Prioritizing Dependabot alerts using production context

You can focus remediation on real risk by prioritizing Dependabot alerts for artifacts actually present in production, using metadata from external registries like JFrog Artifactory or your own CI/CD workflows.

¿Quién puede utilizar esta característica?

Dependabot alerts está disponible para los repositorios siguientes:

  • Repositorios propiedad de la organización y propiedad del usuario

En este artículo

Nota:

Production context is in versión preliminar pública and subject to change.

Prioritizing Dependabot alerts using production context

Application Security (AppSec) managers are often overwhelmed by a high volume of Dependabot alerts, many of which may not represent real risk because the affected code never makes it to production. By associating production context with your alerts, you can filter and prioritize vulnerabilities that impact artifacts actually approved for production environments. This enables your team to focus remediation efforts on the vulnerabilities that matter most, reducing noise and improving your security posture.

Associating production context with Dependabot alerts

GitHub enables production context for your Dependabot alerts by providing a Storage Record API. This API allows package registries or GitOps workflows to send artifact lifecycle data to GitHub. The API should be called whenever an artifact is promoted to a production-approved package repository.

GitHub processes this metadata and uses it to power new alert filters, such as artifact-registry-url and artifact-registry. For more information, see Create artifact metadata storage record in the REST API documentation.

Steps to prioritize alerts

Follow these steps to enable and use production context for alert prioritization:

Step 1: Detect and report production artifact promotions

In your CI/CD or GitOps workflow, whenever an artifact is promoted to a production-approved package repository, call the Storage Record API to to send the artifact's metadata to GitHub. This includes information such as the artifact's registry, repository, and version. See Artifact metadata.

If you use JFrog Artifactory, you do not need to perform any custom integration. Artifactory natively integrates with the Storage Record API. You only need to enable the integration in your Artifactory settings, and Artifactory will automatically emit production promotion events to GitHub.

The artifact-registry:jfrog-artifactory filter will work out of the box with no further setup in GitHub. For setup instructions, see JFrog and GitHub Integration: JFrog for [GitHub Dependabot] in the JFrog documentation.

Step 2: Use production context filters

Puedes ver todas las Dependabot alerts abiertas y cerradas y las Dependabot security updates correspondientes en la pestaña Dependabot alerts del repositorio.. For information about accessing this tab, see Viewing Dependabot alerts.

Once the alert list is displayed, use the artifact-registry-url or artifact-registry filters to focus on vulnerabilities affecting artifacts present in production. For example:

artifact-registry-url:my-registry.example.com
artifact-registry:jfrog-artifactory

You can also combine these with other filters, such as EPSS.

epss > 0.5 AND artifact-registry-url:my-registry.example.com

Further reading