sandeshRazorpay opened this issue 3 years ago (status: Open)
Are there any API-based queries that might be able to generate a simple count of suggested and executed dependabot PRs?
Not sure if this is still relevant, but this will help for someone who is still looking for API. I found this answer on stackoverflow. https://stackoverflow.com/questions/66356337/how-to-get-the-list-of-dependabot-alerts-via-github-api
Thanks to @bertrandmartel :D
Dependabot is awesome!!!
It is crucial to have a dashboard that provides an org-level overview with answers to the following questions:
Thanks
I've been looking for something like this since dependabot lost its badges (#1912 and #1960) which is what we used to use for this. The REST API @sitraj mentioned is great for security issues, but not for all other pull requests.
I'm hoping that something like #4680 gets executed so I can build a dashboard off of that...
This is how I created a dashboard for Dependabot alerts: https://badshah.io/important-dependabot-feature/
Sample code: https://github.com/Chan9390/Dependabot-Dashboard
It would be great if Dependabot rolls out a native dashboard feature!
Tracking open, fixed and dismissed vulns slicing by date, topic, vulnerability (dev/runtime) would be awesome
To clarify, is this feature request about "open Dependabot PRs" or "open Dependabot security alerts"?
PRs can be generated from security alerts, but can also of course be configured for general version updates.
IMO any dashboard would help track both Dependabot PRs and security alerts.
👋 are you GitHub Enterprise users? I think what you're looking for currently exists with the Security Overview. It aggregates alerts at the org-level and enterprise-level, and we're also starting to beta roll-up metrics. That's in private beta but happy to add you if you'd like.
Thanks @erinhav.
I'm going to close as this has effectively been shipped/resolved, although it's part of one of our paid products so not available to all orgs. I expect over time we'll continue to invest in improving that... for example the beta mentioned above.
@jeffwidman @erinhav Is there another feature request for something focused on a dashboard providing org-wide visibility into Dependabot updates and configs? I'm thinking of something like the original Dependabot had, where you could see all your projects in one place, see their configs, see the results of update runs, open Dependabot PRs, schedules, trigger updates, etc. Even test out new Dependabot configs to check validity and propose a PR with the change (I'd highly suggest checking out the Mergify config-validator for something close to best-in-class). Right now, that doesn't really exist at all. The closest is the ability to trigger an update, but it's all spread across every repo, under the `{repo}/network/updates` path.
That is a reasonable request. I'm not convinced this issue tracker is the best place to track that, but I'm also not sure where to redirect you towards so for now I'll reopen so we don't lose track...
This new API is tangentially related to this issue:
It doesn't directly address this issue, but I suspect it's still useful to some of the folks subscribed to it.
👋 Hello! Product Manager for Dependabot here. I’m currently doing research into adding/improving configuration for security updates, and am looking for user input. This issue is similar to things I’m thinking about, so if you’re subscribed to this and you’re open to a short conversation with me, please feel free to select a time in my calendar that fits your schedule here: https://calendar.app.google/7RSxjJJo9FdvRHNz7
Hello, Product Manager for Dependabot!
I'd like the same dashboard as what RenovateBot has! :)
Currently Dependabot has quite a bit of "hidden state" in my opinion, which is undesirable.
Oh, there is a repo-wide dashboard here: https://github.com/[org]/[repo]/network/updates
Never mind then! A link or two to it would make it more discoverable though...
Hi,
I know Dependabot currently provides an option to see open Security Advisories for a particular GitHub repository. I also know it's possible to group them per ecosystem (for example Ruby Bundler, JavaScript, etc.).
For us, however, it would be super beneficial to group open Security Advisories per team within GitHub.
For context: we are currently looking into improving our Operational Excellence and want to have a generic dashboard within DataDog that includes open security vulnerabilities. We want to have those operational excellence dashboards per team, with their own business metrics but also with some generic bits all teams should have, open Security Advisories being one of them.
Having a link for example like this, that we could put into our DataDog dashboard:
https://github.com/[organisation]/[team]/security/dependabot
with a list of open Dependabot issues grouped per team in GitHub, would be greatly beneficial!
Is there an easy way for the security team in an organization to look at all Dependabot results in one place?
From a vulnerability management perspective, it would be helpful to have a list of all open critical issues across the org, as opposed to going through each repo.
In the absence of such a feature, does anyone have a workaround? Has anyone found a way to import all Dependabot findings into a vuln mgmt platform such as Defect Dojo?
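As an added example that is not part of this thread or of Dependabot itself: the REST API linked earlier in the thread (the Stack Overflow answer on listing Dependabot alerts) and the org-wide "all open critical issues" list asked for above can both be covered with a short script against the org-level alerts endpoint. The script below pages through `GET /orgs/{org}/dependabot/alerts`, then slices the results by state, and the open ones by severity, dependency scope (dev/runtime) and repository, which is the kind of tally the dashboard requests in this thread describe. The organisation, repository, package names and GHSA ids in the embedded sample are constructed placeholders so the tally runs offline; the network call needs a token with Dependabot-alerts read access on the org.

```python
"""Tally an organisation's Dependabot alerts from the GitHub REST API.

Endpoint: GET /orgs/{org}/dependabot/alerts (paginated, up to 100 per page,
next page given by the Link header). The SAMPLE_ALERTS below are
constructed for this example; repo, package and GHSA values are placeholders.
"""
import json
import os
import re
import sys
import urllib.request
from collections import Counter

API = "https://api.github.com"


def _next_link(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None."""
    if not link_header:
        return None
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return m.group(1) if m else None


def fetch_org_alerts(org, token, state=None):
    """Page through every Dependabot alert visible at org level.

    The token needs Dependabot alerts read permission on the organisation.
    """
    url = f"{API}/orgs/{org}/dependabot/alerts?per_page=100"
    if state:  # open | dismissed | fixed | auto_dismissed
        url += f"&state={state}"
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            alerts.extend(json.load(resp))
            url = _next_link(resp.headers.get("Link"))
    return alerts


def tally_alerts(alerts):
    """Slice alerts the way a dashboard would: all by state, open by severity/scope/repo."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    return {
        "by_state": dict(Counter(a["state"] for a in alerts)),
        "open_by_severity": dict(Counter(a["security_advisory"]["severity"] for a in open_alerts)),
        "open_by_scope": dict(Counter(a["dependency"].get("scope") or "unknown" for a in open_alerts)),
        "open_by_repo": dict(Counter(a["repository"]["full_name"] for a in open_alerts)),
    }


def open_critical(alerts):
    """Org-wide list of open critical alerts: (repo, ecosystem, package, advisory)."""
    return [
        (a["repository"]["full_name"],
         a["dependency"]["package"]["ecosystem"],
         a["dependency"]["package"]["name"],
         a["security_advisory"]["ghsa_id"])
        for a in alerts
        if a["state"] == "open" and a["security_advisory"]["severity"] == "critical"
    ]


def _alert(number, state, repo, ecosystem, name, scope, severity, ghsa):
    """Build a constructed alert object with the fields this script reads."""
    return {"number": number, "state": state,
            "repository": {"full_name": repo},
            "dependency": {"package": {"ecosystem": ecosystem, "name": name}, "scope": scope},
            "security_advisory": {"ghsa_id": ghsa, "severity": severity}}


# Constructed sample data (placeholders, not real advisories or repositories).
SAMPLE_ALERTS = [
    _alert(1, "open", "example-org/web-app", "npm", "example-lib", "runtime", "critical", "GHSA-PLACEHOLDER-0001"),
    _alert(2, "open", "example-org/web-app", "npm", "example-dev-tool", "development", "high", "GHSA-PLACEHOLDER-0002"),
    _alert(3, "fixed", "example-org/api-service", "pip", "example-pkg", "runtime", "high", "GHSA-PLACEHOLDER-0003"),
    _alert(4, "dismissed", "example-org/api-service", "bundler", "example-gem", "runtime", "low", "GHSA-PLACEHOLDER-0004"),
    _alert(5, "open", "example-org/api-service", "pip", "example-parser", "runtime", "critical", "GHSA-PLACEHOLDER-0005"),
]

if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=... python dependabot_tally.py <org>   (no org: use the sample)
    if len(sys.argv) > 1:
        alerts = fetch_org_alerts(sys.argv[1], os.environ["GITHUB_TOKEN"])
    else:
        alerts = SAMPLE_ALERTS
    print(json.dumps(tally_alerts(alerts), indent=2))
    for row in open_critical(alerts):
        print("CRITICAL", *row)
```

The per-repository endpoint has the same alert shape, so the same tally works for a single repo by swapping the URL; a team-level view like the one asked for above is not something the API offers directly, but the `open_by_repo` dict can be re-keyed with a repo-to-team mapping before it is pushed to a metrics backend.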