Dependabot alerts

Use a API REST para interagir com os alertas do Dependabot com relação a um repositório.

Observação: a capacidade de usar a API REST para gerenciar os alertas do Dependabot está atualmente em versão beta pública e sujeita a alterações.

Sobre Dependabot alerts

É possível exibir os alertas do Dependabot para um repositório e atualizar alertas individuais com a API REST. Para obter mais informações, confira "Sobre alertas do Dependabot".

List Dependabot alerts for an enterprise

Lists Dependabot alerts for repositories that are owned by the specified enterprise. To use this endpoint, you must be a member of the enterprise, and you must use an access token with the repo scope or security_events scope. Alerts are only returned for organizations in the enterprise for which you are an organization owner or a security manager. For more information about security managers, see "Managing security managers in your organization."

Parâmetros para "List Dependabot alerts for an enterprise"

Cabeçalhos
Nome, Type, Descrição
`accept` string Setting to `application/vnd.github+json` is recommended.

Parâmetros de caminho
Nome, Type, Descrição
`enterprise` string Obrigatório The slug version of the enterprise name. You can also substitute this value with the enterprise id.

Parâmetros de consulta
Nome, Type, Descrição
`state` string A comma-separated list of states. If specified, only alerts with these states will be returned. Can be: `auto_dismissed`, `dismissed`, `fixed`, `open`
`severity` string A comma-separated list of severities. If specified, only alerts with these severities will be returned. Can be: `low`, `medium`, `high`, `critical`
`ecosystem` string A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned. Can be: `composer`, `go`, `maven`, `npm`, `nuget`, `pip`, `pub`, `rubygems`, `rust`
`package` string A comma-separated list of package names. If specified, only alerts for these packages will be returned.
`scope` string The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned. Pode ser um dos: `development`, `runtime`
`sort` string The property by which to sort the results. `created` means when the alert was created. `updated` means when the alert's state last changed. Padrão: `created` Pode ser um dos: `created`, `updated`
`direction` string The direction to sort the results by. Padrão: `desc` Pode ser um dos: `asc`, `desc`
`before` string A cursor, as given in the Link header. If specified, the query only searches for results before this cursor.
`after` string A cursor, as given in the Link header. If specified, the query only searches for results after this cursor.
`first` integer Deprecated. The number of results per page (max 100), starting from the first matching result. This parameter must not be used in combination with `last`. Instead, use `per_page` in combination with `after` to fetch the first page of results. Padrão: `30`
`last` integer Deprecated. The number of results per page (max 100), starting from the last matching result. This parameter must not be used in combination with `first`. Instead, use `per_page` in combination with `before` to fetch the last page of results.
`per_page` integer The number of results per page (max 100). Padrão: `30`

Códigos de status de resposta HTTP para "List Dependabot alerts for an enterprise"

Código de status	Descrição
`200`	OK
`304`	Not modified
`403`	Forbidden
`404`	Resource not found
`422`	Validation failed, or the endpoint has been spammed.

Exemplos de código para "List Dependabot alerts for an enterprise"

get/enterprises/{enterprise}/dependabot/alerts

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/enterprises/ENTERPRISE/dependabot/alerts

Response

Status: 200

[
  {
    "number": 2,
    "state": "dismissed",
    "dependency": {
      "package": {
        "ecosystem": "pip",
        "name": "django"
      },
      "manifest_path": "path/to/requirements.txt",
      "scope": "runtime"
    },
    "security_advisory": {
      "ghsa_id": "GHSA-rf4j-j272-fj86",
      "cve_id": "CVE-2018-6188",
      "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
      "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
      "vulnerabilities": [
        {
          "package": {
            "ecosystem": "pip",
            "name": "django"
          },
          "severity": "high",
          "vulnerable_version_range": ">= 2.0.0, < 2.0.2",
          "first_patched_version": {
            "identifier": "2.0.2"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "django"
          },
          "severity": "high",
          "vulnerable_version_range": ">= 1.11.8, < 1.11.10",
          "first_patched_version": {
            "identifier": "1.11.10"
          }
        }
      ],
      "severity": "high",
      "cvss": {
        "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "score": 7.5
      },
      "cwes": [
        {
          "cwe_id": "CWE-200",
          "name": "Exposure of Sensitive Information to an Unauthorized Actor"
        }
      ],
      "identifiers": [
        {
          "type": "GHSA",
          "value": "GHSA-rf4j-j272-fj86"
        },
        {
          "type": "CVE",
          "value": "CVE-2018-6188"
        }
      ],
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
        },
        {
          "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86"
        },
        {
          "url": "https://usn.ubuntu.com/3559-1/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
        },
        {
          "url": "http://www.securitytracker.com/id/1040422"
        }
      ],
      "published_at": "2018-10-03T21:13:54Z",
      "updated_at": "2022-04-26T18:35:37Z",
      "withdrawn_at": null
    },
    "security_vulnerability": {
      "package": {
        "ecosystem": "pip",
        "name": "django"
      },
      "severity": "high",
      "vulnerable_version_range": ">= 2.0.0, < 2.0.2",
      "first_patched_version": {
        "identifier": "2.0.2"
      }
    },
    "url": "https://api.github.com/repos/octo-org/octo-repo/dependabot/alerts/2",
    "html_url": "https://github.com/octo-org/octo-repo/security/dependabot/2",
    "created_at": "2022-06-15T07:43:03Z",
    "updated_at": "2022-08-23T14:29:47Z",
    "dismissed_at": "2022-08-23T14:29:47Z",
    "dismissed_by": {
      "login": "octocat",
      "id": 1,
      "node_id": "MDQ6VXNlcjE=",
      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
      "gravatar_id": "",
      "url": "https://api.github.com/users/octocat",
      "html_url": "https://github.com/octocat",
      "followers_url": "https://api.github.com/users/octocat/followers",
      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
      "organizations_url": "https://api.github.com/users/octocat/orgs",
      "repos_url": "https://api.github.com/users/octocat/repos",
      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
      "received_events_url": "https://api.github.com/users/octocat/received_events",
      "type": "User",
      "site_admin": false
    },
    "dismissed_reason": "tolerable_risk",
    "dismissed_comment": "This alert is accurate but we use a sanitizer.",
    "fixed_at": null,
    "repository": {
      "id": 217723378,
      "node_id": "MDEwOlJlcG9zaXRvcnkyMTc3MjMzNzg=",
      "name": "octo-repo",
      "full_name": "octo-org/octo-repo",
      "owner": {
        "login": "octo-org",
        "id": 6811672,
        "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=",
        "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/octo-org",
        "html_url": "https://github.com/octo-org",
        "followers_url": "https://api.github.com/users/octo-org/followers",
        "following_url": "https://api.github.com/users/octo-org/following{/other_user}",
        "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions",
        "organizations_url": "https://api.github.com/users/octo-org/orgs",
        "repos_url": "https://api.github.com/users/octo-org/repos",
        "events_url": "https://api.github.com/users/octo-org/events{/privacy}",
        "received_events_url": "https://api.github.com/users/octo-org/received_events",
        "type": "Organization",
        "site_admin": false
      },
      "private": true,
      "html_url": "https://github.com/octo-org/octo-repo",
      "description": null,
      "fork": false,
      "url": "https://api.github.com/repos/octo-org/octo-repo",
      "archive_url": "https://api.github.com/repos/octo-org/octo-repo/{archive_format}{/ref}",
      "assignees_url": "https://api.github.com/repos/octo-org/octo-repo/assignees{/user}",
      "blobs_url": "https://api.github.com/repos/octo-org/octo-repo/git/blobs{/sha}",
      "branches_url": "https://api.github.com/repos/octo-org/octo-repo/branches{/branch}",
      "collaborators_url": "https://api.github.com/repos/octo-org/octo-repo/collaborators{/collaborator}",
      "comments_url": "https://api.github.com/repos/octo-org/octo-repo/comments{/number}",
      "commits_url": "https://api.github.com/repos/octo-org/octo-repo/commits{/sha}",
      "compare_url": "https://api.github.com/repos/octo-org/octo-repo/compare/{base}...{head}",
      "contents_url": "https://api.github.com/repos/octo-org/octo-repo/contents/{+path}",
      "contributors_url": "https://api.github.com/repos/octo-org/octo-repo/contributors",
      "deployments_url": "https://api.github.com/repos/octo-org/octo-repo/deployments",
      "downloads_url": "https://api.github.com/repos/octo-org/octo-repo/downloads",
      "events_url": "https://api.github.com/repos/octo-org/octo-repo/events",
      "forks_url": "https://api.github.com/repos/octo-org/octo-repo/forks",
      "git_commits_url": "https://api.github.com/repos/octo-org/octo-repo/git/commits{/sha}",
      "git_refs_url": "https://api.github.com/repos/octo-org/octo-repo/git/refs{/sha}",
      "git_tags_url": "https://api.github.com/repos/octo-org/octo-repo/git/tags{/sha}",
      "hooks_url": "https://api.github.com/repos/octo-org/octo-repo/hooks",
      "issue_comment_url": "https://api.github.com/repos/octo-org/octo-repo/issues/comments{/number}",
      "issue_events_url": "https://api.github.com/repos/octo-org/octo-repo/issues/events{/number}",
      "issues_url": "https://api.github.com/repos/octo-org/octo-repo/issues{/number}",
      "keys_url": "https://api.github.com/repos/octo-org/octo-repo/keys{/key_id}",
      "labels_url": "https://api.github.com/repos/octo-org/octo-repo/labels{/name}",
      "languages_url": "https://api.github.com/repos/octo-org/octo-repo/languages",
      "merges_url": "https://api.github.com/repos/octo-org/octo-repo/merges",
      "milestones_url": "https://api.github.com/repos/octo-org/octo-repo/milestones{/number}",
      "notifications_url": "https://api.github.com/repos/octo-org/octo-repo/notifications{?since,all,participating}",
      "pulls_url": "https://api.github.com/repos/octo-org/octo-repo/pulls{/number}",
      "releases_url": "https://api.github.com/repos/octo-org/octo-repo/releases{/id}",
      "stargazers_url": "https://api.github.com/repos/octo-org/octo-repo/stargazers",
      "statuses_url": "https://api.github.com/repos/octo-org/octo-repo/statuses/{sha}",
      "subscribers_url": "https://api.github.com/repos/octo-org/octo-repo/subscribers",
      "subscription_url": "https://api.github.com/repos/octo-org/octo-repo/subscription",
      "tags_url": "https://api.github.com/repos/octo-org/octo-repo/tags",
      "teams_url": "https://api.github.com/repos/octo-org/octo-repo/teams",
      "trees_url": "https://api.github.com/repos/octo-org/octo-repo/git/trees{/sha}"
    }
  },
  {
    "number": 1,
    "state": "open",
    "dependency": {
      "package": {
        "ecosystem": "pip",
        "name": "ansible"
      },
      "manifest_path": "path/to/requirements.txt",
      "scope": "runtime"
    },
    "security_advisory": {
      "ghsa_id": "GHSA-8f4m-hccc-8qph",
      "cve_id": "CVE-2021-20191",
      "summary": "Insertion of Sensitive Information into Log File in ansible",
      "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
      "vulnerabilities": [
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": ">= 2.9.0, < 2.9.18",
          "first_patched_version": {
            "identifier": "2.9.18"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": "< 2.8.19",
          "first_patched_version": {
            "identifier": "2.8.19"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": ">= 2.10.0, < 2.10.7",
          "first_patched_version": {
            "identifier": "2.10.7"
          }
        }
      ],
      "severity": "medium",
      "cvss": {
        "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "score": 5.5
      },
      "cwes": [
        {
          "cwe_id": "CWE-532",
          "name": "Insertion of Sensitive Information into Log File"
        }
      ],
      "identifiers": [
        {
          "type": "GHSA",
          "value": "GHSA-8f4m-hccc-8qph"
        },
        {
          "type": "CVE",
          "value": "CVE-2021-20191"
        }
      ],
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
        },
        {
          "url": "https://access.redhat.com/security/cve/cve-2021-20191"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
        }
      ],
      "published_at": "2021-06-01T17:38:00Z",
      "updated_at": "2021-08-12T23:06:00Z",
      "withdrawn_at": null
    },
    "security_vulnerability": {
      "package": {
        "ecosystem": "pip",
        "name": "ansible"
      },
      "severity": "medium",
      "vulnerable_version_range": "< 2.8.19",
      "first_patched_version": {
        "identifier": "2.8.19"
      }
    },
    "url": "https://api.github.com/repos/octo-org/hello-world/dependabot/alerts/1",
    "html_url": "https://github.com/octo-org/hello-world/security/dependabot/1",
    "created_at": "2022-06-14T15:21:52Z",
    "updated_at": "2022-06-14T15:21:52Z",
    "dismissed_at": null,
    "dismissed_by": null,
    "dismissed_reason": null,
    "dismissed_comment": null,
    "fixed_at": null,
    "repository": {
      "id": 664700648,
      "node_id": "MDEwOlJlcG9zaXRvcnk2NjQ3MDA2NDg=",
      "name": "hello-world",
      "full_name": "octo-org/hello-world",
      "owner": {
        "login": "octo-org",
        "id": 6811672,
        "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=",
        "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/octo-org",
        "html_url": "https://github.com/octo-org",
        "followers_url": "https://api.github.com/users/octo-org/followers",
        "following_url": "https://api.github.com/users/octo-org/following{/other_user}",
        "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions",
        "organizations_url": "https://api.github.com/users/octo-org/orgs",
        "repos_url": "https://api.github.com/users/octo-org/repos",
        "events_url": "https://api.github.com/users/octo-org/events{/privacy}",
        "received_events_url": "https://api.github.com/users/octo-org/received_events",
        "type": "Organization",
        "site_admin": false
      },
      "private": true,
      "html_url": "https://github.com/octo-org/hello-world",
      "description": null,
      "fork": false,
      "url": "https://api.github.com/repos/octo-org/hello-world",
      "archive_url": "https://api.github.com/repos/octo-org/hello-world/{archive_format}{/ref}",
      "assignees_url": "https://api.github.com/repos/octo-org/hello-world/assignees{/user}",
      "blobs_url": "https://api.github.com/repos/octo-org/hello-world/git/blobs{/sha}",
      "branches_url": "https://api.github.com/repos/octo-org/hello-world/branches{/branch}",
      "collaborators_url": "https://api.github.com/repos/octo-org/hello-world/collaborators{/collaborator}",
      "comments_url": "https://api.github.com/repos/octo-org/hello-world/comments{/number}",
      "commits_url": "https://api.github.com/repos/octo-org/hello-world/commits{/sha}",
      "compare_url": "https://api.github.com/repos/octo-org/hello-world/compare/{base}...{head}",
      "contents_url": "https://api.github.com/repos/octo-org/hello-world/contents/{+path}",
      "contributors_url": "https://api.github.com/repos/octo-org/hello-world/contributors",
      "deployments_url": "https://api.github.com/repos/octo-org/hello-world/deployments",
      "downloads_url": "https://api.github.com/repos/octo-org/hello-world/downloads",
      "events_url": "https://api.github.com/repos/octo-org/hello-world/events",
      "forks_url": "https://api.github.com/repos/octo-org/hello-world/forks",
      "git_commits_url": "https://api.github.com/repos/octo-org/hello-world/git/commits{/sha}",
      "git_refs_url": "https://api.github.com/repos/octo-org/hello-world/git/refs{/sha}",
      "git_tags_url": "https://api.github.com/repos/octo-org/hello-world/git/tags{/sha}",
      "hooks_url": "https://api.github.com/repos/octo-org/hello-world/hooks",
      "issue_comment_url": "https://api.github.com/repos/octo-org/hello-world/issues/comments{/number}",
      "issue_events_url": "https://api.github.com/repos/octo-org/hello-world/issues/events{/number}",
      "issues_url": "https://api.github.com/repos/octo-org/hello-world/issues{/number}",
      "keys_url": "https://api.github.com/repos/octo-org/hello-world/keys{/key_id}",
      "labels_url": "https://api.github.com/repos/octo-org/hello-world/labels{/name}",
      "languages_url": "https://api.github.com/repos/octo-org/hello-world/languages",
      "merges_url": "https://api.github.com/repos/octo-org/hello-world/merges",
      "milestones_url": "https://api.github.com/repos/octo-org/hello-world/milestones{/number}",
      "notifications_url": "https://api.github.com/repos/octo-org/hello-world/notifications{?since,all,participating}",
      "pulls_url": "https://api.github.com/repos/octo-org/hello-world/pulls{/number}",
      "releases_url": "https://api.github.com/repos/octo-org/hello-world/releases{/id}",
      "stargazers_url": "https://api.github.com/repos/octo-org/hello-world/stargazers",
      "statuses_url": "https://api.github.com/repos/octo-org/hello-world/statuses/{sha}",
      "subscribers_url": "https://api.github.com/repos/octo-org/hello-world/subscribers",
      "subscription_url": "https://api.github.com/repos/octo-org/hello-world/subscription",
      "tags_url": "https://api.github.com/repos/octo-org/hello-world/tags",
      "teams_url": "https://api.github.com/repos/octo-org/hello-world/teams",
      "trees_url": "https://api.github.com/repos/octo-org/hello-world/git/trees{/sha}"
    }
  }
]

List Dependabot alerts for an organization

Funciona com GitHub Apps

Lists Dependabot alerts for an organization.

To use this endpoint, you must be an owner or security manager for the organization, and you must use an access token with the repo scope or security_events scope.

For public repositories, you may instead use the public_repo scope.

GitHub Apps must have Dependabot alerts read permission to use this endpoint.

Parâmetros para "List Dependabot alerts for an organization"

Cabeçalhos
Nome, Type, Descrição
`accept` string Setting to `application/vnd.github+json` is recommended.

Parâmetros de caminho
Nome, Type, Descrição
`org` string Obrigatório The organization name. The name is not case sensitive.

Parâmetros de consulta
Nome, Type, Descrição
`state` string A comma-separated list of states. If specified, only alerts with these states will be returned. Can be: `auto_dismissed`, `dismissed`, `fixed`, `open`
`severity` string A comma-separated list of severities. If specified, only alerts with these severities will be returned. Can be: `low`, `medium`, `high`, `critical`
`ecosystem` string A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned. Can be: `composer`, `go`, `maven`, `npm`, `nuget`, `pip`, `pub`, `rubygems`, `rust`
`package` string A comma-separated list of package names. If specified, only alerts for these packages will be returned.
`scope` string The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned. Pode ser um dos: `development`, `runtime`
`sort` string The property by which to sort the results. `created` means when the alert was created. `updated` means when the alert's state last changed. Padrão: `created` Pode ser um dos: `created`, `updated`
`direction` string The direction to sort the results by. Padrão: `desc` Pode ser um dos: `asc`, `desc`
`before` string A cursor, as given in the Link header. If specified, the query only searches for results before this cursor.
`after` string A cursor, as given in the Link header. If specified, the query only searches for results after this cursor.
`first` integer Deprecated. The number of results per page (max 100), starting from the first matching result. This parameter must not be used in combination with `last`. Instead, use `per_page` in combination with `after` to fetch the first page of results. Padrão: `30`
`last` integer Deprecated. The number of results per page (max 100), starting from the last matching result. This parameter must not be used in combination with `first`. Instead, use `per_page` in combination with `before` to fetch the last page of results.
`per_page` integer The number of results per page (max 100). Padrão: `30`

Códigos de status de resposta HTTP para "List Dependabot alerts for an organization"

Código de status	Descrição
`200`	OK
`304`	Not modified
`400`	Bad Request
`403`	Forbidden
`404`	Resource not found
`422`	Validation failed, or the endpoint has been spammed.

Exemplos de código para "List Dependabot alerts for an organization"

get/orgs/{org}/dependabot/alerts

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/ORG/dependabot/alerts

Response

Status: 200

[
  {
    "number": 2,
    "state": "dismissed",
    "dependency": {
      "package": {
        "ecosystem": "pip",
        "name": "django"
      },
      "manifest_path": "path/to/requirements.txt",
      "scope": "runtime"
    },
    "security_advisory": {
      "ghsa_id": "GHSA-rf4j-j272-fj86",
      "cve_id": "CVE-2018-6188",
      "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
      "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
      "vulnerabilities": [
        {
          "package": {
            "ecosystem": "pip",
            "name": "django"
          },
          "severity": "high",
          "vulnerable_version_range": ">= 2.0.0, < 2.0.2",
          "first_patched_version": {
            "identifier": "2.0.2"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "django"
          },
          "severity": "high",
          "vulnerable_version_range": ">= 1.11.8, < 1.11.10",
          "first_patched_version": {
            "identifier": "1.11.10"
          }
        }
      ],
      "severity": "high",
      "cvss": {
        "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "score": 7.5
      },
      "cwes": [
        {
          "cwe_id": "CWE-200",
          "name": "Exposure of Sensitive Information to an Unauthorized Actor"
        }
      ],
      "identifiers": [
        {
          "type": "GHSA",
          "value": "GHSA-rf4j-j272-fj86"
        },
        {
          "type": "CVE",
          "value": "CVE-2018-6188"
        }
      ],
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
        },
        {
          "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86"
        },
        {
          "url": "https://usn.ubuntu.com/3559-1/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
        },
        {
          "url": "http://www.securitytracker.com/id/1040422"
        }
      ],
      "published_at": "2018-10-03T21:13:54Z",
      "updated_at": "2022-04-26T18:35:37Z",
      "withdrawn_at": null
    },
    "security_vulnerability": {
      "package": {
        "ecosystem": "pip",
        "name": "django"
      },
      "severity": "high",
      "vulnerable_version_range": ">= 2.0.0, < 2.0.2",
      "first_patched_version": {
        "identifier": "2.0.2"
      }
    },
    "url": "https://api.github.com/repos/octo-org/octo-repo/dependabot/alerts/2",
    "html_url": "https://github.com/octo-org/octo-repo/security/dependabot/2",
    "created_at": "2022-06-15T07:43:03Z",
    "updated_at": "2022-08-23T14:29:47Z",
    "dismissed_at": "2022-08-23T14:29:47Z",
    "dismissed_by": {
      "login": "octocat",
      "id": 1,
      "node_id": "MDQ6VXNlcjE=",
      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
      "gravatar_id": "",
      "url": "https://api.github.com/users/octocat",
      "html_url": "https://github.com/octocat",
      "followers_url": "https://api.github.com/users/octocat/followers",
      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
      "organizations_url": "https://api.github.com/users/octocat/orgs",
      "repos_url": "https://api.github.com/users/octocat/repos",
      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
      "received_events_url": "https://api.github.com/users/octocat/received_events",
      "type": "User",
      "site_admin": false
    },
    "dismissed_reason": "tolerable_risk",
    "dismissed_comment": "This alert is accurate but we use a sanitizer.",
    "fixed_at": null,
    "repository": {
      "id": 217723378,
      "node_id": "MDEwOlJlcG9zaXRvcnkyMTc3MjMzNzg=",
      "name": "octo-repo",
      "full_name": "octo-org/octo-repo",
      "owner": {
        "login": "octo-org",
        "id": 6811672,
        "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=",
        "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/octo-org",
        "html_url": "https://github.com/octo-org",
        "followers_url": "https://api.github.com/users/octo-org/followers",
        "following_url": "https://api.github.com/users/octo-org/following{/other_user}",
        "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions",
        "organizations_url": "https://api.github.com/users/octo-org/orgs",
        "repos_url": "https://api.github.com/users/octo-org/repos",
        "events_url": "https://api.github.com/users/octo-org/events{/privacy}",
        "received_events_url": "https://api.github.com/users/octo-org/received_events",
        "type": "Organization",
        "site_admin": false
      },
      "private": true,
      "html_url": "https://github.com/octo-org/octo-repo",
      "description": null,
      "fork": false,
      "url": "https://api.github.com/repos/octo-org/octo-repo",
      "archive_url": "https://api.github.com/repos/octo-org/octo-repo/{archive_format}{/ref}",
      "assignees_url": "https://api.github.com/repos/octo-org/octo-repo/assignees{/user}",
      "blobs_url": "https://api.github.com/repos/octo-org/octo-repo/git/blobs{/sha}",
      "branches_url": "https://api.github.com/repos/octo-org/octo-repo/branches{/branch}",
      "collaborators_url": "https://api.github.com/repos/octo-org/octo-repo/collaborators{/collaborator}",
      "comments_url": "https://api.github.com/repos/octo-org/octo-repo/comments{/number}",
      "commits_url": "https://api.github.com/repos/octo-org/octo-repo/commits{/sha}",
      "compare_url": "https://api.github.com/repos/octo-org/octo-repo/compare/{base}...{head}",
      "contents_url": "https://api.github.com/repos/octo-org/octo-repo/contents/{+path}",
      "contributors_url": "https://api.github.com/repos/octo-org/octo-repo/contributors",
      "deployments_url": "https://api.github.com/repos/octo-org/octo-repo/deployments",
      "downloads_url": "https://api.github.com/repos/octo-org/octo-repo/downloads",
      "events_url": "https://api.github.com/repos/octo-org/octo-repo/events",
      "forks_url": "https://api.github.com/repos/octo-org/octo-repo/forks",
      "git_commits_url": "https://api.github.com/repos/octo-org/octo-repo/git/commits{/sha}",
      "git_refs_url": "https://api.github.com/repos/octo-org/octo-repo/git/refs{/sha}",
      "git_tags_url": "https://api.github.com/repos/octo-org/octo-repo/git/tags{/sha}",
      "hooks_url": "https://api.github.com/repos/octo-org/octo-repo/hooks",
      "issue_comment_url": "https://api.github.com/repos/octo-org/octo-repo/issues/comments{/number}",
      "issue_events_url": "https://api.github.com/repos/octo-org/octo-repo/issues/events{/number}",
      "issues_url": "https://api.github.com/repos/octo-org/octo-repo/issues{/number}",
      "keys_url": "https://api.github.com/repos/octo-org/octo-repo/keys{/key_id}",
      "labels_url": "https://api.github.com/repos/octo-org/octo-repo/labels{/name}",
      "languages_url": "https://api.github.com/repos/octo-org/octo-repo/languages",
      "merges_url": "https://api.github.com/repos/octo-org/octo-repo/merges",
      "milestones_url": "https://api.github.com/repos/octo-org/octo-repo/milestones{/number}",
      "notifications_url": "https://api.github.com/repos/octo-org/octo-repo/notifications{?since,all,participating}",
      "pulls_url": "https://api.github.com/repos/octo-org/octo-repo/pulls{/number}",
      "releases_url": "https://api.github.com/repos/octo-org/octo-repo/releases{/id}",
      "stargazers_url": "https://api.github.com/repos/octo-org/octo-repo/stargazers",
      "statuses_url": "https://api.github.com/repos/octo-org/octo-repo/statuses/{sha}",
      "subscribers_url": "https://api.github.com/repos/octo-org/octo-repo/subscribers",
      "subscription_url": "https://api.github.com/repos/octo-org/octo-repo/subscription",
      "tags_url": "https://api.github.com/repos/octo-org/octo-repo/tags",
      "teams_url": "https://api.github.com/repos/octo-org/octo-repo/teams",
      "trees_url": "https://api.github.com/repos/octo-org/octo-repo/git/trees{/sha}"
    }
  },
  {
    "number": 1,
    "state": "open",
    "dependency": {
      "package": {
        "ecosystem": "pip",
        "name": "ansible"
      },
      "manifest_path": "path/to/requirements.txt",
      "scope": "runtime"
    },
    "security_advisory": {
      "ghsa_id": "GHSA-8f4m-hccc-8qph",
      "cve_id": "CVE-2021-20191",
      "summary": "Insertion of Sensitive Information into Log File in ansible",
      "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
      "vulnerabilities": [
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": ">= 2.9.0, < 2.9.18",
          "first_patched_version": {
            "identifier": "2.9.18"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": "< 2.8.19",
          "first_patched_version": {
            "identifier": "2.8.19"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": ">= 2.10.0, < 2.10.7",
          "first_patched_version": {
            "identifier": "2.10.7"
          }
        }
      ],
      "severity": "medium",
      "cvss": {
        "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "score": 5.5
      },
      "cwes": [
        {
          "cwe_id": "CWE-532",
          "name": "Insertion of Sensitive Information into Log File"
        }
      ],
      "identifiers": [
        {
          "type": "GHSA",
          "value": "GHSA-8f4m-hccc-8qph"
        },
        {
          "type": "CVE",
          "value": "CVE-2021-20191"
        }
      ],
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
        },
        {
          "url": "https://access.redhat.com/security/cve/cve-2021-20191"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
        }
      ],
      "published_at": "2021-06-01T17:38:00Z",
      "updated_at": "2021-08-12T23:06:00Z",
      "withdrawn_at": null
    },
    "security_vulnerability": {
      "package": {
        "ecosystem": "pip",
        "name": "ansible"
      },
      "severity": "medium",
      "vulnerable_version_range": "< 2.8.19",
      "first_patched_version": {
        "identifier": "2.8.19"
      }
    },
    "url": "https://api.github.com/repos/octo-org/hello-world/dependabot/alerts/1",
    "html_url": "https://github.com/octo-org/hello-world/security/dependabot/1",
    "created_at": "2022-06-14T15:21:52Z",
    "updated_at": "2022-06-14T15:21:52Z",
    "dismissed_at": null,
    "dismissed_by": null,
    "dismissed_reason": null,
    "dismissed_comment": null,
    "fixed_at": null,
    "repository": {
      "id": 664700648,
      "node_id": "MDEwOlJlcG9zaXRvcnk2NjQ3MDA2NDg=",
      "name": "hello-world",
      "full_name": "octo-org/hello-world",
      "owner": {
        "login": "octo-org",
        "id": 6811672,
        "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=",
        "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/octo-org",
        "html_url": "https://github.com/octo-org",
        "followers_url": "https://api.github.com/users/octo-org/followers",
        "following_url": "https://api.github.com/users/octo-org/following{/other_user}",
        "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions",
        "organizations_url": "https://api.github.com/users/octo-org/orgs",
        "repos_url": "https://api.github.com/users/octo-org/repos",
        "events_url": "https://api.github.com/users/octo-org/events{/privacy}",
        "received_events_url": "https://api.github.com/users/octo-org/received_events",
        "type": "Organization",
        "site_admin": false
      },
      "private": true,
      "html_url": "https://github.com/octo-org/hello-world",
      "description": null,
      "fork": false,
      "url": "https://api.github.com/repos/octo-org/hello-world",
      "archive_url": "https://api.github.com/repos/octo-org/hello-world/{archive_format}{/ref}",
      "assignees_url": "https://api.github.com/repos/octo-org/hello-world/assignees{/user}",
      "blobs_url": "https://api.github.com/repos/octo-org/hello-world/git/blobs{/sha}",
      "branches_url": "https://api.github.com/repos/octo-org/hello-world/branches{/branch}",
      "collaborators_url": "https://api.github.com/repos/octo-org/hello-world/collaborators{/collaborator}",
      "comments_url": "https://api.github.com/repos/octo-org/hello-world/comments{/number}",
      "commits_url": "https://api.github.com/repos/octo-org/hello-world/commits{/sha}",
      "compare_url": "https://api.github.com/repos/octo-org/hello-world/compare/{base}...{head}",
      "contents_url": "https://api.github.com/repos/octo-org/hello-world/contents/{+path}",
      "contributors_url": "https://api.github.com/repos/octo-org/hello-world/contributors",
      "deployments_url": "https://api.github.com/repos/octo-org/hello-world/deployments",
      "downloads_url": "https://api.github.com/repos/octo-org/hello-world/downloads",
      "events_url": "https://api.github.com/repos/octo-org/hello-world/events",
      "forks_url": "https://api.github.com/repos/octo-org/hello-world/forks",
      "git_commits_url": "https://api.github.com/repos/octo-org/hello-world/git/commits{/sha}",
      "git_refs_url": "https://api.github.com/repos/octo-org/hello-world/git/refs{/sha}",
      "git_tags_url": "https://api.github.com/repos/octo-org/hello-world/git/tags{/sha}",
      "hooks_url": "https://api.github.com/repos/octo-org/hello-world/hooks",
      "issue_comment_url": "https://api.github.com/repos/octo-org/hello-world/issues/comments{/number}",
      "issue_events_url": "https://api.github.com/repos/octo-org/hello-world/issues/events{/number}",
      "issues_url": "https://api.github.com/repos/octo-org/hello-world/issues{/number}",
      "keys_url": "https://api.github.com/repos/octo-org/hello-world/keys{/key_id}",
      "labels_url": "https://api.github.com/repos/octo-org/hello-world/labels{/name}",
      "languages_url": "https://api.github.com/repos/octo-org/hello-world/languages",
      "merges_url": "https://api.github.com/repos/octo-org/hello-world/merges",
      "milestones_url": "https://api.github.com/repos/octo-org/hello-world/milestones{/number}",
      "notifications_url": "https://api.github.com/repos/octo-org/hello-world/notifications{?since,all,participating}",
      "pulls_url": "https://api.github.com/repos/octo-org/hello-world/pulls{/number}",
      "releases_url": "https://api.github.com/repos/octo-org/hello-world/releases{/id}",
      "stargazers_url": "https://api.github.com/repos/octo-org/hello-world/stargazers",
      "statuses_url": "https://api.github.com/repos/octo-org/hello-world/statuses/{sha}",
      "subscribers_url": "https://api.github.com/repos/octo-org/hello-world/subscribers",
      "subscription_url": "https://api.github.com/repos/octo-org/hello-world/subscription",
      "tags_url": "https://api.github.com/repos/octo-org/hello-world/tags",
      "teams_url": "https://api.github.com/repos/octo-org/hello-world/teams",
      "trees_url": "https://api.github.com/repos/octo-org/hello-world/git/trees{/sha}"
    }
  }
]

List Dependabot alerts for a repository

Funciona com GitHub Apps

You must use an access token with the security_events scope to use this endpoint with private repositories. You can also use tokens with the public_repo scope for public repositories only. GitHub Apps must have Dependabot alerts read permission to use this endpoint.

Parâmetros para "List Dependabot alerts for a repository"

Cabeçalhos
Nome, Type, Descrição
`accept` string Setting to `application/vnd.github+json` is recommended.

Parâmetros de caminho
Nome, Type, Descrição
`owner` string Obrigatório The account owner of the repository. The name is not case sensitive.
`repo` string Obrigatório The name of the repository without the `.git` extension. The name is not case sensitive.

Parâmetros de consulta
Nome, Type, Descrição
`state` string A comma-separated list of states. If specified, only alerts with these states will be returned. Can be: `auto_dismissed`, `dismissed`, `fixed`, `open`
`severity` string A comma-separated list of severities. If specified, only alerts with these severities will be returned. Can be: `low`, `medium`, `high`, `critical`
`ecosystem` string A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned. Can be: `composer`, `go`, `maven`, `npm`, `nuget`, `pip`, `pub`, `rubygems`, `rust`
`package` string A comma-separated list of package names. If specified, only alerts for these packages will be returned.
`manifest` string A comma-separated list of full manifest paths. If specified, only alerts for these manifests will be returned.
`scope` string The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned. Pode ser um dos: `development`, `runtime`
`sort` string The property by which to sort the results. `created` means when the alert was created. `updated` means when the alert's state last changed. Padrão: `created` Pode ser um dos: `created`, `updated`
`direction` string The direction to sort the results by. Padrão: `desc` Pode ser um dos: `asc`, `desc`
`page` integer Deprecated. Page number of the results to fetch. Use cursor-based pagination with `before` or `after` instead. Padrão: `1`
`per_page` integer The number of results per page (max 100). Padrão: `30`
`before` string A cursor, as given in the Link header. If specified, the query only searches for results before this cursor.
`after` string A cursor, as given in the Link header. If specified, the query only searches for results after this cursor.
`first` integer Deprecated. The number of results per page (max 100), starting from the first matching result. This parameter must not be used in combination with `last`. Instead, use `per_page` in combination with `after` to fetch the first page of results. Padrão: `30`
`last` integer Deprecated. The number of results per page (max 100), starting from the last matching result. This parameter must not be used in combination with `first`. Instead, use `per_page` in combination with `before` to fetch the last page of results.

Códigos de status de resposta HTTP para "List Dependabot alerts for a repository"

Código de status	Descrição
`200`	OK
`304`	Not modified
`400`	Bad Request
`403`	Forbidden
`404`	Resource not found
`422`	Validation failed, or the endpoint has been spammed.

Exemplos de código para "List Dependabot alerts for a repository"

get/repos/{owner}/{repo}/dependabot/alerts

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts

Response

Status: 200

[
  {
    "number": 2,
    "state": "dismissed",
    "dependency": {
      "package": {
        "ecosystem": "pip",
        "name": "django"
      },
      "manifest_path": "path/to/requirements.txt",
      "scope": "runtime"
    },
    "security_advisory": {
      "ghsa_id": "GHSA-rf4j-j272-fj86",
      "cve_id": "CVE-2018-6188",
      "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
      "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
      "vulnerabilities": [
        {
          "package": {
            "ecosystem": "pip",
            "name": "django"
          },
          "severity": "high",
          "vulnerable_version_range": ">= 2.0.0, < 2.0.2",
          "first_patched_version": {
            "identifier": "2.0.2"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "django"
          },
          "severity": "high",
          "vulnerable_version_range": ">= 1.11.8, < 1.11.10",
          "first_patched_version": {
            "identifier": "1.11.10"
          }
        }
      ],
      "severity": "high",
      "cvss": {
        "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "score": 7.5
      },
      "cwes": [
        {
          "cwe_id": "CWE-200",
          "name": "Exposure of Sensitive Information to an Unauthorized Actor"
        }
      ],
      "identifiers": [
        {
          "type": "GHSA",
          "value": "GHSA-rf4j-j272-fj86"
        },
        {
          "type": "CVE",
          "value": "CVE-2018-6188"
        }
      ],
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
        },
        {
          "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86"
        },
        {
          "url": "https://usn.ubuntu.com/3559-1/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
        },
        {
          "url": "http://www.securitytracker.com/id/1040422"
        }
      ],
      "published_at": "2018-10-03T21:13:54Z",
      "updated_at": "2022-04-26T18:35:37Z",
      "withdrawn_at": null
    },
    "security_vulnerability": {
      "package": {
        "ecosystem": "pip",
        "name": "django"
      },
      "severity": "high",
      "vulnerable_version_range": ">= 2.0.0, < 2.0.2",
      "first_patched_version": {
        "identifier": "2.0.2"
      }
    },
    "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/2",
    "html_url": "https://github.com/octocat/hello-world/security/dependabot/2",
    "created_at": "2022-06-15T07:43:03Z",
    "updated_at": "2022-08-23T14:29:47Z",
    "dismissed_at": "2022-08-23T14:29:47Z",
    "dismissed_by": {
      "login": "octocat",
      "id": 1,
      "node_id": "MDQ6VXNlcjE=",
      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
      "gravatar_id": "",
      "url": "https://api.github.com/users/octocat",
      "html_url": "https://github.com/octocat",
      "followers_url": "https://api.github.com/users/octocat/followers",
      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
      "organizations_url": "https://api.github.com/users/octocat/orgs",
      "repos_url": "https://api.github.com/users/octocat/repos",
      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
      "received_events_url": "https://api.github.com/users/octocat/received_events",
      "type": "User",
      "site_admin": false
    },
    "dismissed_reason": "tolerable_risk",
    "dismissed_comment": "This alert is accurate but we use a sanitizer.",
    "fixed_at": null
  },
  {
    "number": 1,
    "state": "open",
    "dependency": {
      "package": {
        "ecosystem": "pip",
        "name": "ansible"
      },
      "manifest_path": "path/to/requirements.txt",
      "scope": "runtime"
    },
    "security_advisory": {
      "ghsa_id": "GHSA-8f4m-hccc-8qph",
      "cve_id": "CVE-2021-20191",
      "summary": "Insertion of Sensitive Information into Log File in ansible",
      "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
      "vulnerabilities": [
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": ">= 2.9.0, < 2.9.18",
          "first_patched_version": {
            "identifier": "2.9.18"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": "< 2.8.19",
          "first_patched_version": {
            "identifier": "2.8.19"
          }
        },
        {
          "package": {
            "ecosystem": "pip",
            "name": "ansible"
          },
          "severity": "medium",
          "vulnerable_version_range": ">= 2.10.0, < 2.10.7",
          "first_patched_version": {
            "identifier": "2.10.7"
          }
        }
      ],
      "severity": "medium",
      "cvss": {
        "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "score": 5.5
      },
      "cwes": [
        {
          "cwe_id": "CWE-532",
          "name": "Insertion of Sensitive Information into Log File"
        }
      ],
      "identifiers": [
        {
          "type": "GHSA",
          "value": "GHSA-8f4m-hccc-8qph"
        },
        {
          "type": "CVE",
          "value": "CVE-2021-20191"
        }
      ],
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
        },
        {
          "url": "https://access.redhat.com/security/cve/cve-2021-20191"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
        }
      ],
      "published_at": "2021-06-01T17:38:00Z",
      "updated_at": "2021-08-12T23:06:00Z",
      "withdrawn_at": null
    },
    "security_vulnerability": {
      "package": {
        "ecosystem": "pip",
        "name": "ansible"
      },
      "severity": "medium",
      "vulnerable_version_range": "< 2.8.19",
      "first_patched_version": {
        "identifier": "2.8.19"
      }
    },
    "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/1",
    "html_url": "https://github.com/octocat/hello-world/security/dependabot/1",
    "created_at": "2022-06-14T15:21:52Z",
    "updated_at": "2022-06-14T15:21:52Z",
    "dismissed_at": null,
    "dismissed_by": null,
    "dismissed_reason": null,
    "dismissed_comment": null,
    "fixed_at": null
  }
]

Get a Dependabot alert

Funciona com GitHub Apps

You must use an access token with the security_events scope to use this endpoint with private repositories. You can also use tokens with the public_repo scope for public repositories only. GitHub Apps must have Dependabot alerts read permission to use this endpoint.

Parâmetros para "Get a Dependabot alert"

Cabeçalhos
Nome, Type, Descrição
`accept` string Setting to `application/vnd.github+json` is recommended.

Parâmetros de caminho
Nome, Type, Descrição
`owner` string Obrigatório The account owner of the repository. The name is not case sensitive.
`repo` string Obrigatório The name of the repository without the `.git` extension. The name is not case sensitive.
`alert_number` integer Obrigatório The number that identifies a Dependabot alert in its repository. You can find this at the end of the URL for a Dependabot alert within GitHub, or in `number` fields in the response from the `GET /repos/{owner}/{repo}/dependabot/alerts` operation.

Códigos de status de resposta HTTP para "Get a Dependabot alert"

Código de status	Descrição
`200`	OK
`304`	Not modified
`403`	Forbidden
`404`	Resource not found

Exemplos de código para "Get a Dependabot alert"

get/repos/{owner}/{repo}/dependabot/alerts/{alert_number}

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER

Response

Status: 200

{
  "number": 1,
  "state": "open",
  "dependency": {
    "package": {
      "ecosystem": "pip",
      "name": "ansible"
    },
    "manifest_path": "path/to/requirements.txt",
    "scope": "runtime"
  },
  "security_advisory": {
    "ghsa_id": "GHSA-8f4m-hccc-8qph",
    "cve_id": "CVE-2021-20191",
    "summary": "Insertion of Sensitive Information into Log File in ansible",
    "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
    "vulnerabilities": [
      {
        "package": {
          "ecosystem": "pip",
          "name": "ansible"
        },
        "severity": "medium",
        "vulnerable_version_range": ">= 2.9.0, < 2.9.18",
        "first_patched_version": {
          "identifier": "2.9.18"
        }
      },
      {
        "package": {
          "ecosystem": "pip",
          "name": "ansible"
        },
        "severity": "medium",
        "vulnerable_version_range": "< 2.8.19",
        "first_patched_version": {
          "identifier": "2.8.19"
        }
      },
      {
        "package": {
          "ecosystem": "pip",
          "name": "ansible"
        },
        "severity": "medium",
        "vulnerable_version_range": ">= 2.10.0, < 2.10.7",
        "first_patched_version": {
          "identifier": "2.10.7"
        }
      }
    ],
    "severity": "medium",
    "cvss": {
      "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "score": 5.5
    },
    "cwes": [
      {
        "cwe_id": "CWE-532",
        "name": "Insertion of Sensitive Information into Log File"
      }
    ],
    "identifiers": [
      {
        "type": "GHSA",
        "value": "GHSA-8f4m-hccc-8qph"
      },
      {
        "type": "CVE",
        "value": "CVE-2021-20191"
      }
    ],
    "references": [
      {
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
      },
      {
        "url": "https://access.redhat.com/security/cve/cve-2021-20191"
      },
      {
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
      }
    ],
    "published_at": "2021-06-01T17:38:00Z",
    "updated_at": "2021-08-12T23:06:00Z",
    "withdrawn_at": null
  },
  "security_vulnerability": {
    "package": {
      "ecosystem": "pip",
      "name": "ansible"
    },
    "severity": "medium",
    "vulnerable_version_range": "< 2.8.19",
    "first_patched_version": {
      "identifier": "2.8.19"
    }
  },
  "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/1",
  "html_url": "https://github.com/octocat/hello-world/security/dependabot/1",
  "created_at": "2022-06-14T15:21:52Z",
  "updated_at": "2022-06-14T15:21:52Z",
  "dismissed_at": null,
  "dismissed_by": null,
  "dismissed_reason": null,
  "dismissed_comment": null,
  "fixed_at": null
}

Update a Dependabot alert

Funciona com GitHub Apps

You must use an access token with the security_events scope to use this endpoint with private repositories. You can also use tokens with the public_repo scope for public repositories only. GitHub Apps must have Dependabot alerts write permission to use this endpoint.

To use this endpoint, you must have access to security alerts for the repository. For more information, see "Granting access to security alerts."

Parâmetros para "Update a Dependabot alert"

Cabeçalhos
Nome, Type, Descrição
`accept` string Setting to `application/vnd.github+json` is recommended.

Parâmetros de caminho
Nome, Type, Descrição
`owner` string Obrigatório The account owner of the repository. The name is not case sensitive.
`repo` string Obrigatório The name of the repository without the `.git` extension. The name is not case sensitive.
`alert_number` integer Obrigatório The number that identifies a Dependabot alert in its repository. You can find this at the end of the URL for a Dependabot alert within GitHub, or in `number` fields in the response from the `GET /repos/{owner}/{repo}/dependabot/alerts` operation.

Parâmetros do corpo
Nome, Type, Descrição
`state` string Obrigatório The state of the Dependabot alert. A `dismissed_reason` must be provided when setting the state to `dismissed`. Pode ser um dos: `dismissed`, `open`
`dismissed_reason` string Required when `state` is `dismissed`. A reason for dismissing the alert. Pode ser um dos: `fix_started`, `inaccurate`, `no_bandwidth`, `not_used`, `tolerable_risk`
`dismissed_comment` string An optional comment associated with dismissing the alert.

Códigos de status de resposta HTTP para "Update a Dependabot alert"

Código de status	Descrição
`200`	OK
`400`	Bad Request
`403`	Forbidden
`404`	Resource not found
`409`	Conflict
`422`	Validation failed, or the endpoint has been spammed.

Exemplos de código para "Update a Dependabot alert"

patch/repos/{owner}/{repo}/dependabot/alerts/{alert_number}

curl -L \
  -X PATCH \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER \
  -d '{"state":"dismissed","dismissed_reason":"tolerable_risk","dismissed_comment":"This alert is accurate but we use a sanitizer."}'

Response

Status: 200

{
  "number": 2,
  "state": "dismissed",
  "dependency": {
    "package": {
      "ecosystem": "pip",
      "name": "django"
    },
    "manifest_path": "path/to/requirements.txt",
    "scope": "runtime"
  },
  "security_advisory": {
    "ghsa_id": "GHSA-rf4j-j272-fj86",
    "cve_id": "CVE-2018-6188",
    "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
    "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
    "vulnerabilities": [
      {
        "package": {
          "ecosystem": "pip",
          "name": "django"
        },
        "severity": "high",
        "vulnerable_version_range": ">= 2.0.0, < 2.0.2",
        "first_patched_version": {
          "identifier": "2.0.2"
        }
      },
      {
        "package": {
          "ecosystem": "pip",
          "name": "django"
        },
        "severity": "high",
        "vulnerable_version_range": ">= 1.11.8, < 1.11.10",
        "first_patched_version": {
          "identifier": "1.11.10"
        }
      }
    ],
    "severity": "high",
    "cvss": {
      "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "score": 7.5
    },
    "cwes": [
      {
        "cwe_id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      }
    ],
    "identifiers": [
      {
        "type": "GHSA",
        "value": "GHSA-rf4j-j272-fj86"
      },
      {
        "type": "CVE",
        "value": "CVE-2018-6188"
      }
    ],
    "references": [
      {
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
      },
      {
        "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86"
      },
      {
        "url": "https://usn.ubuntu.com/3559-1/"
      },
      {
        "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
      },
      {
        "url": "http://www.securitytracker.com/id/1040422"
      }
    ],
    "published_at": "2018-10-03T21:13:54Z",
    "updated_at": "2022-04-26T18:35:37Z",
    "withdrawn_at": null
  },
  "security_vulnerability": {
    "package": {
      "ecosystem": "pip",
      "name": "django"
    },
    "severity": "high",
    "vulnerable_version_range": ">= 2.0.0, < 2.0.2",
    "first_patched_version": {
      "identifier": "2.0.2"
    }
  },
  "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/2",
  "html_url": "https://github.com/octocat/hello-world/security/dependabot/2",
  "created_at": "2022-06-15T07:43:03Z",
  "updated_at": "2022-08-23T14:29:47Z",
  "dismissed_at": "2022-08-23T14:29:47Z",
  "dismissed_by": {
    "login": "octocat",
    "id": 1,
    "node_id": "MDQ6VXNlcjE=",
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "",
    "url": "https://api.github.com/users/octocat",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "repos_url": "https://api.github.com/users/octocat/repos",
    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": false
  },
  "dismissed_reason": "tolerable_risk",
  "dismissed_comment": "This alert is accurate but we use a sanitizer.",
  "fixed_at": null
}