Dependabot auto-triage rules

Control how Dependabot handles security alerts, including filtering, ignoring, snoozing, or triggering security updates.

Who can use this feature?

GitHub presets are available for all repository types.

Custom auto-triage rules are available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Enterprise Cloud or GitHub Code Security with GitHub Team enabled

About Dependabot auto-triage rules

Dependabot auto-triage rules allow you to instruct Dependabot to automatically triage Dependabot alerts and Dependabot malware alerts. You can use auto-triage rules to:

  • Automatically dismiss or snooze certain alerts
  • Specify the Dependabot alerts you want Dependabot to open pull requests for

Rules are applied before alert notifications are sent, so enabling rules that auto-dismiss low-risk alerts will help reduce notification noise.

There are two types of Dependabot auto-triage rules:

  • GitHub presets
  • Custom auto-triage rules

About GitHub presets

GitHub presets are rules curated by GitHub that are available for all repositories.

Dismiss low impact issues for development-scoped dependencies

The Dismiss low impact issues for development-scoped dependencies rule is a GitHub preset that automatically dismisses certain types of weaknesses found in npm dependencies used in development. These alerts cover cases that feel like false alarms to most developers, as the associated vulnerabilities:

  • Are unlikely to be exploitable in a developer (non-production or runtime) environment.
  • May relate to resource management, programming and logic, and information disclosure issues.
  • At worst, have limited effects like slow builds or long-running tests.
  • Are not indicative of issues in production.

The rule is enabled by default for public repositories and can be opted into for private repositories. For instructions, see Enabling the Dismiss low impact issues for development-scoped dependencies rule for your private repository.

For more information about the criteria used by the rule, see CWEs used by GitHub's preset Dependabot rules.

Dismiss package malware alerts

The Dismiss package malware alerts rule is a GitHub preset that auto-dismisses alerts that flag all versions of a package as malicious. If your project depends on an internal package with the same ecosystem and name as a malicious public package, Dependabot can generate a false positive alert, which the rule then auto-dismisses.

Important

Be aware that if a contributor adds a dependency that is truly malicious across all versions, this rule will auto-dismiss the related alert.

The Dismiss package malware alerts rule is disabled by default, but can be enabled for any repository using Dependabot malware alerts.

About custom auto-triage rules

Note

Custom auto-triage rules for Dependabot alerts are available for public repositories and for all organization-owned repositories on GitHub Enterprise or GitHub Code Security with GitHub Team enabled.

With custom auto-triage rules, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which Dependabot alerts you want Dependabot to open pull requests for. For more information, see Customizing auto-triage rules to prioritize Dependabot alerts.

You can create custom rules from the Settings tab of the repository, provided the repository belongs to an organization that has a license for GitHub Code Security or GitHub Advanced Security. For more information, see Adding custom auto-triage rules to your repository.

About auto-dismissing alerts

Whilst you may find it useful to use auto-triage rules to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see Managing alerts automatically dismissed by Dependabot auto-triage rules.

Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example:

  • If you change the scope of a dependency from development to production.
  • If GitHub modifies certain metadata for the related advisory.

Auto-dismissed alerts are defined by the resolution:auto-dismiss close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see REST API endpoints for Dependabot alerts, and the "repository_vulnerability_alert" section in Reviewing the audit log for your organization.
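Because auto-dismissed alerts stay available through the REST API, a periodic review can catch rules that dismiss more than intended. The script below is an added example, not code from GitHub's documentation: it takes alert objects as returned by the Dependabot alerts REST API and flags auto-dismissed alerts that fall outside the profile of the development-scoped npm preset. The field names (state, dependency.scope, dependency.package.ecosystem, security_advisory.severity) are assumed to match the REST API schema; the sample alerts are constructed.

```python
"""Flag auto-dismissed Dependabot alerts that deserve a manual second look.

Assumption (not from the docs page): alert objects use the Dependabot alerts
REST API field names, where an auto-dismissed alert has state "auto_dismissed".
"""
from typing import Dict, List

# Severities a reviewer should re-check even when a rule dismissed the alert.
HIGH_SEVERITIES = {"high", "critical"}

# Constructed sample alerts, trimmed to the fields this review uses.
SAMPLE_ALERTS: List[Dict] = [
    {   # Fits the preset profile: development-scoped npm, low severity.
        "number": 1, "state": "auto_dismissed",
        "dependency": {"package": {"ecosystem": "npm", "name": "dev-tool-example"},
                       "scope": "development"},
        "security_advisory": {"severity": "low", "cwes": [{"cwe_id": "CWE-400"}]},
    },
    {   # Runtime pip dependency dismissed by some custom rule: needs a human look.
        "number": 2, "state": "auto_dismissed",
        "dependency": {"package": {"ecosystem": "pip", "name": "lib-example"},
                       "scope": "runtime"},
        "security_advisory": {"severity": "high", "cwes": [{"cwe_id": "CWE-79"}]},
    },
    {   # Still open, so the review ignores it.
        "number": 3, "state": "open",
        "dependency": {"package": {"ecosystem": "npm", "name": "pkg-example"},
                       "scope": "runtime"},
        "security_advisory": {"severity": "medium", "cwes": []},
    },
]


def auto_dismissed(alerts: List[Dict]) -> List[Dict]:
    """Keep only alerts that a rule, not a person, dismissed."""
    return [a for a in alerts if a.get("state") == "auto_dismissed"]


def review_reasons(alert: Dict) -> List[str]:
    """List why an auto-dismissed alert falls outside the dev-scoped npm preset profile."""
    reasons = []
    dep = alert.get("dependency", {})
    severity = alert.get("security_advisory", {}).get("severity")
    if dep.get("scope") != "development":          # preset only targets dev-scoped deps
        reasons.append("not development-scoped")
    if dep.get("package", {}).get("ecosystem") != "npm":
        reasons.append("non-npm ecosystem")
    if severity in HIGH_SEVERITIES:
        reasons.append(f"{severity} severity")
    return reasons


def flag_for_review(alerts: List[Dict]) -> Dict[int, List[str]]:
    """Map alert number to review reasons for auto-dismissed alerts worth re-checking."""
    return {a["number"]: r for a in auto_dismissed(alerts) if (r := review_reasons(a))}
```

Run it against the JSON from GET /repos/{owner}/{repo}/dependabot/alerts?state=auto_dismissed and feed any flagged numbers into the reopen workflow described above.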

Next steps

To get started with Dependabot auto-triage rules, see Using GitHub preset rules to prioritize Dependabot alerts.

To customize your auto-triage experience, see Customizing auto-triage rules to prioritize Dependabot alerts.