Customizing auto-triage rules to prioritize Dependabot alerts

En este artículo

You can create your own auto-triage rules to control which alerts are dismissed or snoozed, and which alerts you want Dependabot to open pull requests for.

Quién puede usar esta característica

People with write permissions can view Dependabot auto-triage rules for the repository. People with admin permissions to a repository can enable or disable auto-triage rules for the repository, as well as create custom auto-triage rules. Additionally, organization owners and security managers can set auto-triage rules at the organization-level and optionally choose to enforce rules for repositories in the organization.

Custom auto-triage rules for Dependabot alerts are available on any public repositories (for free), and on any private repositories, when you have a license for GitHub Advanced Security.

Note: Dependabot auto-triage rules are currently in beta and are subject to change.

About custom auto-triage rules

You can create your own Dependabot auto-triage rules based on alert metadata. You can choose to auto-dismiss alerts indefinitely, or snooze alerts until a patch becomes available, and you can specify which alerts you want Dependabot to open pull requests for.

Since any rules that you create apply to both future and current alerts, you can also use auto-triage rules to manage your Dependabot alerts in bulk.

Repository administrators can create custom auto-triage rules for their public repositories.

Organization owners and security managers can set custom auto-triage rules at the organization-level, and then choose if a rule is enforced or enabled across all public repositories in the organization.

  • Enforced: If an organization-level rule is "enforced", repository administrators cannot edit, disable, or delete the rule.
  • Enabled: If an organization-level rule is "enabled", repository administrators can still disable the rule for their repository.

Note: In the event that an organization-level rule and a repository-level rule specify conflicting behaviors, the action set out by the organization-level rule takes precedence. Dismissal rules always act before rules which trigger Dependabot pull requests.

You can create rules to target alerts using the following metadata:

  • Dependency scope (devDependency or runtime)
  • Package name
  • CWE
  • Severity
  • Patch availability
  • Manifest path (for repository-level rules only)
  • Ecosystem

Understanding how custom auto-triage rules and Dependabot security updates interact

You can use custom auto-triage rules to tailor which alerts you want Dependabot to open pull requests for. However, for an "open a pull request" rule to take effect, you must ensure that Dependabot security updates are disabled for the repository (or repositories) that the rule should apply to.

When Dependabot security updates are enabled for a repository, Dependabot will automatically try to open pull requests to resolve every open Dependabot alert that has an available patch. If you prefer to customize this behavior using a rule, you must leave Dependabot security updates disabled.

For more information about enabling or disabling Dependabot security updates for a repository, see "Configuración de actualizaciones de seguridad de Dependabot."

Adding custom auto-triage rules to your repository

Note: During the public beta, you can create up to 10 custom auto-triage rules for a repository.

  1. En GitHub.com, navega a la página principal del repositorio.

  2. En el nombre del repositorio, haz clic en Configuración. Si no puedes ver la pestaña "Configuración", selecciona el menú desplegable y, a continuación, haz clic en Configuración.

    Captura de pantalla de un encabezado de repositorio en el que se muestran las pestañas. La pestaña "Configuración" está resaltada con un contorno naranja oscuro.

  3. En la sección "Seguridad" de la barra lateral, haga clic en Análisis y seguridad del código.

  4. En “Dependabot alerts”, haga clic en junto a reglas “Dependabot”.

  5. Haga clic en Nueva regla.

  6. En “Nombre de la regla”, describa lo que hará esta regla.

  7. Under "State", use the dropdown menu to select whether the rule should be enabled or disabled for the repository.

  8. En "Alertas objetivo", seleccione los metadatos que desea utilizar para filtrar las alertas.

  9. Under "Rules", select the action you want to take on alerts that match the metadata:

    • Select Dismiss alerts to auto-dismiss alerts that match the metadata. You can choose to dismiss alerts indefinitely or until a patch is available.
    • Select Open a pull request to resolve this alert if you want Dependabot to suggest changes to resolve alerts that match the targeted metadata. Note that this option is unavailable if you have already selected the option to dismiss alerts indefinitely, or if Dependabot security updates are enabled in your repository settings.

  10. Haga clic en Crear regla.

Adding custom auto-triage rules to your organization

Note: During the public beta, you can create up to 25 custom auto-triage rules for your organization.

  1. En la esquina superior derecha de GitHub.com, selecciona la foto de perfil y luego haz clic en Sus organizaciones.

    Captura de pantalla del menú desplegable en la imagen de perfil de @octocat. "Sus organizaciones" se destaca en naranja oscuro.

  2. Junto a la organización, haga clic en Settings.

  3. En la sección "Seguridad" de la barra lateral, haga clic en Análisis y seguridad del código.

  4. En "Dependabot", y luego en "Dependabot alerts", haga clic en junto a reglas “Dependabot”.

  5. Haga clic en Nueva regla.

  6. En “Nombre de la regla”, describa lo que hará esta regla.

  7. Under "State", use the dropdown menu to choose how you want to apply the rule.

    • Choose Enforced to prevent repository administrators from being able to edit, disable, or delete the rule in the repository's settings page.
    • Choose Enabled to set the rule on-by-default for all repositories, while also allowing repository administrators to disable the rule in the repository's settings page.
    • Alternatively, you can choose to set the rule as Disabled, which cannot be overridden at the repository level. Disabled rules are hidden for all repositories.

  8. En "Alertas objetivo", seleccione los metadatos que desea utilizar para filtrar las alertas.

  9. Under "Rules", select the action you want to take on alerts that match the metadata:

    • Select Dismiss alerts to auto-dismiss alerts that match the metadata. You can choose to dismiss alerts indefinitely, or until a patch is available.
    • Select Open a pull request to resolve this alert if you want Dependabot to suggest changes to resolve alerts that match the metadata. Note that this option is unavailable if you have selected the option to dismiss the alerts indefinitely.

  10. Haga clic en Crear regla.

Editing or deleting custom auto-triage rules for your repository

  1. En GitHub.com, navega a la página principal del repositorio.

  2. En el nombre del repositorio, haz clic en Configuración. Si no puedes ver la pestaña "Configuración", selecciona el menú desplegable y, a continuación, haz clic en Configuración.

    Captura de pantalla de un encabezado de repositorio en el que se muestran las pestañas. La pestaña "Configuración" está resaltada con un contorno naranja oscuro.

  3. En la sección "Seguridad" de la barra lateral, haga clic en Análisis y seguridad del código.

  4. En “Dependabot alerts”, haga clic en junto a reglas “Dependabot”.

  5. Under "Repository rules", to the right of the rule that you want to edit or delete, click .

  6. Para editar la regla, realice los cambios en los campos aplicables y, a continuación, haga clic en Guardar cambios.

  7. Para eliminar la regla, en "Zona de peligro", haga clic en Eliminar regla.

  8. En el campo "¿Está seguro de que desea eliminar esta regla?" cuadro de diálogo, revise la información y haga clic en Eliminar regla.

Editing or deleting custom auto-triage rules for your organization

  1. En la esquina superior derecha de GitHub.com, selecciona la foto de perfil y luego haz clic en Sus organizaciones.

    Captura de pantalla del menú desplegable en la imagen de perfil de @octocat. "Sus organizaciones" se destaca en naranja oscuro.

  2. Junto a la organización, haga clic en Settings.

  3. En la sección "Seguridad" de la barra lateral, haga clic en Análisis y seguridad del código.

  4. En "Dependabot", y luego en "Dependabot alerts", haga clic en junto a reglas “Dependabot”.

  5. Under "Organization rules", to the right of the rule that you want to edit or delete, click .

  6. Para editar la regla, realice los cambios en los campos aplicables y, a continuación, haga clic en Guardar cambios.

  7. Para eliminar la regla, en "Zona de peligro", haga clic en Eliminar regla.

  8. En el campo "¿Está seguro de que desea eliminar esta regla?" cuadro de diálogo, revise la información y haga clic en Eliminar regla.