are currently in beta and are subject to change.

About custom alert rules

You can create your own Dependabot alert rules based on alert criteria. You can choose to auto-dismiss alerts indefinitely, or snooze alerts until a patch becomes available. Since any rules that you create apply to both future and current alerts, you can also use alert rules to manage your Dependabot alerts in bulk.

You can create rules using the following criteria:

  • Dependency scope (devDependency or runtime)
  • Package name
  • CWE
  • Severity
  • Patch availability
  • Manifest path
  • Ecosystem
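To make the auto-triage semantics concrete, the following is an added example written for this page; it is not GitHub's code, and the `Alert` and `Rule` classes, the criteria keys and the action names are assumptions of the example rather than GitHub's schema. It evaluates the seven criteria above against a set of constructed alerts, applies the two actions the page describes (dismiss indefinitely, or snooze until a patch is available), and shows why re-running the rules matters: a snoozed alert is reopened once a fix appears, while a dismissed one stays dismissed.

```python
"""Hypothetical auto-triage engine modelled on the Dependabot alert-rule
criteria listed above. Added illustration; not GitHub's code or data model."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Alert:
    number: int
    package: str
    ecosystem: str            # e.g. "npm", "pip"
    manifest_path: str        # path of the manifest that pulled the dependency in
    scope: str                # "development" or "runtime"
    severity: str             # "low", "medium", "high" or "critical"
    cwes: tuple               # CWE ids attached to the advisory, e.g. ("CWE-400",)
    patch_available: bool
    state: str = "open"       # "open", "dismissed" or "snoozed"


@dataclass
class Rule:
    name: str
    criteria: dict            # any subset of the seven criteria keys used in matches()
    action: str               # "dismiss" (indefinitely) or "snooze_until_patch"


def matches(rule: Rule, alert: Alert) -> bool:
    """True when every criterion present in the rule holds for the alert.
    A rule with no criteria matches every alert."""
    c = rule.criteria
    if "scope" in c and alert.scope != c["scope"]:
        return False
    if "package" in c and alert.package not in c["package"]:
        return False
    if "cwe" in c and not set(c["cwe"]) & set(alert.cwes):
        return False
    if "severity" in c and alert.severity not in c["severity"]:
        return False
    if "patch_available" in c and alert.patch_available != c["patch_available"]:
        return False
    if "manifest_path" in c and not fnmatch.fnmatch(alert.manifest_path, c["manifest_path"]):
        return False
    if "ecosystem" in c and alert.ecosystem not in c["ecosystem"]:
        return False
    return True


def triage(alerts: List[Alert], rules: List[Rule]) -> Dict[int, str]:
    """Apply the rules to every alert, current and future alike, and return
    {alert number: resulting state}. Run it again whenever alert data changes:
    a snoozed alert whose patch has since appeared is reopened, and a
    dismissed alert is never touched again. The first matching rule wins."""
    for alert in alerts:
        if alert.state == "dismissed":
            continue                                   # dismissed indefinitely
        if alert.state == "snoozed" and alert.patch_available:
            alert.state = "open"                       # snooze ends once a fix exists
        if alert.state != "open":
            continue
        rule = next((r for r in rules if matches(r, alert)), None)
        if rule is None:
            continue
        if rule.action == "dismiss":
            alert.state = "dismissed"
        elif rule.action == "snooze_until_patch" and not alert.patch_available:
            alert.state = "snoozed"
    return {a.number: a.state for a in alerts}


# Constructed sample alerts and rules; package names and CWEs are placeholders.
SAMPLE_ALERTS = [
    Alert(1, "http-client", "npm", "package-lock.json", "runtime", "high", ("CWE-1321",), True),
    Alert(2, "test-runner", "npm", "package-lock.json", "development", "low", ("CWE-400",), True),
    Alert(3, "tls-helper", "pip", "requirements.txt", "runtime", "medium", ("CWE-295",), False),
    Alert(4, "dev-fixture", "pip", "requirements-dev.txt", "development", "high", ("CWE-22",), False),
]
SAMPLE_RULES = [
    Rule("Dismiss low/medium alerts in dev dependencies",
         {"scope": "development", "severity": {"low", "medium"}}, "dismiss"),
    Rule("Snooze alerts that have no patch yet",
         {"patch_available": False}, "snooze_until_patch"),
]


def demo() -> Dict[str, Dict[int, str]]:
    """First pass, then a second pass after a fix for alert 3 is published."""
    alerts = [Alert(**vars(a)) for a in SAMPLE_ALERTS]   # copy so reruns start fresh
    first = dict(triage(alerts, SAMPLE_RULES))
    alerts[2].patch_available = True                     # a patch for alert 3 appears
    second = triage(alerts, SAMPLE_RULES)
    return {"first": first, "second": second}


if __name__ == "__main__":
    for label, states in demo().items():
        print(label, states)
```

In the first pass alert 2 is dismissed, alerts 3 and 4 are snoozed, and alert 1 (a patched runtime dependency) is left open for a human to handle; in the second pass alert 3 reopens because its patch now exists, while alert 4 stays snoozed and alert 2 stays dismissed. Rule order matters because the first match wins, so put the narrowest rules first when you create them.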

Adding a custom rule to your repository

You can add a custom rule to your public and private repositories.

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted with a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Dependabot alerts", click the gear icon next to "Dependabot rules".

    Screenshot of the "Code security and analysis" page for a repository. The gear icon is highlighted with an orange outline.

  5. Click New ruleset.

    Screenshot of the "Code security and analysis" page for a repository. The gear icon is highlighted with an orange outline.

  6. Under "Name", describe what this rule will do.

  7. Under "Alert criteria", select the criteria you want to use to filter alerts.

  8. Under "Rules", select the action you want to take on alerts that match the criteria.

  9. Click Create rule.