Skip to content

Latest commit

 

History

History
66 lines (44 loc) · 5.07 KB

about-dependabot-auto-triage-rules.md

File metadata and controls

66 lines (44 loc) · 5.07 KB
title intro product versions type topics shortTitle redirect_from
About Dependabot auto-triage rules
{% data variables.dependabot.auto_triage_rules %} are a powerful tool to help you better manage your security alerts at scale. {% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %} that you can use to filter out a substantial amount of false positives. {% data variables.dependabot.custom_rules_caps %} provide control over which alerts are ignored, snoozed, or trigger a {% data variables.product.prodname_dependabot %} security update to resolve the alert.
{% data reusables.gated-features.dependabot-auto-triage-rules %}
feature
dependabot-auto-triage-rules
overview
Dependabot
Alerts
Vulnerabilities
Repositories
Dependencies
About auto-triage rules
/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts
/code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules

About {% data variables.dependabot.auto_triage_rules %}

{% data variables.dependabot.auto_triage_rules %} allow you to instruct {% data variables.product.prodname_dependabot %} to automatically triage {% data variables.product.prodname_dependabot_alerts %}. You can use {% data variables.dependabot.auto_triage_rules_short %} to automatically dismiss or snooze certain alerts, or specify the alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for.

There are two types of {% data variables.dependabot.auto_triage_rules %}:

  • {% data variables.dependabot.github_presets %}
  • {% data variables.dependabot.custom_rules_caps %}

About {% data variables.dependabot.github_presets %}

{% note %}

{% data reusables.dependabot.dependabot-github-preset-auto-triage-rules %}

{% endnote %}

{% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %}. {% data reusables.dependabot.dismiss-low-impact-rule %}

The rule is enabled by default for public repositories and can be opted into for private repositories. You can enable the rule for a private repository via the Settings tab for the repository. For more information, see "Enabling the Dismiss low impact issues for development-scoped dependencies rule for your private repository."

About {% data variables.dependabot.custom_rules %}

{% note %}

{% data reusables.gated-features.dependabot-custom-auto-triage-rules %}

{% endnote %}

With {% data variables.dependabot.custom_rules %}, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see "AUTOTITLE."

You can create custom rules from the Settings tab of the repository{% ifversion ghec or ghes %}, provided the repository belongs to an organization that has a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}. For more information, see "Adding custom auto-triage rules to your repository."

About auto-dismissing alerts

Whilst you may find it useful to use auto-triage rules to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see "AUTOTITLE."

Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example:

  • If you change the scope of a dependency from development to production.
  • If {% data variables.product.company_short %} modifies certain metadata for the related advisory.

Auto-dismissed alerts are defined by the resolution:auto-dismiss close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see "AUTOTITLE," and the "repository_vulnerability_alert" section in "AUTOTITLE."

Further reading