| title | About Dependabot auto-triage rules | ||||||
|---|---|---|---|---|---|---|---|
| intro | {% data variables.dependabot.auto_triage_rules %} are a powerful tool to help you better manage your security alerts at scale. {% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %} that you can use to filter out a substantial amount of false positives. {% data variables.dependabot.custom_rules_caps %} provide control over which alerts are ignored, snoozed, or trigger a {% data variables.product.prodname_dependabot %} security update to resolve the alert. | ||||||
| product | {% data reusables.gated-features.dependabot-auto-triage-rules %} | ||||||
| versions |
|
||||||
| topics |
|
||||||
| shortTitle | Dependabot auto-triage rules | ||||||
| redirect_from |
|
||||||
| contentType | concepts |
{% data variables.dependabot.auto_triage_rules %} allow you to instruct {% data variables.product.prodname_dependabot %} to automatically triage {% data variables.product.prodname_dependabot_alerts %}. You can use {% data variables.dependabot.auto_triage_rules_short %} to automatically dismiss or snooze certain alerts, or specify the alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for. Rules are applied before alert notifications are sent, so enabling rules that auto-dismiss low-risk alerts will prevent notification noise from future matching alerts.
There are two types of {% data variables.dependabot.auto_triage_rules %}:
- {% data variables.dependabot.github_presets %}
- {% data variables.dependabot.custom_rules_caps %}
Note
{% data reusables.dependabot.dependabot-github-preset-auto-triage-rules %}
{% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %}. {% data reusables.dependabot.dismiss-low-impact-rule %}
The rule is enabled by default for public repositories and can be opted into for private repositories. You can enable the rule for a private repository via the Settings tab for the repository. For more information, see Enabling the Dismiss low impact issues for development-scoped dependencies rule for your private repository.
Note
{% data reusables.gated-features.dependabot-custom-auto-triage-rules %}
With {% data variables.dependabot.custom_rules %}, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see AUTOTITLE.
You can create custom rules from the Settings tab of the repository, provided the repository belongs to an organization that has a license for {% data variables.product.prodname_GHAS_or_code_security %}. For more information, see Adding custom auto-triage rules to your repository.
Whilst you may find it useful to use auto-triage rules to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see AUTOTITLE.
Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example:
- If you change the scope of a dependency from development to production.
- If {% data variables.product.company_short %} modifies certain metadata for the related advisory.
Auto-dismissed alerts are defined by the resolution:auto-dismiss close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see AUTOTITLE, and the "repository_vulnerability_alert" section in AUTOTITLE.