Security overview - Security Managers

[samigt]

Hi,

It will be great if the security managers can close & delete alerts in bulk, based on different criteria such as

• Alert name
• Repo topic
• Severity
  ..?

Thanks,
Sami

[jenschelkopf]

Hi @samigt, I'm part of the team responsible for the security manager role. Helping security managers to remediate alerts in bulk is something we very much want to do, and it's great to get this validation that you would find it helpful. Thanks for the feedback, and keep it coming as you find other things that would make your job easier!

[kellyarwine]

👋 Hi, @samigt. Thanks again for the feedback. I'm the product manager for the Security Manager role and I'm interested in understanding more about your security manager needs as we we work to improve that functionality. If you have 30 minutes, I'd be open to chatting. You can set up time with me here.

[samigt]

Sounds great, I will book a slot.

[sduquette-devolutions]

Being able to close alerts on the dependabot overview (/orgs//security/alerts/dependabot) like its possible to do from the individual project pages would be a big QoL improvement for us.

[kellyarwine]

Thanks for the note @sduquette-devolutions. We've noted your feedback in our roadmap tracker. Keep the feedback coming.

[henriquevcosta]

Hi, we have a microservices ecosystem with a shared BOM where one vulnerability actually triggers many dependabot alerts. That's all fine when it's a correct vulnerability, as each service will need to upgrade and get deployed individually, but when it's a false positive that means that we need to close a few hundred alerts. There's a nice overview page at https://github.com/advisories/GHSA-/dependabot but from our experience:

1. It doesn't allow bulk closing alerts
2. The equivalent listing functionality doesn't exist in the REST API, so even if we wanted to implement a tool that would go and close the alerts via the API we wouldn't be able to.

Is there something coming in this space in the near future?

[kellyarwine]

Hi, @henriquevcosta.

First off, I'm really sorry for missing your question. Thanks for your patience.

I totally understand how managing a large number of Dependabot alerts, especially in a microservices setup can be quite a task.

You're right about the current limitations of our overview page and the REST API in terms of bulk closing alerts. I appreciate your feedback on this and have noted it in my customer feedback tracker.

Now, for some good news! Just as I was preparing to respond to your query, we released a new feature that might be a game-changer for your situation: Dependabot auto-triage rules now support CVE IDs and GHSA IDs. This feature allows for a more streamlined management of alerts, especially in scenarios like yours.

Regarding your original question about the API, while it's true that our current API doesn't support bulk closing of alerts directly, there is a workaround. You can retrieve all alerts, filter them based on the advisory you're interested in, and then close each relevant alert using its ID. It's not as straightforward as we'd like, but it's a start.

We're constantly working to improve Dependabot and make it more user-friendly, especially for complex ecosystems. Your feedback is invaluable in this process, and I'll make sure your feedback is considered.