Note: Dependabot auto-triage rules are currently in beta and are subject to change.
About Dependabot auto-triage rules
Dependabot auto-triage rules allow you to instruct Dependabot to automatically triage Dependabot alerts. You can use auto-triage rules to automatically dismiss or snooze certain alerts, or specify the alerts you want Dependabot to open pull requests for.
There are two types of Dependabot auto-triage rules:
- GitHub-curated default rules
- Custom auto-triage rules
The GitHub-curated default rule, Dismiss low impact issues for development-scoped dependencies
, auto-dismisses certain types of vulnerabilities that are found in npm dependencies used in development. The rule has been curated to reduce false positives and reduce alert fatigue. The rule is enabled by default for public repositories and can be opted into for private repositories. However, you cannot modify GitHub-curated default rules. For more information, see "Using GitHub-curated default rules to prioritize Dependabot alerts."
With custom auto-triage rules, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which alerts you want Dependabot to open pull requests for. For more information, see "Customizing auto-triage rules to prioritize Dependabot alerts."
Whilst you may find it useful to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see "Managing alerts that have been automatically dismissed by a Dependabot auto-triage rule."
Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example:
- If you change the scope of a dependency from development to production.
- If GitHub modifies certain metadata for the related advisory.
Auto-dismissed alerts are defined by the resolution:auto-dismiss
close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see "Dependabot alerts" in the REST API documentation, and the "repository_vulnerability_alert
" section in "审查组织的审核日志."