
About Dependabot auto-triage rules

Control how Dependabot handles security alerts, including filtering, ignoring, snoozing, or triggering security updates.

Who can use this feature?

GitHub presets are available for all repository types.

Custom auto-triage rules are available only for organization-owned repositories with GitHub Advanced Security enabled.

About Dependabot auto-triage rules

Dependabot auto-triage rules allow you to instruct Dependabot to automatically triage Dependabot alerts. You can use auto-triage rules to automatically dismiss or snooze certain alerts, or specify the alerts you want Dependabot to open pull requests for. Rules are applied before alert notifications are sent, so enabling rules that auto-dismiss low-risk alerts will prevent notification noise from future matching alerts.

There are two types of Dependabot auto-triage rules:

  • GitHub presets
  • Custom auto-triage rules

About GitHub presets

Note

GitHub presets for Dependabot alerts are rules that are available for all repositories.

GitHub presets are rules curated by GitHub.

The Dismiss low impact issues for development-scoped dependencies rule is a GitHub preset that auto-dismisses certain types of vulnerabilities found in npm dependencies that are used only during development. These are cases that most developers treat as false alarms, because the associated vulnerabilities:

  • Are unlikely to be exploitable in a developer (non-production or runtime) environment.
  • May relate to resource management, programming and logic, and information disclosure issues.
  • At worst, have limited effects like slow builds or long-running tests.
  • Are not indicative of issues in production.

The rule is enabled by default for public repositories and can be opted into for private repositories. For instructions, see Enabling the Dismiss low impact issues for development-scoped dependencies rule for your private repository.

For more information about the criteria used by the rule, see CWEs used by GitHub's preset Dependabot rules.

About custom auto-triage rules

Note

Custom auto-triage rules for Dependabot alerts are available for organization-owned repositories with GitHub Advanced Security enabled.

With custom auto-triage rules, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which alerts you want Dependabot to open pull requests for. For more information, see Customizing auto-triage rules to prioritize Dependabot alerts.

You can create custom rules from the Settings tab of the repository, provided the repository belongs to an organization that has a license for GitHub Advanced Security. For more information, see Adding custom auto-triage rules to your repository.

About auto-dismissing alerts

Auto-dismissal is not permanent. You can reopen auto-dismissed alerts at any time, and you can filter the alert list to see which alerts were auto-dismissed. For more information, see Managing alerts that have been automatically dismissed by a Dependabot auto-triage rule.

Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example:

  • If you change the scope of a dependency from development to production.
  • If GitHub modifies certain metadata for the related advisory.

Auto-dismissed alerts carry the resolution:auto-dismiss close reason, which you can use as a filter in the alert list. Automatic dismissal activity is also included in alert webhooks, the REST and GraphQL APIs, and the audit log, so it can be reported on and audited like any manual dismissal. For more information, see REST API endpoints for Dependabot alerts, and the "repository_vulnerability_alert" section in Reviewing the audit log for your organization.
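The following is an added example, not code from GitHub or this article, that shows the two ideas above in working code: a custom-rule style filter (scope, ecosystem, severity, CWE, package) evaluated over alert JSON, and a review pass that flags auto-dismissed alerts whose dependency has since moved to runtime scope, which is the metadata change that triggers auto-reopening. The alert records are constructed sample data shaped like the REST API Dependabot alert object (`dependency.scope`, `security_advisory.severity`, `security_advisory.cwes`, `auto_dismissed_at`); the package names, dates, rules and the CWE list are hypothetical and are not GitHub's preset criteria.

```python
"""Local triage pass over Dependabot alert JSON (REST API shape)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample alerts (not real data). Field names follow the REST
# Dependabot alert object; package names and timestamps are made up.
SAMPLE_ALERTS: List[dict] = [
    {   # ReDoS in a dev-only npm tool: candidate for auto-dismissal
        "number": 1, "state": "open",
        "dependency": {"package": {"ecosystem": "npm", "name": "dev-linter"},
                       "scope": "development"},
        "security_advisory": {"severity": "moderate",
                              "cwes": [{"cwe_id": "CWE-1333",
                                        "name": "Inefficient Regular Expression Complexity"}]},
        "auto_dismissed_at": None,
    },
    {   # same CWE, but the package runs in production: must not be dismissed
        "number": 2, "state": "open",
        "dependency": {"package": {"ecosystem": "npm", "name": "web-router"},
                       "scope": "runtime"},
        "security_advisory": {"severity": "moderate",
                              "cwes": [{"cwe_id": "CWE-1333",
                                        "name": "Inefficient Regular Expression Complexity"}]},
        "auto_dismissed_at": None,
    },
    {   # critical code injection in a runtime dependency: open a PR
        "number": 3, "state": "open",
        "dependency": {"package": {"ecosystem": "pip", "name": "template-lib"},
                       "scope": "runtime"},
        "security_advisory": {"severity": "critical",
                              "cwes": [{"cwe_id": "CWE-94",
                                        "name": "Improper Control of Generation of Code"}]},
        "auto_dismissed_at": None,
    },
    {   # auto-dismissed while dev-scoped; the dependency has since moved to runtime
        "number": 4, "state": "dismissed",
        "dependency": {"package": {"ecosystem": "npm", "name": "yaml-parser"},
                       "scope": "runtime"},
        "security_advisory": {"severity": "low",
                              "cwes": [{"cwe_id": "CWE-400",
                                        "name": "Uncontrolled Resource Consumption"}]},
        "auto_dismissed_at": "2024-03-01T09:00:00Z",
    },
]


@dataclass(frozen=True)
class Rule:
    """One auto-triage rule: every non-empty criterion must match (AND)."""
    name: str
    action: str                       # "dismiss" or "open_pr"
    scope: Optional[str] = None       # "development" or "runtime"
    ecosystems: frozenset = frozenset()
    severities: frozenset = frozenset()
    cwes: frozenset = frozenset()
    packages: frozenset = frozenset()

    def matches(self, alert: dict) -> bool:
        dep = alert["dependency"]
        adv = alert["security_advisory"]
        alert_cwes = {c["cwe_id"] for c in adv.get("cwes", [])}
        return all([
            self.scope is None or dep.get("scope") == self.scope,
            not self.ecosystems or dep["package"]["ecosystem"] in self.ecosystems,
            not self.severities or adv["severity"] in self.severities,
            not self.cwes or bool(self.cwes & alert_cwes),
            not self.packages or dep["package"]["name"] in self.packages,
        ])


# Hypothetical rules in the shape the custom-rule UI offers. The CWE list is
# an illustrative subset chosen for this example, not GitHub's preset criteria.
RULES: List[Rule] = [
    Rule("dev-only low impact", "dismiss", scope="development",
         ecosystems=frozenset({"npm"}), cwes=frozenset({"CWE-400", "CWE-1333"})),
    Rule("patch critical runtime deps", "open_pr", scope="runtime",
         severities=frozenset({"critical", "high"})),
]


def triage(alerts: List[dict], rules: List[Rule]) -> Dict[int, str]:
    """Map open alert numbers to the action of the first matching rule.
    First-match-wins ordering is this script's choice, not documented GitHub behaviour."""
    decisions: Dict[int, str] = {}
    for alert in alerts:
        if alert["state"] != "open":
            continue
        for rule in rules:
            if rule.matches(alert):
                decisions[alert["number"]] = rule.action
                break
    return decisions


def stale_auto_dismissals(alerts: List[dict]) -> List[int]:
    """Auto-dismissed alerts whose dependency is now runtime-scoped: the scope
    change that should reopen them, flagged here for human review."""
    return [a["number"] for a in alerts
            if a.get("auto_dismissed_at") and a["dependency"].get("scope") == "runtime"]


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, RULES))          # {1: 'dismiss', 3: 'open_pr'}
    print(stale_auto_dismissals(SAMPLE_ALERTS))  # [4]
```

Alert 2 is the case the preset is designed around: the same CWE as alert 1, but because the dependency is runtime-scoped no dismissal rule matches and it stays open for a human. Alert 4 shows why auto-dismissed alerts should remain visible in reporting: a dependency that moved from development to production invalidates the reason it was dismissed.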

Further reading