The Wayback Machine - https://web.archive.org/web/20231026205300/https://docs.github.com/en/code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules

About Dependabot alert rules

In this article

Auto-triage rules are a powerful tool to help you better manage your security alerts at scale. Dependabot's default rulesets are curated for you and filter out a substantial amount of false positives. Custom auto-triage rules provide control over which alerts are ignored, snoozed, or trigger a Dependabot security update to resolve the alert.

Who can use this feature

People with write permissions can view Dependabot alert rules for the repository. People with admin permissions to a repository can enable or disable Dependabot alert rules for the repository, as well as create custom alert rules. Additionally, organization owners and security managers can set alert rules at the organization-level and optionally choose to enforce rules for repositories in the organization.

Note: Dependabot alert rules are currently in beta and are subject to change.

About Dependabot alert rules

Dependabot alert rules allow you to instruct Dependabot to automatically triage Dependabot alerts. You can use alert rules to auto-dismiss or snooze certain alerts, or specify the alerts you want Dependabot to open pull requests for.

There are two types of Dependabot alert rules:

  • A GitHub-curated rule, called Dismiss low impact alerts
  • User-created custom rules

The GitHub-curated rule, Dismiss low impact alerts, auto-dismisses certain types of vulnerabilities that are found in npm dependencies used in development. The rule has been curated to reduce false positives and reduce alert fatigue. The rule is enabled by default for public repositories and can be opted into for private repositories. However, you cannot modify GitHub-curated rules. For more information, see "Using GitHub-curated alert rules to prioritize Dependabot alerts."

With user-created custom rules, you can create your own rules to automatically dismiss or reopen alerts based on your own criteria, such as severity, package name, CWE, and more. For more information, see "Customizing alert rules to prioritize Dependabot alerts."

Whilst you may find it useful to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see "Managing alerts that have been automatically dismissed by an alert rule."

Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example:

  • If you change the scope of a dependency from development to production.
  • If GitHub modifies certain metadata for the related advisory.

Auto-dismissed alerts are defined by the resolution:auto-dismiss close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see "Dependabot alerts" in the REST API documentation, and the "repository_vulnerability_alert" section in "Reviewing the audit log for your organization."

Further reading