GitHub sends Dependabot alerts when it detects that your repository uses a vulnerable dependency or malware.
For more information, see About Dependabot alerts if you are not yet familiar with Dependabot.
GitHub announced that the Dependabot alerts REST API is now available in public beta.
Endpoints
You must use an access token with the security_events
scope to call these endpoints on private repositories. A token with the public_repo
scope is sufficient for public repositories only.
List Dependabot alerts for a repository
GitHub Apps must have Dependabot alerts read permission to use this endpoint.
curl \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts
Get a Dependabot alert
GitHub Apps must have Dependabot alerts read permission to use this endpoint.
curl \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER
Update a Dependabot alert
GitHub Apps must have Dependabot alerts write permission to use this endpoint.
curl \
  -X PATCH \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER \
  -d '{"state":"dismissed","dismissed_reason":"tolerable_risk","dismissed_comment":"This alert is correct but we use a sanitizer."}'
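The three curl calls above are the raw endpoints; in practice you script them, pull the alert list page by page, keep only what is still open and severe enough to act on, and dismiss the rest with a reason the API will accept. The script below is an added example written for this page, not GitHub's own code. It builds the same GET and PATCH requests as the curl commands with the standard library, validates the dismissal reason and comment locally before anything is sent, and triages a constructed sample of the list response. The alert fields it reads (number, state, security_advisory.severity, dependency.package.name) and the state, severity, per_page and page query parameters follow the GitHub REST API reference; the sample alerts, OWNER/REPO and the token value are invented for the demonstration.

```python
"""Triage Dependabot alerts through the REST API (added example, not GitHub's code)."""
import json
import urllib.parse
import urllib.request

API = "https://api.github.com"

# Dismissal reasons the PATCH endpoint accepts (GitHub REST API reference).
DISMISS_REASONS = {"fix_started", "inappropriate", "no_bandwidth",
                   "not_used", "tolerable_risk"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def auth_headers(token):
    """Same headers as the curl examples: JSON media type plus a bearer token."""
    return {"Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}"}


def list_alerts_request(owner, repo, token, state="open", severity=None, page=1):
    """Build the GET for /repos/{owner}/{repo}/dependabot/alerts.

    state, severity, per_page and page are query parameters of the list
    endpoint; per_page=100 is the largest page size, so fewer round trips.
    """
    params = {"state": state, "per_page": "100", "page": str(page)}
    if severity:
        params["severity"] = severity
    url = f"{API}/repos/{owner}/{repo}/dependabot/alerts?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers=auth_headers(token))


def dismiss_alert_request(owner, repo, number, token, reason, comment=""):
    """Build the PATCH that dismisses one alert.

    The reason is checked against the documented list and the comment against
    the API's 280-character limit before the request leaves the machine, so a
    typo fails locally instead of coming back as a 422 from GitHub.
    """
    if reason not in DISMISS_REASONS:
        raise ValueError(f"dismissed_reason must be one of {sorted(DISMISS_REASONS)}")
    if len(comment) > 280:
        raise ValueError("dismissed_comment is limited to 280 characters")
    body = json.dumps({"state": "dismissed", "dismissed_reason": reason,
                       "dismissed_comment": comment}).encode()
    url = f"{API}/repos/{owner}/{repo}/dependabot/alerts/{number}"
    headers = {**auth_headers(token), "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="PATCH")


def triage(alerts, min_severity="high"):
    """Return open alerts at or above min_severity, most severe first.

    Filtering client-side as well as with ?state=open is deliberate: a page
    fetched a moment ago can still contain alerts a colleague just dismissed.
    """
    floor = SEVERITY_RANK[min_severity]
    keep = [a for a in alerts
            if a["state"] == "open"
            and SEVERITY_RANK[a["security_advisory"]["severity"]] >= floor]
    return sorted(keep, key=lambda a: (-SEVERITY_RANK[a["security_advisory"]["severity"]],
                                       a["number"]))


def send(request):
    """Send a built request and decode the JSON body (this is the network call)."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)


# Constructed sample of a list response, trimmed to the fields used above.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "security_advisory": {"severity": "medium"},
     "dependency": {"package": {"name": "lodash"}}},
    {"number": 2, "state": "open",
     "security_advisory": {"severity": "critical"},
     "dependency": {"package": {"name": "minimist"}}},
    {"number": 3, "state": "dismissed",
     "security_advisory": {"severity": "critical"},
     "dependency": {"package": {"name": "node-fetch"}}},
    {"number": 4, "state": "open",
     "security_advisory": {"severity": "high"},
     "dependency": {"package": {"name": "ansi-regex"}}},
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(alert["number"], alert["security_advisory"]["severity"],
              alert["dependency"]["package"]["name"])
    # Against a real repository (assumed OWNER/REPO and token):
    #   alerts = send(list_alerts_request("OWNER", "REPO", token))
    #   send(dismiss_alert_request("OWNER", "REPO", 2, token,
    #                              "tolerable_risk", "Input is sanitized before use."))
```

Run as-is it prints the triaged sample (alert 2, then alert 4; alert 3 is dropped because it is already dismissed, alert 1 because it is below the high floor). Point send() at the built requests to work against a real repository; the token needs the security_events scope for a private repository, as noted above. Pagination is left to the caller: loop over page until a request returns an empty list.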