Repo sync #39039
Merged (2 commits) on Jun 24, 2025
1 change: 1 addition & 0 deletions content/code-security/securing-your-organization/index.md
Expand Up @@ -16,6 +16,7 @@ children:
- /enabling-security-features-in-your-organization
- /managing-the-security-of-your-organization
- /understanding-your-organizations-exposure-to-leaked-secrets
- /understanding-your-organizations-exposure-to-vulnerabilites
- /fixing-security-alerts-at-scale
- /troubleshooting-security-configurations
---
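Review bot: the new child path is spelled `/understanding-your-organizations-exposure-to-vulnerabilites` ("vulnerabilites"), while the index article it points to is titled "Understanding your organization's exposure to vulnerabilities". If the directory was created with the same misspelling the link resolves, but the typo then becomes part of the published URL and fixing it later needs a redirect; confirm the intended spelling before merging.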
@@ -0,0 +1,69 @@
---
title: About your exposure to vulnerable dependencies
shortTitle: Dependency vulnerability exposure
intro: 'Understanding your organization’s exposure to vulnerable dependencies is essential for identifying and prioritizing security risks. Leveraging {% data variables.product.prodname_dependabot %} metrics on {% data variables.product.github %} enables you to efficiently assess, prioritize, and remediate vulnerabilities, reducing the likelihood of security breaches.'
allowTitleToDifferFromFilename: true
product: '{% data reusables.gated-features.ghas-billing %}'
versions:
feature: dependabot-metrics
topics:
- Code Security
- Secret Protection
- Organizations
- Security
---

## About exposure to vulnerable dependencies

Assessing your exposure to vulnerable dependencies is crucial if you want to prevent:

* **Supply chain compromise**. Attackers can exploit vulnerabilities in open source or third-party dependencies to inject malicious code, elevate privileges, or gain unauthorized access to your systems. Compromised dependencies can serve as indirect entry points for malicious actors, leading to wide-reaching security incidents.

* **Widespread propagation of risk**. Vulnerable dependencies are often reused across multiple applications and services, meaning a single flaw can propagate throughout your organization, compounding the risk and impact of exploitation.

* **Unplanned downtime and operational disruption**. Exploitation of dependency vulnerabilities can result in application outages, degraded service quality, or cascading failures in critical systems, disrupting your business operations.

* **Regulatory and licensing issues**. Many regulations and industry standards require organizations to proactively address known vulnerabilities in their software supply chain. Failing to remediate vulnerable dependencies can result in non-compliance, audits, legal penalties, or breaches of open source license obligations.

* **Increased remediation costs**. The longer vulnerable dependencies remain unaddressed, the more difficult and expensive they become to fix, especially if they are deeply integrated or if incidents occur. Early detection and remediation reduce the risk of costly incident response, emergency patching, and reputational harm.

Regularly assessing your exposure to dependency vulnerabilities is good practice to help identify risks early, implement effective remediation strategies, and maintain resilient, trustworthy software.

{% data variables.product.prodname_dependabot %} automatically monitors your project’s dependencies for vulnerabilities and outdated packages. When it detects a security issue or a new version, it creates pull requests to update the affected dependencies, helping you quickly address security risks and keep your software up to date. This reduces manual effort and helps ensure your project remains secure. See [AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide).

{% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).

## Key tasks for AppSec managers

### 1. Monitor vulnerability metrics

Use the metrics overview for {% data variables.product.prodname_dependabot %} to gain visibility into the current state of your organization's dependency vulnerabilities. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).

* **Alert prioritization:** Review the number of open {% data variables.product.prodname_dependabot_alerts %} and use filters such as CVSS severity, EPSS exploit likelihood, patch availability, and whether a vulnerable dependency is actually used in deployed artifacts. {% data reusables.security-overview.dependabot-filters-link %}
* **Repository-level breakdown:** Identify which repositories have the highest number of critical or exploitable vulnerabilities.
* **Remediation tracking:** Track the number and percentage of alerts fixed over time to measure the effectiveness of your vulnerability management program.

### 2. Prioritize remediation efforts

Focus on vulnerabilities that present the highest risk to your organization.

* Prioritize alerts with high or critical severity, high EPSS scores, and available patches.
* Use the repository breakdown to direct remediation efforts to the most at-risk projects.
* Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties.

### 3. Communicate risk and progress

* Use the {% data variables.product.prodname_dependabot %} metrics page to communicate key risk factors and remediation progress to stakeholders.
* Provide regular updates on trends, such as the reduction in open critical vulnerabilities or improvements in remediation rates.
* Highlight repositories or teams that require additional support or attention.

### 4. Establish and enforce policies

* Set organization-wide policies to require dependency review and {% data variables.product.prodname_dependabot_alerts %} on all repositories. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) and [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
* Ensure that new repositories are automatically enrolled in dependency monitoring.
* Work with repository administrators to enable automated security updates where possible. See [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).

### 5. Assess the impact of {% data variables.product.prodname_dependabot_alerts %}

* Regularly review how {% data variables.product.prodname_dependabot_alerts %} are helping to block security vulnerabilities from entering your codebase.
* Use historical data to demonstrate the value of proactive dependency management.
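Review bot: the `topics` list carries `Secret Protection`, which does not fit an article about Dependabot dependency metrics; the other two articles added in this PR list `Dependabot` in the same position, so this looks copied from the leaked-secrets article. Under "2. Prioritize remediation efforts", the bullet `Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties` does not say which custom property is meant or how it ties a dependency to a deployed artifact; either name the property and the filter it feeds (the "Alert prioritization" bullet in step 1 uses the same phrase for a filter) or drop the trailing clause.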
@@ -0,0 +1,15 @@
---
title: 'Understanding your organization''s exposure to vulnerabilities'
shortTitle: Exposure to vulnerabilities
intro: 'Understanding your organization’s exposure to vulnerable dependencies is crucial for identifying and prioritizing security risks. This awareness allows you to prioritize remediation efforts, reduce the likelihood of security breaches, protect sensitive data, and maintain the overall integrity and reputation of the organization.'
versions:
feature: dependabot-metrics
topics:
- Code Security
- Dependabot
- Organizations
- Security
children:
- /about-your-exposure-to-vulnerable-dependencies
- /prioritizing-dependabot-alerts-using-metrics
---
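Review bot: the `intro` opens with the same sentence as the child article's intro (`Understanding your organization's exposure to vulnerable dependencies is ... for identifying and prioritizing security risks`), differing only in "crucial" versus "essential"; an index intro that repeats its child gives readers nothing to distinguish the two, so a shorter summary is better here. Also the title says "exposure to vulnerabilities" while the intro narrows it to "vulnerable dependencies"; align one with the other.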
@@ -0,0 +1,73 @@
---
title: Prioritizing Dependabot alerts using metrics
shortTitle: Prioritize Dependabot alerts using metrics
intro: 'You can prioritize {% data variables.product.prodname_dependabot_alerts %} in your organization by analyzing the provided metrics. Using this approach, you can tell your developers to focus on the most important vulnerabilities first.'
allowTitleToDifferFromFilename: true
permissions: '{% data reusables.permissions.security-org-enable %}'
versions:
feature: dependabot-metrics
topics:
- Code Security
- Dependabot
- Organizations
- Security
---

## Prioritizing {% data variables.product.prodname_dependabot_alerts %} using metrics

Application Security (AppSec) managers often face a flood of {% data variables.product.prodname_dependabot_alerts %}, making it challenging to determine which vulnerabilities to address first. {% data variables.product.prodname_dependabot %} metrics provide valuable insights that help prioritize alerts efficiently, ensuring that critical security issues are resolved promptly. Users can make informed decisions, focusing resources on the most impactful vulnerabilities. This approach strengthens the organization’s security posture and streamlines vulnerability management.

## Understanding {% data variables.product.prodname_dependabot %} metrics

{% data variables.product.prodname_dependabot %} metrics offer detailed information about vulnerabilities detected in your dependencies. Key metrics include:

* **Severity**: Indicates the potential impact of a vulnerability (e.g., low, medium, high, critical).
* **Exploitability**: Assesses how easily a vulnerability can be exploited.
* **Dependency relationship**: Differentiates between direct and transitive dependencies.
* **Dependency scope**: Differentiates between runtime and development dependencies. Determines if the vulnerable code is actually used in your application.
* **Alerts closed in the last 30 days, including the number of alerts fixed by {% data variables.product.prodname_dependabot %}, manually dismissed, and auto dismissed**: Tracks alert resolution progress. Illustrates how {% data variables.product.prodname_GH_code_security %} can help you detect vulnerabilities early.
* **Table showing the total number of open alerts for each repository, as well as severity and expoitability data**: Allows you to dig deeper at the repository level.

Additionally, you can specify complex filters, which are combinations of the individual filters that are available. For more information about filters, see [{% data variables.product.prodname_dependabot %} dashboard view filters](/code-security/security-overview/filtering-alerts-in-security-overview#dependabot-dashboard-view-filters).

## Steps to prioritize alerts

These first steps help you identify the {% data variables.product.prodname_dependabot_alerts %} that put your organization the most at risk, so that you can tell your developers which alerts to focus on for remediation.

### 1. Tailor the funnel order to suit your organization's needs

You can customize the default funnel order on the "Alert prioritization" graph to ensure it reflects the unique risk profile, business priorities, and compliance requirements of your organization. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts#configuring-funnel-categories).

### 2. Focus on critical and high severity alerts

Start by identifying alerts with the highest severity by using the the `severity-critical` or `severity-high` filters. These vulnerabilities pose the greatest risk and are often prioritized by compliance standards. You can then

### 3. Assess exploitability and reachability

Prioritize vulnerabilities that are the most likely to be exploited in your codebase. To identify alerts that are most likely to be exploited, you can use the `epss_percentage` filter associated to a value (for example `epss_percentage>=0.10`).

### 4. Review dependency scope and relationship

Direct dependencies are typically easier to update and may have a greater impact on your application’s security. We recommend addressing these before transitive dependencies when possible.
Filtering alerts using the `relationship:direct` filter allows us to see vulnerabilities on direct dependencies for supported ecosystems like npm.

Runtime dependencies are used by an application in production. Updating this sort of dependency can address security vulnerabilities, bug fixes, and performance improvements that affect your end users or systems directly. On the other hand, development dependencies are only used during development, testing, or build processes. While important, issues in these dependencies usually don’t impact your running application or its users.

You can use the `scope:runtime` or `scope:development` filters to only display alerts for runtime or development dependencies, respectively.

### 5. Consider the age of alerts

Older alerts may indicate long-standing risks. Regularly review and address aged alerts to prevent security debt from accumulating. For example, once you establish that a specific repository has more alerts that need prioritizing than other repositories, you can:
1. Click the repository name on the per-repository table to display the alerts for that repository only.
1. Use the "Older" filter in the **Sort** dropdown list, as well as other sorting criteria, to fine-tune the visualization to alerts meeting your criteria by age.

### 6. Leverage automation

Use {% data variables.product.prodname_dependabot %}’s automated pull requests to quickly remediate vulnerabilities. Integrate these updates into your CI/CD pipeline for faster resolution and improved efficiency.

## Best practices

* **Establish Service Level Agreements (SLAs)** for resolving vulnerabilities based on severity.
* **Monitor metrics regularly** to identify trends and recurring issues.
* **Collaborate with developers** to ensure timely updates and minimize disruption.
* **Document decisions** to provide transparency and support future prioritization.
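Review bot: step 2 ("Focus on critical and high severity alerts") ends mid-sentence: `You can then` has no continuation, so either finish the paragraph or remove the fragment. The same step has a doubled word (`using the the`). In the metrics list, `expoitability` should be `exploitability`. The "Dependency scope" bullet claims scope `Determines if the vulnerable code is actually used in your application`; runtime versus development scope only records where a dependency is declared, not whether the vulnerable function is ever reached, and step 4 is already more careful (`usually don't impact your running application`), so soften this sentence to match. Step 3 reads `filter associated to a value`; `filter with a value` is clearer. Step 4 switches to first person (`allows us to see`) where the rest of the article addresses the reader as "you".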
Expand Up @@ -162,7 +162,7 @@ You can also filter the "Overview" view by properties of alerts.

{% endif %}

## {% data variables.product.prodname_dependabot %} alert view filters
### {% data variables.product.prodname_dependabot %} alert view filters

You can filter the view to show {% data variables.product.prodname_dependabot_alerts %} that are ready to fix or where additional information about exposure is available. You can click any result to see full details of the alert.

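Review bot: demoting this heading from `##` to `###` makes it a subsection of whichever `##` precedes it, but that parent is not visible in the hunk; the only context line refers to the "Overview" view, which is a different view from the Dependabot alert view, so confirm the preceding `##` is the intended parent. Also check that every other per-view filter heading in this file is demoted the same way (the code scanning one is in the next hunk), otherwise the table of contents ends up with one stray subsection.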
Expand All @@ -176,7 +176,19 @@ You can filter the view to show {% data variables.product.prodname_dependabot_al
|`scope`|Display {% data variables.product.prodname_dependabot_alerts %} from the development dependency (`development`) or from the runtime dependency (`runtime`).|
|`sort`| Groups {% data variables.product.prodname_dependabot_alerts %} by the manifest file path the alerts point to (`manifest-path`) or by the name of the package where the alert was detected (`package-name`). Alternatively, displays alerts from most important to least important, as determined by CVSS score, vulnerability impact, relevancy, and actionability (`most-important`), from newest to oldest (`newest`), from oldest to newest (`oldest`), or from most to least severe (`severity`).

## {% data variables.product.prodname_code_scanning_caps %} alert view filters
{% ifversion dependabot-metrics %}

### {% data variables.product.prodname_dependabot %} dashboard filters

You can filter the "{% data variables.product.prodname_dependabot %} dashboard" view using these filters.

{% data reusables.security-overview.filter-dependabot-metrics %}

Alternatively, you can use complex filters by clicking **{% octicon "filter" aria-hidden="true" aria-label="filter" %} Filter** and build custom filters to suit your needs.

{% endif %}

### {% data variables.product.prodname_code_scanning_caps %} alert view filters

All {% data variables.product.prodname_code_scanning %} alerts have one of the categories shown below. You can click any result to see full details of the relevant query and the line of code that triggered the alert.

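Review bot: the new heading `### {% data variables.product.prodname_dependabot %} dashboard filters` renders as "Dependabot dashboard filters", which yields the anchor `#dependabot-dashboard-filters`, but the prioritizing article added in this PR links to `/code-security/security-overview/filtering-alerts-in-security-overview#dependabot-dashboard-view-filters` with the link text "Dependabot dashboard view filters"; one side must change or the fragment link lands at the top of the page. The sentence `Alternatively, you can use complex filters by clicking ... Filter and build custom filters` mixes verb forms; use `clicking ... and building`.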
1 change: 1 addition & 0 deletions content/code-security/security-overview/index.md
Expand Up @@ -20,6 +20,7 @@ children:
- /filtering-alerts-in-security-overview
- /enabling-security-features-for-multiple-repositories
- /exporting-data-from-security-overview
- /viewing-metrics-for-dependabot-alerts
- /viewing-metrics-for-secret-scanning-push-protection
- /viewing-metrics-for-pull-request-alerts
- /reviewing-requests-to-bypass-push-protection
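Review bot: the new child `/viewing-metrics-for-dependabot-alerts` is linked three times from the articles added in this PR (twice from the about article, once from the prioritizing article with the `#configuring-funnel-categories` fragment), but the article itself is not among the visible changes; confirm it already exists at that path with a "Configuring funnel categories" heading, otherwise the `children` entry and those AUTOTITLE links fail the build.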