ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

No Score for Dependabot alerts feature #3835

Open paulfairless opened 8 months ago

paulfairless commented 8 months ago

Is your feature request related to a problem? Please describe. We have repos with Dependabot alerts active (but not Dependabot security updates). These fail the Dependency update check with a score of 0. We often don't use the automated PRs due to issues with dependency chains and PR overload. We use GHAS to triage and manage manually.

Describe the solution you'd like I'd like to check if Dependabot alerts are configured for a repo and score it appropriately; the setting can be checked via the API https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#check-if-vulnerability-alerts-are-enabled-for-a-repository

Unsure if it should score the same as the Dependabot security updates setting, but 0 feels too harsh for what we'd like.

Additional context FYI vulnerability alerts also enable the dependency graph feature, which enables GitHub to generate SBOM files; I know there is a ticket for SBOM.

spencerschrock commented 8 months ago

> the setting can be checked via the API https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#check-if-vulnerability-alerts-are-enabled-for-a-repository

Unfortunately this requires an admin token:

> The authenticated user must have admin read access to the repository.

We also award credit if dependabot configuration files are detected.

pnacht commented 8 months ago

And on the particular issue of "PR overload", are you aware that Dependabot can now do grouped PRs? That is, instead of 1 PR per dependency, you can configure it to send a single monthly PR that updates all dependencies at once (or split into logical groups, etc).

paulfairless commented 8 months ago

Understood. In my use case I'm working with private repositories in a GH Enterprise. Are admin tokens considered off-limits in this scenario? I can understand this is more sensitive in a public repo.

spencerschrock commented 8 months ago

> Are admin tokens considered off-limits in this scenario? I can understand this is more sensitive in a public repo.

It's just in a weird spot right now, as Scorecard is used by two main groups, and the admin stuff can only be queried by the first:

  1. On one's own projects
  2. On other projects

Scorecard has the Webhooks check which hasn't been taken out of experimental yet, which requires an admin token. And some settings for Branch-Protection require an admin token. And presumably there are other of these self-run checks that have been requested which would require an admin token.

Some of the maintainers have had a few comments on this problem recently, although nothing of a full-fledged plan yet.

spencerschrock commented 8 months ago

> I'd like to check if Dependabot alerts are configured for a repo and score it appropriately; the setting can be checked via the API https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#check-if-vulnerability-alerts-are-enabled-for-a-repository

We tend to do things via GraphQL, so I did just check and we may also be able to use hasVulnerabilityAlertsEnabled of the repo object.

Which interestingly, seems to be working for me without an admin token...
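As an added example (not Scorecard's own client code), here is a small Go check for the GraphQL field mentioned above; the endpoint URL, token and HTTP client are caller-supplied assumptions, and a null repository in the response (not found, or not visible to the token) is surfaced as an error rather than scored as "alerts disabled".

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Query for the repository field mentioned in the thread. Endpoint URL and token
// are caller-supplied assumptions; this is not Scorecard's own client code.
const vulnAlertsQuery = `query($owner:String!,$name:String!){` +
	`repository(owner:$owner,name:$name){hasVulnerabilityAlertsEnabled}}`

type vulnAlertsResponse struct {
	Data struct {
		Repository *struct {
			HasVulnerabilityAlertsEnabled bool `json:"hasVulnerabilityAlertsEnabled"`
		} `json:"repository"`
	} `json:"data"`
}

// ParseVulnAlerts decodes a GraphQL response body. A null repository (not found,
// or not visible to the token) is an error, never a silent "alerts disabled".
func ParseVulnAlerts(r io.Reader) (bool, error) {
	var resp vulnAlertsResponse
	if err := json.NewDecoder(r).Decode(&resp); err != nil {
		return false, fmt.Errorf("decode: %w", err)
	}
	if resp.Data.Repository == nil {
		return false, fmt.Errorf("repository missing or not visible to this token")
	}
	return resp.Data.Repository.HasVulnerabilityAlertsEnabled, nil
}

// CheckVulnAlerts posts the query (endpoint is https://api.github.com/graphql on
// github.com) with a bearer token and reports whether Dependabot alerts are on.
func CheckVulnAlerts(client *http.Client, endpoint, token, owner, name string) (bool, error) {
	payload, _ := json.Marshal(map[string]any{"query": vulnAlertsQuery,
		"variables": map[string]string{"owner": owner, "name": name}})
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(payload))
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	res, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer res.Body.Close()
	return ParseVulnAlerts(res.Body)
}
```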

github-actions[bot] commented 6 months ago

This issue has been marked stale because it has been open for 60 days with no activity.