
About Dependabot auto-triage rules

Dependabot auto-triage rules are a powerful tool that helps you manage security alerts at scale more efficiently. GitHub presets are rules curated by GitHub; using them lets you filter out a substantial number of false positives. Custom auto-triage rules give you control over which alerts are dismissed or snoozed, and which alerts trigger a Dependabot security update.

Who can use this feature?

People with write permissions can view Dependabot auto-triage rules for the repository. People with admin permissions to a repository can enable or disable auto-triage rules for the repository, as well as create custom auto-triage rules. Additionally, organization owners and security managers can set auto-triage rules at the organization level and optionally choose to enforce rules for repositories in the organization.

About Dependabot auto-triage rules

Dependabot auto-triage rules allow you to instruct Dependabot to automatically triage Dependabot alerts. You can use auto-triage rules to automatically dismiss or snooze certain alerts, or specify the alerts you want Dependabot to open pull requests for.

There are two types of Dependabot auto-triage rules:

  • GitHub presets
  • Custom auto-triage rules

About GitHub presets

GitHub presets for Dependabot alerts are rules that are available for all repositories.

GitHub presets are rules curated by GitHub. The Dismiss low impact issues for development-scoped dependencies rule is a GitHub preset. This rule auto-dismisses certain types of vulnerabilities that are found in npm dependencies used in development. The rule has been curated to reduce false positives and alert fatigue. You cannot modify GitHub presets. For more information about GitHub presets, see "Using GitHub preset rules to prioritize Dependabot alerts."

The rule is enabled by default for public repositories and can be opted into for private repositories. You can enable the rule for a private repository via the Settings tab for the repository. For more information, see "Enabling the Dismiss low impact issues for development-scoped dependencies rule for your private repository."

About custom auto-triage rules

Custom auto-triage rules for Dependabot alerts are available for organization-owned repositories in GitHub Enterprise Server. This feature requires a license for GitHub Advanced Security.

With custom auto-triage rules, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which alerts you want Dependabot to open pull requests for. For more information, see "Customizing auto-triage rules to prioritize Dependabot alerts."

You can create custom rules from the Settings tab of the repository, provided the repository belongs to an organization that has a license for GitHub Advanced Security. For more information, see "Adding custom auto-triage rules to your repository."

About auto-dismissing alerts

Whilst you may find it useful to use auto-triage rules to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see "Managing alerts that have been automatically dismissed by a Dependabot auto-triage rule."

Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example:

  • If you change the scope of a dependency from development to production.
  • If GitHub modifies certain metadata for the related advisory.

Auto-dismissed alerts are defined by the resolution:auto-dismiss close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see "REST API endpoints for Dependabot alerts," and the "repository_vulnerability_alert" section in "Reviewing the audit log for your organization."
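As an added example (not GitHub's code and not its rule syntax, which is configured in repository or organization settings), the script below dry-runs a candidate custom rule against alerts exported from the REST API, matching on the metadata named above (severity, package name, CWE, dependency scope), and lists alerts already in the auto_dismissed state separately so they can be reviewed. The Rule type, the matching logic and the sample alerts are this example's own constructions.

```python
"""Dry-run a candidate auto-triage rule against exported Dependabot alerts.
Alerts follow the REST API "List Dependabot alerts" object shape; Rule and
matches() are this example's simplification, not GitHub's rule syntax."""
from dataclasses import dataclass, field

def _alert(num, state, name, scope, sev, cwe):
    """Build a constructed alert shaped like a REST API alert object (not real data)."""
    return {"number": num, "state": state,
            "dependency": {"package": {"ecosystem": "npm", "name": name}, "scope": scope},
            "security_vulnerability": {"severity": sev},
            "security_advisory": {"cwes": [{"cwe_id": cwe}]}}

# Constructed sample: two open alerts and one that a rule already auto-dismissed.
SAMPLE_ALERTS = [
    _alert(1, "open", "pkg-a", "development", "low", "CWE-400"),
    _alert(2, "open", "pkg-b", "runtime", "low", "CWE-400"),
    _alert(3, "auto_dismissed", "pkg-c", "development", "moderate", "CWE-1333"),
]

@dataclass
class Rule:
    """Metadata filters; an empty set means 'any value' for that field."""
    severities: set = field(default_factory=set)
    packages: set = field(default_factory=set)
    cwes: set = field(default_factory=set)
    scopes: set = field(default_factory=set)

def matches(rule: Rule, alert: dict) -> bool:
    """True when every non-empty filter intersects the alert's values for that field."""
    dep = alert["dependency"]
    checks = [
        (rule.severities, {alert["security_vulnerability"]["severity"]}),
        (rule.packages, {dep["package"]["name"]}),
        (rule.scopes, {dep["scope"]}),
        (rule.cwes, {c["cwe_id"] for c in alert["security_advisory"]["cwes"]}),
    ]
    return all(not wanted or wanted & actual for wanted, actual in checks)

def dry_run(alerts: list, rule: Rule) -> dict:
    """Partition alerts: open ones the rule would dismiss, open ones it leaves,
    and ones already auto-dismissed (listed separately so they get reviewed)."""
    out = {"would_dismiss": [], "still_open": [], "already_auto_dismissed": []}
    for a in alerts:
        if a["state"] == "auto_dismissed":
            out["already_auto_dismissed"].append(a["number"])
        elif a["state"] == "open":
            out["would_dismiss" if matches(rule, a) else "still_open"].append(a["number"])
    return out
```

Calling `dry_run(SAMPLE_ALERTS, Rule(severities={"low"}, scopes={"development"}))` reports alert 1 as would_dismiss, alert 2 as still_open (runtime scope) and alert 3 as already auto-dismissed; feed it the JSON from the REST endpoint to check a rule before enabling it.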

Further reading