O controle de versão da API REST já foi feito. Para obter mais informações, confira "Sobre o controle de versão da API".

Pontos de extremidade da API REST para o Dependabot alerts

Use a API REST para interagir com os alertas do Dependabot com relação a um repositório.

Observação

A capacidade de usar a API REST para gerenciar os alertas do Dependabot está em versão prévia pública e está sujeita a alterações.

Sobre Dependabot alerts

É possível exibir os alertas do Dependabot para um repositório e atualizar alertas individuais com a API REST. Para saber mais, confira Sobre alertas do Dependabot.

List Dependabot alerts for an enterprise

Lists Dependabot alerts for repositories that are owned by the specified enterprise.

The authenticated user must be a member of the enterprise to use this endpoint.

Alerts are only returned for organizations in the enterprise for which you are an organization owner or a security manager. For more information about security managers, see "Managing security managers in your organization."

OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint.

Tokens de acesso refinados para "List Dependabot alerts for an enterprise"

Esse ponto de extremidade não funciona com tokens de acesso de usuário do aplicativo GitHub, tokens de acesso de instalação do aplicativo GitHub ou tokens de acesso pessoal refinados.

Parâmetros para "List Dependabot alerts for an enterprise"

Cabeçalhos
accept string

Setting to application/vnd.github+json is recommended.

Parâmetros de caminho
enterprise string Obrigatório

The slug version of the enterprise name.

Parâmetros de consulta
state string

A comma-separated list of states. If specified, only alerts with these states will be returned.

Can be: auto_dismissed, dismissed, fixed, open

severity string

A comma-separated list of severities. If specified, only alerts with these severities will be returned.

Can be: low, medium, high, critical

ecosystem string

A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.

Can be: composer, go, maven, npm, nuget, pip, pub, rubygems, rust

package string

A comma-separated list of package names. If specified, only alerts for these packages will be returned.

epss_percentage string

CVE Exploit Prediction Scoring System (EPSS) percentage. Can be specified as:

  • An exact number (n)
  • Comparators such as >n, <n, >=n, <=n
  • A range like n..n, where n is a number from 0.0 to 1.0

Filters the list of alerts based on EPSS percentages. If specified, only alerts with the provided EPSS percentages will be returned.

has

Filters the list of alerts based on whether the alert has the given value. If specified, only alerts meeting this criterion will be returned. Multiple has filters can be passed to filter for alerts that have all of the values. Currently, only patch is supported.

scope string

The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned.

Pode ser um dos: development, runtime

sort string

The property by which to sort the results. created means when the alert was created. updated means when the alert's state last changed. epss_percentage sorts alerts by the Exploit Prediction Scoring System (EPSS) percentage.

Padrão: created

Pode ser um dos: created, updated, epss_percentage

direction string

The direction to sort the results by.

Padrão: desc

Pode ser um dos: asc, desc

before string

A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API."

after string

A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API."

per_page integer

The number of results per page (max 100). For more information, see "Using pagination in the REST API."

Padrão: 30

Códigos de status de resposta HTTP para "List Dependabot alerts for an enterprise"

Código de statusDescrição
200

OK

304

Not modified

403

Forbidden

404

Resource not found

422

Validation failed, or the endpoint has been spammed.

Exemplos de código para "List Dependabot alerts for an enterprise"

Exemplo de solicitação

get/enterprises/{enterprise}/dependabot/alerts
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/dependabot/alerts

Response

Status: 200
[ { "number": 2, "state": "dismissed", "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-rf4j-j272-fj86", "cve_id": "CVE-2018-6188", "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive", "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } } ], "severity": "high", "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 8.7 } }, "epss": [ { "percentage": 0.00045, "percentile": "0.16001e0" } ], "cwes": [ { "cwe_id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" }, { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" }, { "url": "https://usn.ubuntu.com/3559-1/" }, { "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/" }, { "url": "http://www.securitytracker.com/id/1040422" } ], "published_at": "2018-10-03T21:13:54Z", "updated_at": "2022-04-26T18:35:37Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, "url": "https://api.github.com/repos/octo-org/octo-repo/dependabot/alerts/2", "html_url": "https://github.com/octo-org/octo-repo/security/dependabot/2", "created_at": "2022-06-15T07:43:03Z", "updated_at": "2022-08-23T14:29:47Z", "dismissed_at": "2022-08-23T14:29:47Z", "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "dismissed_reason": "tolerable_risk", "dismissed_comment": "This alert is accurate but we use a sanitizer.", "fixed_at": null, "repository": { "id": 217723378, "node_id": "MDEwOlJlcG9zaXRvcnkyMTc3MjMzNzg=", "name": "octo-repo", "full_name": "octo-org/octo-repo", "owner": { "login": "octo-org", "id": 6811672, "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=", "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octo-org", "html_url": "https://github.com/octo-org", "followers_url": "https://api.github.com/users/octo-org/followers", "following_url": "https://api.github.com/users/octo-org/following{/other_user}", "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}", "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions", "organizations_url": "https://api.github.com/users/octo-org/orgs", "repos_url": "https://api.github.com/users/octo-org/repos", "events_url": "https://api.github.com/users/octo-org/events{/privacy}", "received_events_url": "https://api.github.com/users/octo-org/received_events", "type": "Organization", "site_admin": false }, "private": true, "html_url": "https://github.com/octo-org/octo-repo", "description": null, "fork": false, "url": "https://api.github.com/repos/octo-org/octo-repo", "archive_url": "https://api.github.com/repos/octo-org/octo-repo/{archive_format}{/ref}", "assignees_url": "https://api.github.com/repos/octo-org/octo-repo/assignees{/user}", "blobs_url": "https://api.github.com/repos/octo-org/octo-repo/git/blobs{/sha}", "branches_url": "https://api.github.com/repos/octo-org/octo-repo/branches{/branch}", "collaborators_url": "https://api.github.com/repos/octo-org/octo-repo/collaborators{/collaborator}", "comments_url": "https://api.github.com/repos/octo-org/octo-repo/comments{/number}", "commits_url": "https://api.github.com/repos/octo-org/octo-repo/commits{/sha}", "compare_url": "https://api.github.com/repos/octo-org/octo-repo/compare/{base}...{head}", "contents_url": "https://api.github.com/repos/octo-org/octo-repo/contents/{+path}", "contributors_url": "https://api.github.com/repos/octo-org/octo-repo/contributors", "deployments_url": "https://api.github.com/repos/octo-org/octo-repo/deployments", "downloads_url": "https://api.github.com/repos/octo-org/octo-repo/downloads", "events_url": "https://api.github.com/repos/octo-org/octo-repo/events", "forks_url": "https://api.github.com/repos/octo-org/octo-repo/forks", "git_commits_url": "https://api.github.com/repos/octo-org/octo-repo/git/commits{/sha}", "git_refs_url": "https://api.github.com/repos/octo-org/octo-repo/git/refs{/sha}", "git_tags_url": "https://api.github.com/repos/octo-org/octo-repo/git/tags{/sha}", "hooks_url": "https://api.github.com/repos/octo-org/octo-repo/hooks", "issue_comment_url": "https://api.github.com/repos/octo-org/octo-repo/issues/comments{/number}", "issue_events_url": "https://api.github.com/repos/octo-org/octo-repo/issues/events{/number}", "issues_url": "https://api.github.com/repos/octo-org/octo-repo/issues{/number}", "keys_url": "https://api.github.com/repos/octo-org/octo-repo/keys{/key_id}", "labels_url": "https://api.github.com/repos/octo-org/octo-repo/labels{/name}", "languages_url": "https://api.github.com/repos/octo-org/octo-repo/languages", "merges_url": "https://api.github.com/repos/octo-org/octo-repo/merges", "milestones_url": "https://api.github.com/repos/octo-org/octo-repo/milestones{/number}", "notifications_url": "https://api.github.com/repos/octo-org/octo-repo/notifications{?since,all,participating}", "pulls_url": "https://api.github.com/repos/octo-org/octo-repo/pulls{/number}", "releases_url": "https://api.github.com/repos/octo-org/octo-repo/releases{/id}", "stargazers_url": "https://api.github.com/repos/octo-org/octo-repo/stargazers", "statuses_url": "https://api.github.com/repos/octo-org/octo-repo/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/octo-org/octo-repo/subscribers", "subscription_url": "https://api.github.com/repos/octo-org/octo-repo/subscription", "tags_url": "https://api.github.com/repos/octo-org/octo-repo/tags", "teams_url": "https://api.github.com/repos/octo-org/octo-repo/teams", "trees_url": "https://api.github.com/repos/octo-org/octo-repo/git/trees{/sha}" } }, { "number": 1, "state": "open", "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-8f4m-hccc-8qph", "cve_id": "CVE-2021-20191", "summary": "Insertion of Sensitive Information into Log File in ansible", "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } } ], "severity": "medium", "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "score": 8.5 } }, "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" }, { "url": "https://access.redhat.com/security/cve/cve-2021-20191" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" } ], "published_at": "2021-06-01T17:38:00Z", "updated_at": "2021-08-12T23:06:00Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, "url": "https://api.github.com/repos/octo-org/hello-world/dependabot/alerts/1", "html_url": "https://github.com/octo-org/hello-world/security/dependabot/1", "created_at": "2022-06-14T15:21:52Z", "updated_at": "2022-06-14T15:21:52Z", "dismissed_at": null, "dismissed_by": null, "dismissed_reason": null, "dismissed_comment": null, "fixed_at": null, "repository": { "id": 664700648, "node_id": "MDEwOlJlcG9zaXRvcnk2NjQ3MDA2NDg=", "name": "hello-world", "full_name": "octo-org/hello-world", "owner": { "login": "octo-org", "id": 6811672, "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=", "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octo-org", "html_url": "https://github.com/octo-org", "followers_url": "https://api.github.com/users/octo-org/followers", "following_url": "https://api.github.com/users/octo-org/following{/other_user}", "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}", "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions", "organizations_url": "https://api.github.com/users/octo-org/orgs", "repos_url": "https://api.github.com/users/octo-org/repos", "events_url": "https://api.github.com/users/octo-org/events{/privacy}", "received_events_url": "https://api.github.com/users/octo-org/received_events", "type": "Organization", "site_admin": false }, "private": true, "html_url": "https://github.com/octo-org/hello-world", "description": null, "fork": false, "url": "https://api.github.com/repos/octo-org/hello-world", "archive_url": "https://api.github.com/repos/octo-org/hello-world/{archive_format}{/ref}", "assignees_url": "https://api.github.com/repos/octo-org/hello-world/assignees{/user}", "blobs_url": "https://api.github.com/repos/octo-org/hello-world/git/blobs{/sha}", "branches_url": "https://api.github.com/repos/octo-org/hello-world/branches{/branch}", "collaborators_url": "https://api.github.com/repos/octo-org/hello-world/collaborators{/collaborator}", "comments_url": "https://api.github.com/repos/octo-org/hello-world/comments{/number}", "commits_url": "https://api.github.com/repos/octo-org/hello-world/commits{/sha}", "compare_url": "https://api.github.com/repos/octo-org/hello-world/compare/{base}...{head}", "contents_url": "https://api.github.com/repos/octo-org/hello-world/contents/{+path}", "contributors_url": "https://api.github.com/repos/octo-org/hello-world/contributors", "deployments_url": "https://api.github.com/repos/octo-org/hello-world/deployments", "downloads_url": "https://api.github.com/repos/octo-org/hello-world/downloads", "events_url": "https://api.github.com/repos/octo-org/hello-world/events", "forks_url": "https://api.github.com/repos/octo-org/hello-world/forks", "git_commits_url": "https://api.github.com/repos/octo-org/hello-world/git/commits{/sha}", "git_refs_url": "https://api.github.com/repos/octo-org/hello-world/git/refs{/sha}", "git_tags_url": "https://api.github.com/repos/octo-org/hello-world/git/tags{/sha}", "hooks_url": "https://api.github.com/repos/octo-org/hello-world/hooks", "issue_comment_url": "https://api.github.com/repos/octo-org/hello-world/issues/comments{/number}", "issue_events_url": "https://api.github.com/repos/octo-org/hello-world/issues/events{/number}", "issues_url": "https://api.github.com/repos/octo-org/hello-world/issues{/number}", "keys_url": "https://api.github.com/repos/octo-org/hello-world/keys{/key_id}", "labels_url": "https://api.github.com/repos/octo-org/hello-world/labels{/name}", "languages_url": "https://api.github.com/repos/octo-org/hello-world/languages", "merges_url": "https://api.github.com/repos/octo-org/hello-world/merges", "milestones_url": "https://api.github.com/repos/octo-org/hello-world/milestones{/number}", "notifications_url": "https://api.github.com/repos/octo-org/hello-world/notifications{?since,all,participating}", "pulls_url": "https://api.github.com/repos/octo-org/hello-world/pulls{/number}", "releases_url": "https://api.github.com/repos/octo-org/hello-world/releases{/id}", "stargazers_url": "https://api.github.com/repos/octo-org/hello-world/stargazers", "statuses_url": "https://api.github.com/repos/octo-org/hello-world/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/octo-org/hello-world/subscribers", "subscription_url": "https://api.github.com/repos/octo-org/hello-world/subscription", "tags_url": "https://api.github.com/repos/octo-org/hello-world/tags", "teams_url": "https://api.github.com/repos/octo-org/hello-world/teams", "trees_url": "https://api.github.com/repos/octo-org/hello-world/git/trees{/sha}" } } ]

List Dependabot alerts for an organization

Lists Dependabot alerts for an organization.

The authenticated user must be an owner or security manager for the organization to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

Tokens de acesso refinados para "List Dependabot alerts for an organization"

Esse ponto de extremidade funciona com os seguintes tipos de token refinados:

O token refinado deve ter os seguintes conjuntos de permissões:

  • "Dependabot alerts" repository permissions (read)

Parâmetros para "List Dependabot alerts for an organization"

Cabeçalhos
accept string

Setting to application/vnd.github+json is recommended.

Parâmetros de caminho
org string Obrigatório

The organization name. The name is not case sensitive.

Parâmetros de consulta
state string

A comma-separated list of states. If specified, only alerts with these states will be returned.

Can be: auto_dismissed, dismissed, fixed, open

severity string

A comma-separated list of severities. If specified, only alerts with these severities will be returned.

Can be: low, medium, high, critical

ecosystem string

A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.

Can be: composer, go, maven, npm, nuget, pip, pub, rubygems, rust

package string

A comma-separated list of package names. If specified, only alerts for these packages will be returned.

epss_percentage string

CVE Exploit Prediction Scoring System (EPSS) percentage. Can be specified as:

  • An exact number (n)
  • Comparators such as >n, <n, >=n, <=n
  • A range like n..n, where n is a number from 0.0 to 1.0

Filters the list of alerts based on EPSS percentages. If specified, only alerts with the provided EPSS percentages will be returned.

artifact_registry_url string

A comma-separated list of artifact registry URLs. If specified, only alerts for repositories with storage records matching these URLs will be returned.

artifact_registry string

A comma-separated list of Artifact Registry name strings. If specified, only alerts for repositories with storage records matching these registries will be returned.

Can be: jfrog-artifactory

has

Filters the list of alerts based on whether the alert has the given value. If specified, only alerts meeting this criterion will be returned. Multiple has filters can be passed to filter for alerts that have all of the values.

runtime_risk string

A comma-separated list of runtime risk strings. If specified, only alerts for repositories with deployment records matching these risks will be returned.

Can be: critical-resource, internet-exposed, sensitive-data, lateral-movement

scope string

The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned.

Pode ser um dos: development, runtime

sort string

The property by which to sort the results. created means when the alert was created. updated means when the alert's state last changed. epss_percentage sorts alerts by the Exploit Prediction Scoring System (EPSS) percentage.

Padrão: created

Pode ser um dos: created, updated, epss_percentage

direction string

The direction to sort the results by.

Padrão: desc

Pode ser um dos: asc, desc

before string

A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API."

after string

A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API."

per_page integer

The number of results per page (max 100). For more information, see "Using pagination in the REST API."

Padrão: 30

Códigos de status de resposta HTTP para "List Dependabot alerts for an organization"

Código de statusDescrição
200

OK

304

Not modified

400

Bad Request

403

Forbidden

404

Resource not found

422

Validation failed, or the endpoint has been spammed.

Exemplos de código para "List Dependabot alerts for an organization"

Exemplo de solicitação

get/orgs/{org}/dependabot/alerts
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/ORG/dependabot/alerts

Response

Status: 200
[ { "number": 2, "state": "dismissed", "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-rf4j-j272-fj86", "cve_id": "CVE-2018-6188", "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive", "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } } ], "severity": "high", "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 8.7 } }, "epss": [ { "percentage": 0.00045, "percentile": "0.16001e0" } ], "cwes": [ { "cwe_id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" }, { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" }, { "url": "https://usn.ubuntu.com/3559-1/" }, { "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/" }, { "url": "http://www.securitytracker.com/id/1040422" } ], "published_at": "2018-10-03T21:13:54Z", "updated_at": "2022-04-26T18:35:37Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, "url": "https://api.github.com/repos/octo-org/octo-repo/dependabot/alerts/2", "html_url": "https://github.com/octo-org/octo-repo/security/dependabot/2", "created_at": "2022-06-15T07:43:03Z", "updated_at": "2022-08-23T14:29:47Z", "dismissed_at": "2022-08-23T14:29:47Z", "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "dismissed_reason": "tolerable_risk", "dismissed_comment": "This alert is accurate but we use a sanitizer.", "fixed_at": null, "repository": { "id": 217723378, "node_id": "MDEwOlJlcG9zaXRvcnkyMTc3MjMzNzg=", "name": "octo-repo", "full_name": "octo-org/octo-repo", "owner": { "login": "octo-org", "id": 6811672, "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=", "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octo-org", "html_url": "https://github.com/octo-org", "followers_url": "https://api.github.com/users/octo-org/followers", "following_url": "https://api.github.com/users/octo-org/following{/other_user}", "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}", "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions", "organizations_url": "https://api.github.com/users/octo-org/orgs", "repos_url": "https://api.github.com/users/octo-org/repos", "events_url": "https://api.github.com/users/octo-org/events{/privacy}", "received_events_url": "https://api.github.com/users/octo-org/received_events", "type": "Organization", "site_admin": false }, "private": true, "html_url": "https://github.com/octo-org/octo-repo", "description": null, "fork": false, "url": "https://api.github.com/repos/octo-org/octo-repo", "archive_url": "https://api.github.com/repos/octo-org/octo-repo/{archive_format}{/ref}", "assignees_url": "https://api.github.com/repos/octo-org/octo-repo/assignees{/user}", "blobs_url": "https://api.github.com/repos/octo-org/octo-repo/git/blobs{/sha}", "branches_url": "https://api.github.com/repos/octo-org/octo-repo/branches{/branch}", "collaborators_url": "https://api.github.com/repos/octo-org/octo-repo/collaborators{/collaborator}", "comments_url": "https://api.github.com/repos/octo-org/octo-repo/comments{/number}", "commits_url": "https://api.github.com/repos/octo-org/octo-repo/commits{/sha}", "compare_url": "https://api.github.com/repos/octo-org/octo-repo/compare/{base}...{head}", "contents_url": "https://api.github.com/repos/octo-org/octo-repo/contents/{+path}", "contributors_url": "https://api.github.com/repos/octo-org/octo-repo/contributors", "deployments_url": "https://api.github.com/repos/octo-org/octo-repo/deployments", "downloads_url": "https://api.github.com/repos/octo-org/octo-repo/downloads", "events_url": "https://api.github.com/repos/octo-org/octo-repo/events", "forks_url": "https://api.github.com/repos/octo-org/octo-repo/forks", "git_commits_url": "https://api.github.com/repos/octo-org/octo-repo/git/commits{/sha}", "git_refs_url": "https://api.github.com/repos/octo-org/octo-repo/git/refs{/sha}", "git_tags_url": "https://api.github.com/repos/octo-org/octo-repo/git/tags{/sha}", "hooks_url": "https://api.github.com/repos/octo-org/octo-repo/hooks", "issue_comment_url": "https://api.github.com/repos/octo-org/octo-repo/issues/comments{/number}", "issue_events_url": "https://api.github.com/repos/octo-org/octo-repo/issues/events{/number}", "issues_url": "https://api.github.com/repos/octo-org/octo-repo/issues{/number}", "keys_url": "https://api.github.com/repos/octo-org/octo-repo/keys{/key_id}", "labels_url": "https://api.github.com/repos/octo-org/octo-repo/labels{/name}", "languages_url": "https://api.github.com/repos/octo-org/octo-repo/languages", "merges_url": "https://api.github.com/repos/octo-org/octo-repo/merges", "milestones_url": "https://api.github.com/repos/octo-org/octo-repo/milestones{/number}", "notifications_url": "https://api.github.com/repos/octo-org/octo-repo/notifications{?since,all,participating}", "pulls_url": "https://api.github.com/repos/octo-org/octo-repo/pulls{/number}", "releases_url": "https://api.github.com/repos/octo-org/octo-repo/releases{/id}", "stargazers_url": "https://api.github.com/repos/octo-org/octo-repo/stargazers", "statuses_url": "https://api.github.com/repos/octo-org/octo-repo/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/octo-org/octo-repo/subscribers", "subscription_url": "https://api.github.com/repos/octo-org/octo-repo/subscription", "tags_url": "https://api.github.com/repos/octo-org/octo-repo/tags", "teams_url": "https://api.github.com/repos/octo-org/octo-repo/teams", "trees_url": "https://api.github.com/repos/octo-org/octo-repo/git/trees{/sha}" } }, { "number": 1, "state": "open", "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-8f4m-hccc-8qph", "cve_id": "CVE-2021-20191", "summary": "Insertion of Sensitive Information into Log File in ansible", "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } } ], "severity": "medium", "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "score": 8.5 } }, "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" }, { "url": "https://access.redhat.com/security/cve/cve-2021-20191" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" } ], "published_at": "2021-06-01T17:38:00Z", "updated_at": "2021-08-12T23:06:00Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, "url": "https://api.github.com/repos/octo-org/hello-world/dependabot/alerts/1", "html_url": "https://github.com/octo-org/hello-world/security/dependabot/1", "created_at": "2022-06-14T15:21:52Z", "updated_at": "2022-06-14T15:21:52Z", "dismissed_at": null, "dismissed_by": null, "dismissed_reason": null, "dismissed_comment": null, "fixed_at": null, "repository": { "id": 664700648, "node_id": "MDEwOlJlcG9zaXRvcnk2NjQ3MDA2NDg=", "name": "hello-world", "full_name": "octo-org/hello-world", "owner": { "login": "octo-org", "id": 6811672, "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=", "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octo-org", "html_url": "https://github.com/octo-org", "followers_url": "https://api.github.com/users/octo-org/followers", "following_url": "https://api.github.com/users/octo-org/following{/other_user}", "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}", "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions", "organizations_url": "https://api.github.com/users/octo-org/orgs", "repos_url": "https://api.github.com/users/octo-org/repos", "events_url": "https://api.github.com/users/octo-org/events{/privacy}", "received_events_url": "https://api.github.com/users/octo-org/received_events", "type": "Organization", "site_admin": false }, "private": true, "html_url": "https://github.com/octo-org/hello-world", "description": null, "fork": false, "url": "https://api.github.com/repos/octo-org/hello-world", "archive_url": "https://api.github.com/repos/octo-org/hello-world/{archive_format}{/ref}", "assignees_url": "https://api.github.com/repos/octo-org/hello-world/assignees{/user}", "blobs_url": "https://api.github.com/repos/octo-org/hello-world/git/blobs{/sha}", "branches_url": "https://api.github.com/repos/octo-org/hello-world/branches{/branch}", "collaborators_url": "https://api.github.com/repos/octo-org/hello-world/collaborators{/collaborator}", "comments_url": "https://api.github.com/repos/octo-org/hello-world/comments{/number}", "commits_url": "https://api.github.com/repos/octo-org/hello-world/commits{/sha}", "compare_url": "https://api.github.com/repos/octo-org/hello-world/compare/{base}...{head}", "contents_url": "https://api.github.com/repos/octo-org/hello-world/contents/{+path}", "contributors_url": "https://api.github.com/repos/octo-org/hello-world/contributors", "deployments_url": "https://api.github.com/repos/octo-org/hello-world/deployments", "downloads_url": "https://api.github.com/repos/octo-org/hello-world/downloads", "events_url": "https://api.github.com/repos/octo-org/hello-world/events", "forks_url": "https://api.github.com/repos/octo-org/hello-world/forks", "git_commits_url": "https://api.github.com/repos/octo-org/hello-world/git/commits{/sha}", "git_refs_url": "https://api.github.com/repos/octo-org/hello-world/git/refs{/sha}", "git_tags_url": "https://api.github.com/repos/octo-org/hello-world/git/tags{/sha}", "hooks_url": "https://api.github.com/repos/octo-org/hello-world/hooks", "issue_comment_url": "https://api.github.com/repos/octo-org/hello-world/issues/comments{/number}", "issue_events_url": "https://api.github.com/repos/octo-org/hello-world/issues/events{/number}", "issues_url": "https://api.github.com/repos/octo-org/hello-world/issues{/number}", "keys_url": "https://api.github.com/repos/octo-org/hello-world/keys{/key_id}", "labels_url": "https://api.github.com/repos/octo-org/hello-world/labels{/name}", "languages_url": "https://api.github.com/repos/octo-org/hello-world/languages", "merges_url": "https://api.github.com/repos/octo-org/hello-world/merges", "milestones_url": "https://api.github.com/repos/octo-org/hello-world/milestones{/number}", "notifications_url": "https://api.github.com/repos/octo-org/hello-world/notifications{?since,all,participating}", "pulls_url": "https://api.github.com/repos/octo-org/hello-world/pulls{/number}", "releases_url": "https://api.github.com/repos/octo-org/hello-world/releases{/id}", "stargazers_url": "https://api.github.com/repos/octo-org/hello-world/stargazers", "statuses_url": "https://api.github.com/repos/octo-org/hello-world/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/octo-org/hello-world/subscribers", "subscription_url": "https://api.github.com/repos/octo-org/hello-world/subscription", "tags_url": "https://api.github.com/repos/octo-org/hello-world/tags", "teams_url": "https://api.github.com/repos/octo-org/hello-world/teams", "trees_url": "https://api.github.com/repos/octo-org/hello-world/git/trees{/sha}" } } ]

List Dependabot alerts for a repository

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

Tokens de acesso refinados para "List Dependabot alerts for a repository"

Esse ponto de extremidade funciona com os seguintes tipos de token refinados:

O token refinado deve ter os seguintes conjuntos de permissões:

  • "Dependabot alerts" repository permissions (read)

Parâmetros para "List Dependabot alerts for a repository"

Cabeçalhos
accept string

Setting to application/vnd.github+json is recommended.

Parâmetros de caminho
owner string Obrigatório

The account owner of the repository. The name is not case sensitive.

repo string Obrigatório

The name of the repository without the .git extension. The name is not case sensitive.

Parâmetros de consulta
state string

A comma-separated list of states. If specified, only alerts with these states will be returned.

Can be: auto_dismissed, dismissed, fixed, open

severity string

A comma-separated list of severities. If specified, only alerts with these severities will be returned.

Can be: low, medium, high, critical

ecosystem string

A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.

Can be: composer, go, maven, npm, nuget, pip, pub, rubygems, rust

package string

A comma-separated list of package names. If specified, only alerts for these packages will be returned.

manifest string

A comma-separated list of full manifest paths. If specified, only alerts for these manifests will be returned.

epss_percentage string

CVE Exploit Prediction Scoring System (EPSS) percentage. Can be specified as:

  • An exact number (n)
  • Comparators such as >n, <n, >=n, <=n
  • A range like n..n, where n is a number from 0.0 to 1.0

Filters the list of alerts based on EPSS percentages. If specified, only alerts with the provided EPSS percentages will be returned.

has

Filters the list of alerts based on whether the alert has the given value. If specified, only alerts meeting this criterion will be returned. Multiple has filters can be passed to filter for alerts that have all of the values. Currently, only patch is supported.

scope string

The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned.

Pode ser um dos: development, runtime

sort string

The property by which to sort the results. created means when the alert was created. updated means when the alert's state last changed. epss_percentage sorts alerts by the Exploit Prediction Scoring System (EPSS) percentage.

Padrão: created

Pode ser um dos: created, updated, epss_percentage

direction string

The direction to sort the results by.

Padrão: desc

Pode ser um dos: asc, desc

per_page integer

The number of results per page (max 100). For more information, see "Using pagination in the REST API."

Padrão: 30

before string

A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API."

after string

A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API."

Códigos de status de resposta HTTP para "List Dependabot alerts for a repository"

Código de statusDescrição
200

OK

304

Not modified

400

Bad Request

403

Forbidden

404

Resource not found

422

Validation failed, or the endpoint has been spammed.

Exemplos de código para "List Dependabot alerts for a repository"

Exemplo de solicitação

get/repos/{owner}/{repo}/dependabot/alerts
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/dependabot/alerts

Response

Status: 200
[ { "number": 2, "state": "dismissed", "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-rf4j-j272-fj86", "cve_id": "CVE-2018-6188", "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive", "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } } ], "severity": "high", "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 8.7 } }, "epss": [ { "percentage": 0.00045, "percentile": "0.16001e0" } ], "cwes": [ { "cwe_id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" }, { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" }, { "url": "https://usn.ubuntu.com/3559-1/" }, { "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/" }, { "url": "http://www.securitytracker.com/id/1040422" } ], "published_at": "2018-10-03T21:13:54Z", "updated_at": "2022-04-26T18:35:37Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/2", "html_url": "https://github.com/octocat/hello-world/security/dependabot/2", "created_at": "2022-06-15T07:43:03Z", "updated_at": "2022-08-23T14:29:47Z", "dismissed_at": "2022-08-23T14:29:47Z", "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "dismissed_reason": "tolerable_risk", "dismissed_comment": "This alert is accurate but we use a sanitizer.", "fixed_at": null }, { "number": 1, "state": "open", "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-8f4m-hccc-8qph", "cve_id": "CVE-2021-20191", "summary": "Insertion of Sensitive Information into Log File in ansible", "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } } ], "severity": "medium", "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "score": 8.5 } }, "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" }, { "url": "https://access.redhat.com/security/cve/cve-2021-20191" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" } ], "published_at": "2021-06-01T17:38:00Z", "updated_at": "2021-08-12T23:06:00Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/1", "html_url": "https://github.com/octocat/hello-world/security/dependabot/1", "created_at": "2022-06-14T15:21:52Z", "updated_at": "2022-06-14T15:21:52Z", "dismissed_at": null, "dismissed_by": null, "dismissed_reason": null, "dismissed_comment": null, "fixed_at": null } ]

Get a Dependabot alert

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

Tokens de acesso refinados para "Get a Dependabot alert"

Esse ponto de extremidade funciona com os seguintes tipos de token refinados:

O token refinado deve ter os seguintes conjuntos de permissões:

  • "Dependabot alerts" repository permissions (read)

Parâmetros para "Get a Dependabot alert"

Cabeçalhos
accept string

Setting to application/vnd.github+json is recommended.

Parâmetros de caminho
owner string Obrigatório

The account owner of the repository. The name is not case sensitive.

repo string Obrigatório

The name of the repository without the .git extension. The name is not case sensitive.

alert_number integer Obrigatório

The number that identifies a Dependabot alert in its repository. You can find this at the end of the URL for a Dependabot alert within GitHub, or in number fields in the response from the GET /repos/{owner}/{repo}/dependabot/alerts operation.

Códigos de status de resposta HTTP para "Get a Dependabot alert"

Código de statusDescrição
200

OK

304

Not modified

403

Forbidden

404

Resource not found

Exemplos de código para "Get a Dependabot alert"

Exemplo de solicitação

get/repos/{owner}/{repo}/dependabot/alerts/{alert_number}
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER

Response

Status: 200
{ "number": 1, "state": "open", "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-8f4m-hccc-8qph", "cve_id": "CVE-2021-20191", "summary": "Insertion of Sensitive Information into Log File in ansible", "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } } ], "severity": "medium", "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "score": 8.5 } }, "epss": [ { "percentage": 0.00045, "percentile": "0.16001e0" } ], "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" }, { "url": "https://access.redhat.com/security/cve/cve-2021-20191" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" } ], "published_at": "2021-06-01T17:38:00Z", "updated_at": "2021-08-12T23:06:00Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/1", "html_url": "https://github.com/octocat/hello-world/security/dependabot/1", "created_at": "2022-06-14T15:21:52Z", "updated_at": "2022-06-14T15:21:52Z", "dismissed_at": null, "dismissed_by": null, "dismissed_reason": null, "dismissed_comment": null, "fixed_at": null }

Update a Dependabot alert

The authenticated user must have access to security alerts for the repository to use this endpoint. For more information, see "Granting access to security alerts."

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

Tokens de acesso refinados para "Update a Dependabot alert"

Esse ponto de extremidade funciona com os seguintes tipos de token refinados:

O token refinado deve ter os seguintes conjuntos de permissões:

  • "Dependabot alerts" repository permissions (write)

Parâmetros para "Update a Dependabot alert"

Cabeçalhos
accept string

Setting to application/vnd.github+json is recommended.

Parâmetros de caminho
owner string Obrigatório

The account owner of the repository. The name is not case sensitive.

repo string Obrigatório

The name of the repository without the .git extension. The name is not case sensitive.

alert_number integer Obrigatório

The number that identifies a Dependabot alert in its repository. You can find this at the end of the URL for a Dependabot alert within GitHub, or in number fields in the response from the GET /repos/{owner}/{repo}/dependabot/alerts operation.

Parâmetros do corpo
state string Obrigatório

The state of the Dependabot alert. A dismissed_reason must be provided when setting the state to dismissed.

Pode ser um dos: dismissed, open

dismissed_reason string

Required when state is dismissed. A reason for dismissing the alert.

Pode ser um dos: fix_started, inaccurate, no_bandwidth, not_used, tolerable_risk

dismissed_comment string

An optional comment associated with dismissing the alert.

Códigos de status de resposta HTTP para "Update a Dependabot alert"

Código de statusDescrição
200

OK

400

Bad Request

403

Forbidden

404

Resource not found

409

Conflict

422

Validation failed, or the endpoint has been spammed.

Exemplos de código para "Update a Dependabot alert"

Exemplo de solicitação

patch/repos/{owner}/{repo}/dependabot/alerts/{alert_number}
curl -L \ -X PATCH \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER \ -d '{"state":"dismissed","dismissed_reason":"tolerable_risk","dismissed_comment":"This alert is accurate but we use a sanitizer."}'

Response

Status: 200
{ "number": 2, "state": "dismissed", "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-rf4j-j272-fj86", "cve_id": "CVE-2018-6188", "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive", "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } } ], "severity": "high", "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 8.7 } }, "cwes": [ { "cwe_id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" }, { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" }, { "url": "https://usn.ubuntu.com/3559-1/" }, { "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/" }, { "url": "http://www.securitytracker.com/id/1040422" } ], "published_at": "2018-10-03T21:13:54Z", "updated_at": "2022-04-26T18:35:37Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/2", "html_url": "https://github.com/octocat/hello-world/security/dependabot/2", "created_at": "2022-06-15T07:43:03Z", "updated_at": "2022-08-23T14:29:47Z", "dismissed_at": "2022-08-23T14:29:47Z", "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "dismissed_reason": "tolerable_risk", "dismissed_comment": "This alert is accurate but we use a sanitizer.", "fixed_at": null }