
Customizing auto-triage rules to prioritize Dependabot alerts

You can create your own auto-triage rules to control which alerts are dismissed or snoozed, and which alerts you want Dependabot to open pull requests for.

Who can use this feature?

  • Organization owners
  • Security managers
  • Users with "admin" access (can enable, disable, and view auto-triage rules for a repository, and create custom auto-triage rules)

GitHub presets are available for all repository types.

Custom auto-triage rules are available for the following repository types:

About custom auto-triage rules

You can create your own Dependabot auto-triage rules based on alert metadata. You can choose to auto-dismiss alerts indefinitely, or snooze alerts until a patch becomes available, and you can specify which alerts you want Dependabot to open pull requests for. Rules are applied before alert notifications are sent, so creating custom rules that auto-dismiss low-risk alerts will reduce notification noise from future matching alerts.

Since any rules that you create apply to both future and current alerts, you can also use auto-triage rules to manage your Dependabot alerts in bulk.

Repository administrators can create custom auto-triage rules for their repositories. This requires GitHub Advanced Security.

Organization owners and security managers can set custom auto-triage rules at the organization level, and then choose whether a rule is enforced or enabled across all public and private repositories in the organization.

  • Enforced: If an organization-level rule is "enforced", repository administrators cannot edit, disable, or delete the rule.
  • Enabled: If an organization-level rule is "enabled", repository administrators can still disable the rule for their repository.

Note

In the event that an organization-level rule and a repository-level rule specify conflicting behaviors, the action set out by the organization-level rule takes precedence. Dismissal rules always act before rules which trigger Dependabot pull requests.

You can create rules to target alerts using the following metadata:

  • CVE ID
  • CWE
  • Dependency scope (devDependency or runtime)
  • Ecosystem
  • GHSA ID
  • Manifest path (for repository-level rules only)
  • Package name
  • Patch availability
  • Severity
  • EPSS Score

Understanding how custom auto-triage rules and Dependabot security updates interact

You can use custom auto-triage rules to tailor which alerts you want Dependabot to open pull requests for. However, for an "open a pull request" rule to take effect, you must ensure that Dependabot security updates are disabled for the repository (or repositories) that the rule should apply to.

When Dependabot security updates are enabled for a repository, Dependabot will automatically try to open pull requests to resolve every open Dependabot alert that has an available patch. If you prefer to customize this behavior using a rule, you must leave Dependabot security updates disabled.

For more information about enabling or disabling Dependabot security updates for a repository, see Configuring Dependabot security updates.
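As an added example (not GitHub's own code), the small model below applies the precedence rules this page describes in the note under "About custom auto-triage rules" and in the section above: dismissal rules act before pull-request rules, organization-level rules beat repository-level rules, and an "open a pull request" rule is skipped while Dependabot security updates are enabled. The rules, alerts and GHSA IDs are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    # Constructed alert metadata; only the fields this example matches on.
    ghsa_id: str
    package: str
    ecosystem: str
    severity: str            # "low" | "medium" | "high" | "critical"
    scope: str               # "development" | "runtime"
    patch_available: bool

@dataclass
class Rule:
    name: str
    level: str               # "organization" | "repository"
    action: str              # "dismiss" | "open_pr"
    target: dict = field(default_factory=dict)  # alert field -> accepted values
    dismiss_until: str = "indefinitely"         # or "patch" (snooze)
    enabled: bool = True

    def matches(self, alert: Alert) -> bool:
        return all(getattr(alert, k) in v for k, v in self.target.items())

def triage(alert: Alert, rules: list, security_updates_enabled: bool) -> tuple:
    """Return (outcome, rule name). Dismissal rules are evaluated before
    pull-request rules; within each kind, organization rules come first."""
    ordered = sorted(rules, key=lambda r: (r.action != "dismiss",
                                           r.level != "organization"))
    for r in ordered:
        if not r.enabled or not r.matches(alert):
            continue
        if r.action == "dismiss":
            if r.dismiss_until == "patch" and alert.patch_available:
                continue   # snooze no longer applies once a patch exists
            return ("dismissed" if r.dismiss_until == "indefinitely" else "snoozed", r.name)
        if security_updates_enabled or not alert.patch_available:
            continue       # an "open a pull request" rule cannot take effect here
        return ("pull_request", r.name)
    return ("open", None)

# Constructed rules: an organization-level snooze for low-severity dev dependencies,
# and a repository-level rule requesting pull requests for critical npm alerts.
RULES = [
    Rule("snooze low dev deps", "organization", "dismiss",
         {"scope": {"development"}, "severity": {"low"}}, dismiss_until="patch"),
    Rule("PR for critical npm", "repository", "open_pr",
         {"ecosystem": {"npm"}, "severity": {"critical"}}),
]
DEV_LOW = Alert("GHSA-example-0001", "left-pad", "npm", "low", "development", False)
CRITICAL = Alert("GHSA-example-0002", "lodash", "npm", "critical", "runtime", True)
```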

Adding custom auto-triage rules to your repository

Note

During the public preview, you can create up to 10 custom auto-triage rules for a repository.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted with a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security.

  4. Under "Dependabot alerts", click Dependabot rules.

  5. Click New rule.

  6. Under "Rule name", describe what the rule is going to do.

  7. Under "State", use the dropdown menu to select whether the rule should be enabled or disabled for the repository.

  8. Under "Target alerts", select the metadata that you want to use to filter alerts.

  9. Under "Rules", select the action you want to take on alerts that match the metadata:

    • Select Dismiss alerts to auto-dismiss alerts that match the metadata. You can choose to dismiss alerts indefinitely or until a patch is available.
    • Select Open a pull request to resolve this alert if you want Dependabot to suggest changes to resolve alerts that match the targeted metadata. Note that this option is unavailable if you have already selected the option to dismiss alerts indefinitely, or if Dependabot security updates are enabled in your repository settings.
  10. Click Create rule.

Adding custom auto-triage rules to your organization

You can add custom auto-triage rules for all eligible repositories in your organization. For more information, see Configuring global security settings for your organization.

Editing or deleting custom auto-triage rules for your repository

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted with a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security.

  4. Under "Dependabot alerts", click Dependabot rules.

  5. Under "Repository rules", to the right of the rule that you want to edit or delete, click .

  6. To edit a rule, make any changes to the relevant fields, then click Save rule.

  7. To delete a rule, under "Danger zone", click Delete rule.

  8. In the "Are you sure you want to delete this rule?" dialog, review the information, then click Delete rule.

Editing or deleting custom auto-triage rules for your organization

You can edit or delete custom auto-triage rules for all eligible repositories in your organization. For more information, see Configuring global security settings for your organization.