Customizing alert rules to prioritize Dependabot alerts

In diesem Artikel

You can create your own alert rules to auto-triage alerts.

Wer kann dieses Feature verwenden?

People with write permissions can view Dependabot alert rules for the repository. People with with admin permissions to a repository, or the security manager role for the repository, can enable or disable Dependabot alert rules for the repository, as well as create custom alert rules

Custom alert rules for Dependabot alerts are available on any public repositories (for free), and on any private repositories, when you have a license for GitHub Advanced Security.

Note: Dependabot alert rules are currently in beta and are subject to change.

About custom alert rules

You can create your own Dependabot alert rules based on alert criteria. You can choose to auto-dismiss alerts indefinitely, or snooze alerts until a patch becomes available. Since any rules that you create apply to both future and current alerts, you can also use alert rules to manage your Dependabot alerts in bulk.

You can create rules using the following criteria:

Dependency scope (devDependency or runtime)
Package name
CWE
Severity
Patch availability
Manifest path
Ecosystem

Adding a custom rule to your repository

You can add a custom rule to your public and private repositories.

Navigiere auf GitHub.com zur Hauptseite des Repositorys.
Wähle unter dem Namen deines Repositorys die Option Einstellungen aus. Wenn die Registerkarte „Einstellungen“ nicht angezeigt wird, wähle im Dropdownmenü die Option Einstellungen aus.
Klicke im Abschnitt „Sicherheit“ auf der Randleiste auf Codesicherheit und -analyse.
Under "Dependabot alerts", click close to "Dependabot rules".
Click New ruleset.
Under "Name", describe what this rule will do.
Under "Alert criteria", select the criteria you want to use to filter alerts.
Under "Rules", select the action you want to take on alerts that match the criteria.
Click Create rule.