GitHub sends Dependabot alerts when it detects that your repository uses a vulnerable dependency or malware. If you are not familiar with Dependabot yet, see About Dependabot alerts for more information.
GitHub has announced that the Dependabot alerts REST API is now available in public beta.
Endpoints
You must use an access token with the security_events scope to use these endpoints with private repositories. Tokens with the public_repo scope also work, but for public repositories only.
List Dependabot alerts for a repository
GitHub Apps must have Dependabot alerts read permission to use this endpoint.
curl \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts
Get a Dependabot alert
GitHub Apps must have Dependabot alerts read permission to use this endpoint.
curl \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER
Update a Dependabot alert
GitHub Apps must have Dependabot alerts write permission to use this endpoint.
curl \
  -X PATCH \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER \
  -d '{"state":"dismissed","dismissed_reason":"tolerable_risk","dismissed_comment":"This alert is accurate but we use a sanitizer."}'
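A small triage script built on the list and update endpoints above, added here as an example and not part of the original post or of GitHub's own tooling. It assumes the list endpoint's state and per_page query parameters, GitHub's Link-header pagination, the alert response fields security_advisory.severity and security_vulnerability.first_patched_version, and the set of dismissed_reason values the PATCH endpoint accepts; check each against the current API docs. Only the constructed SAMPLE_ALERTS are used offline; fetch_open_alerts needs network access and a token.

```python
import json
import urllib.request
API = "https://api.github.com"
# dismissed_reason values the PATCH endpoint accepts (assumed from the API docs; verify against current docs)
DISMISS_REASONS = {"fix_started", "inappropriate", "no_bandwidth", "not_used", "tolerable_risk"}

def fetch_open_alerts(owner, repo, token, per_page=100):
    """Page through GET /repos/{owner}/{repo}/dependabot/alerts?state=open (network call; not run below)."""
    url = f"{API}/repos/{owner}/{repo}/dependabot/alerts?state=open&per_page={per_page}"
    alerts = []
    while url:
        headers = {"Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}"}
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            alerts.extend(json.load(resp))
            # Follow the rel="next" Link header until the last page has been read.
            links = resp.headers.get("Link", "").split(",")
            url = next((l.split(";")[0].strip(" <>") for l in links if 'rel="next"' in l), None)
    return alerts

def summarize(alerts):
    """Count alerts still in state 'open', keyed by advisory severity."""
    counts = {}
    for a in alerts:
        if a["state"] == "open":
            sev = a["security_advisory"]["severity"]
            counts[sev] = counts.get(sev, 0) + 1
    return counts

def fixable(alerts):
    """Numbers of open alerts whose advisory lists a first patched version (an upgrade is available)."""
    return [a["number"] for a in alerts
            if a["state"] == "open" and a["security_vulnerability"]["first_patched_version"] is not None]

def dismissal_body(reason, comment):
    """Body for PATCH .../dependabot/alerts/{number}; validated locally before any request is sent."""
    if reason not in DISMISS_REASONS:
        raise ValueError(f"unknown dismissed_reason: {reason!r}")
    if len(comment) > 280:  # maximum length of dismissed_comment (assumed from the API docs)
        raise ValueError("dismissed_comment exceeds 280 characters")
    return {"state": "dismissed", "dismissed_reason": reason, "dismissed_comment": comment}

# Constructed sample, trimmed to the fields used above (real responses carry many more fields).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "security_advisory": {"severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "4.17.21"}}},
    {"number": 2, "state": "open", "security_advisory": {"severity": "critical"},
     "security_vulnerability": {"first_patched_version": None}},
    {"number": 3, "state": "dismissed", "security_advisory": {"severity": "low"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.2.3"}}},
]
```

Run summarize and fixable over the alerts to see what is still open and which of those can be closed by an upgrade; only alerts that cannot be fixed should go through dismissal_body, which is where the dismissed_comment from the PATCH example above belongs.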