
Viewing metrics for Dependabot alerts

You can use the security overview to see how many Dependabot alerts exist for repositories in your organization, to identify the most important alerts, and to identify repositories where you may need to take action.

Who can use this feature?

Access requires:

Organizations owned by a GitHub Team account with GitHub Code Security, or by a GitHub Enterprise account with GitHub Code Security

You can view metrics for Dependabot alerts to track and prioritize vulnerabilities across your organization. For more information about the available metrics and how to use them, see About metrics for Dependabot alerts.

This article explains how to access and view these metrics for your organization.

Viewing metrics for Dependabot for an organization

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, under "Metrics", click Dependabot dashboard.

  4. Optionally, use the filters at your disposal, or build your own filters. See Dependabot dashboard view filters.

  5. Optionally, click on a number on the x-axis of the chart to filter the alert list by the relevant criteria (for example has:patch severity:critical,high epss_percentage:>=0.01).

  6. Optionally, click on an individual repository to see the associated Dependabot alerts.

Configuring funnel categories

The default funnel order is has:patch, severity:critical,high, epss_percentage>=0.01. By tailoring the funnel’s order, you and your teams can focus on the vulnerabilities that matter most to your organization, environments, or regulatory obligations, making remediation efforts more effective and aligned with your specific needs.

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, under "Metrics", click Dependabot dashboard.

  4. On the top right of the "Alert prioritization" graph, click .

  5. In the "Configure funnel order" dialog, move the criteria as desired.

  6. Once you're done, click Move to save your changes.

Tip

You can reset the funnel order back to the default settings by clicking Reset to default to the right of the graph.
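The funnel described above is an ordered chain of filters, and its stage order changes the intermediate counts you see on the chart while the final set of alerts stays the same. The following script is an added example, not GitHub's own code and not the shape returned by the Dependabot alerts API: it models the three default criteria (has:patch, severity:critical,high, epss_percentage:>=0.01) as predicates over a constructed list of alerts, computes the count remaining after each stage, shows the effect of reordering the stages, and breaks the surviving alerts down per repository the way the dashboard's repository view does. All repository and package names are placeholders.

```python
"""Added example (not GitHub's code): compute the Dependabot dashboard
'Alert prioritization' funnel over constructed alert data.

Funnel stages mirror the default filters named in the article:
  has:patch               -> a patched version of the dependency exists
  severity:critical,high  -> advisory severity is critical or high
  epss_percentage:>=0.01  -> EPSS exploitation probability is at least 1%

The Alert record below is a simplified, constructed shape for this example;
it is not the GitHub REST API payload.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    repo: str
    package: str
    severity: str           # "low" | "medium" | "high" | "critical"
    has_patch: bool         # True when a fixed version is available
    epss_percentage: float  # EPSS probability, 0.0 .. 1.0


# Constructed sample alerts (placeholder names, invented scores).
SAMPLE_ALERTS: List[Alert] = [
    Alert("web-app", "lib-alpha", "high", True, 0.42),
    Alert("web-app", "lib-beta", "critical", True, 0.003),
    Alert("api", "lib-gamma", "critical", False, 0.15),
    Alert("api", "lib-delta", "medium", True, 0.02),
    Alert("infra", "lib-epsilon", "critical", True, 0.97),
    Alert("infra", "lib-zeta", "high", True, 0.005),
    Alert("docs", "lib-eta", "low", True, 0.001),
]

Stage = Tuple[str, Callable[[Alert], bool]]

# Default funnel order from the article.
DEFAULT_FUNNEL: List[Stage] = [
    ("has:patch", lambda a: a.has_patch),
    ("severity:critical,high", lambda a: a.severity in {"critical", "high"}),
    ("epss_percentage:>=0.01", lambda a: a.epss_percentage >= 0.01),
]


def funnel_counts(alerts: List[Alert], stages: List[Stage]) -> List[Tuple[str, int]]:
    """Return [(label, alerts remaining)] for the unfiltered total and each stage."""
    remaining = list(alerts)
    counts = [("all", len(remaining))]
    for label, predicate in stages:
        remaining = [a for a in remaining if predicate(a)]
        counts.append((label, len(remaining)))
    return counts


def funnel_survivors(alerts: List[Alert], stages: List[Stage]) -> List[Alert]:
    """Alerts that pass every stage, i.e. the last bar of the chart."""
    remaining = list(alerts)
    for _, predicate in stages:
        remaining = [a for a in remaining if predicate(a)]
    return remaining


def reorder(stages: List[Stage], order: List[str]) -> List[Stage]:
    """Rebuild the funnel in a new order, as the 'Configure funnel order' dialog does."""
    by_label = dict(stages)
    return [(label, by_label[label]) for label in order]


def by_repository(alerts: List[Alert]) -> Dict[str, int]:
    """Per-repository alert counts, most affected repository first."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.repo] = counts.get(a.repo, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for label, n in funnel_counts(SAMPLE_ALERTS, DEFAULT_FUNNEL):
        print(f"{label:<24} {n}")
    reordered = reorder(DEFAULT_FUNNEL,
                        ["epss_percentage:>=0.01", "severity:critical,high", "has:patch"])
    print("reordered:", [n for _, n in funnel_counts(SAMPLE_ALERTS, reordered)])
    print("per repo:", by_repository(funnel_survivors(SAMPLE_ALERTS, DEFAULT_FUNNEL)))
```

With the constructed data, the default order narrows 7 alerts to 6, then 4, then 2; putting the EPSS stage first gives 7, 4, 3, 2 instead. The two surviving alerts are the same either way, which is why the order is a presentation choice for triage rather than a change in what is ultimately flagged.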

Using metrics effectively

Use Dependabot metrics to:

  • Prioritize remediation: Focus on critical and high-severity alerts that are easily exploitable. Developers can use severity and patch availability filters to identify vulnerabilities they can fix immediately, reducing noise and focusing attention on actionable issues.
  • Monitor progress: Track how quickly your organization resolves security vulnerabilities and measure the effectiveness of vulnerability management efforts.
  • Make data-driven decisions: Allocate resources based on actual risk and usage patterns. The repository-level breakdown helps you understand which projects are most at risk and where to focus remediation efforts.
  • Identify trends: Understand whether your security posture is improving over time and ensure compliance with organizational or regulatory timelines.
  • Understand risk profiles: Developers can use these metrics to understand the risk profile of their dependencies, enabling informed prioritization of work.