Safe auto-dismissals for Dependabot alerts (low impact npm devDependencies) [Public Beta] (#36600)

Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Co-authored-by: Erin Havens <erinhav@github.com>
Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>
Co-authored-by: Steve Richert <laserlemon@github.com>

content/code-security/dependabot/dependabot-alerts/index.md

@@ -18,6 +18,7 @@ children:
   - /about-dependabot-alerts
   - /configuring-dependabot-alerts
   - /viewing-and-updating-dependabot-alerts
+  - /using-alert-rules-to-prioritize-dependabot-alerts
   - /configuring-notifications-for-dependabot-alerts
 ---
 

content/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts.md

@@ -0,0 +1,118 @@
+---
+title: Using alert rules to prioritize Dependabot alerts
+intro: 'You can use {% data variables.product.prodname_dependabot %} alert rules to filter out false positive alerts or alerts you''re not interested in.'
+permissions: 'People with write permissions to a private repository can enable or disable {% data variables.product.prodname_dependabot %} alert rules for the repository.'
+versions:
+  feature: dependabot-alert-rules-auto-dismissal-npm-dev-dependencies
+type: how_to
+topics:
+  - Dependabot
+  - Alerts
+  - Vulnerabilities
+  - Repositories
+  - Dependencies
+shortTitle: Alert rules
+---
+
+## About {% data variables.product.prodname_dependabot %} alert rules
+<!-- will need to review this procedural section for GHES -->
+
+{% data reusables.dependabot.github-curated-alert-rules-beta %}
+
+{% data variables.product.prodname_dependabot %} alert rules allow you to instruct {% data variables.product.prodname_dependabot %} to automatically dismiss or reopen certain alerts, based on complex logic from a variety of contextual criteria.
+
+When enabled, the built-in `Dismiss low impact alerts` rule auto-dismisses certain types of vulnerabilities that are found in npm dependencies used in development. These alerts cover cases that feel like false alarms to most developers as the associated vulnerabilities:
+- Are unlikely to be exploitable in a developer (non-production or runtime) environment.
+- May relate to resource management, programming and logic, and information disclosure issues.
+- At worst, have limited effects like slow builds or long-running tests.
+- Are not indicative of issues in production.
+
+This {% data variables.product.company_short %}-curated `Dismiss low impact alerts` rule includes vulnerabilities relating to resource management, programming and logic, and information disclosure issues. For more information, see "[Publicly disclosed CWEs used by the Dismiss low impact rule](#publicly-disclosed-cwes-used-by-the-dismiss-low-impact-rule)."
+
+Filtering out these low impact alerts allows you to focus on alerts that matter to you, without having to worry about missing potentially high-risk development-scoped alerts.
+
+{% note %}
+
+**Note:** Automatic dismissal of low impact development alerts is currently only supported for npm.
+
+{% endnote %}
+
+Whilst you may find it useful to auto-dismiss low impact alerts, you can still reopen auto-dismissed alerts, and filter to see which alerts have been auto-dismissed. For more information, see "[Managing automatically dismissed alerts](#managing-automatically-dismissed-alerts)."
+
+Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be re-introduced as not having been dismissed if the alert metadata changes, for example:
+- If you change the scope of a dependency from development to production.
+- If {% data variables.product.company_short %} modifies certain metadata for the related advisory.
+
+Auto-dismissed alerts are defined by the `resolution:auto-dismiss` close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see "[AUTOTITLE](/rest/dependabot/alerts)" in the REST API documentation, and the "`repository_vulnerability_alert` " section in "[Reviewing the audit log for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#repository_vulnerability_alert-category-actions)."
+
+By default, {% data variables.product.company_short %}-curated {% data variables.product.prodname_dependabot %} alert rules are enabled on public repositories and disabled for private repositories. Administrators of private repositories can opt in by enabling alert rules for their repository. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} alert rules for your private repository](#enabling-dependabot-alert-rules-for-your-private-repository)."
+
+## Enabling {% data variables.product.prodname_dependabot %} alert rules for your private repository
+
+{% ifversion fpt or ghec %}You first need to enable {% data variables.product.prodname_dependabot_alerts %} for the repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#managing-dependabot-alerts-for-your-repository)."{% elsif ghes %}{% data variables.product.prodname_dependabot_alerts %} for your repository can be enabled or disabled by your enterprise owner. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %}
+
+{% ifversion fpt or ghec %}
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+1. Under "{% data variables.product.prodname_dependabot_alerts %}", click **Dismiss low impact alerts**.
+   ![Screenshot of the "Code security and analysis" page for a repository. The "Dismiss low impact alerts" option is highlighted with an orange outline.](/assets/images/help/repository/enable-autodismissal-low-impact-dependabot-alerts.png)
+{% endif %}
+
+## Managing automatically dismissed alerts
+<!-- will need to review this procedural section for GHES -->
+
+You can filter to see which alerts have been auto-dismissed, and you can reopen dismissed alerts.
+
+{% note %}
+
+**Note:** The {% data variables.product.prodname_dependabot_alerts %} page defaults to showing open alerts. To filter and view auto-dismissed alerts, you must first clear the `is:open` default filter from the view.
+
+{% endnote %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+1. To filter to see all closed alerts, click **{% octicon "check" aria-hidden="true" %} Closed**. Alternatively, use the `is:closed` filter query in the search bar.
+
+  ![Screenshot of the "Dependabot Alerts" page. A button, labelled "Closed" is highlighted with an orange outline.](/assets/images/help/repository/dependabot-alerts-closed-tab.png)
+
+1. To see all auto-dismissed alerts, select **Closed as**, then in the dropdown menu, click **Auto-dismissed**.
+
+   ![Screenshot of the "Dependabot Alerts" page. A button, labelled "Closed as" is highlighted with an orange outline.](/assets/images/help/repository/dependabot-alerts-closed-as.png)
+
+1. To reopen an auto-dismissed alert, to the left of the alert title, click the checkbox adjacent to the alert, then click **Reopen**.
+
+   ![Screenshot of an alert title on the "Dependabot Alerts" page. To the left of the alert, a checkbox is highlighted in an orange outline.](/assets/images/help/repository/dependabot-reopen-closed-alert.png)
+
+## Publicly disclosed CWEs used by the Dismiss low impact rule
+
+Along with the `ecosystem:npm` and `scope:development` alert metadata, we use the following {% data variables.product.company_short %}-curated Common Weakness Enumerations (CWEs) to filter out low impact alerts for the `Dismiss low impact alerts` rule. We regularly improve this list and vulnerability patterns covered by built-in rules.
+
+### Resource Management Issues
+- CWE-400 Uncontrolled Resource Consumption
+- CWE-770 Allocation of Resources Without Limits or Throttling
+- CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
+- CWE-908 Use of Uninitialized Resource
+- CWE-1333 Inefficient Regular Expression Complexity
+- CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
+- CWE-674 Uncontrolled Recursion
+- CWE-1119 Excessive Use of Unconditional Branching
+
+### Programming and Logic Errors
+- CWE-185 Incorrect Regular Expression
+- CWE-754 Improper Check for Unusual or Exceptional Conditions
+- CWE-755 Improper Handling of Exceptional Conditions
+- CWE-248 Uncaught Exception
+- CWE-252 Unchecked Return Value
+- CWE-391 Unchecked Error Condition
+- CWE-696 Incorrect Behavior Order
+- CWE-1254 Incorrect Comparison Logic Granularity
+- CWE-665 Improper Initialization
+- CWE-703 Improper Check or Handling of Exceptional Conditions
+- CWE-178 Improper Handling of Case Sensitivity
+
+### Information Disclosure Issues
+- CWE-544 Missing Standardized Error Handling Mechanism
+- CWE-377 Insecure Temporary File
+- CWE-451 User Interface (UI) Misrepresentation of Critical Information
+- CWE-668 Exposure of Resource to Wrong Sphere

content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md

@@ -46,8 +46,10 @@ You can also audit actions taken in response to {% data variables.product.prodna
 
 ## Prioritizing {% data variables.product.prodname_dependabot_alerts %}
 
-{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. {% ifversion dependabot-most-important-sort-option %} By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.
+{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. {% ifversion dependabot-most-important-sort-option %} By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.{% endif %}
 
+{% ifversion dependabot-alert-rules-auto-dismissal-npm-dev-dependencies %}
+You can also use alert rules to prioritize {% data variables.product.prodname_dependabot_alerts %}. For more information, see “[AUTOTITLE](/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts).”
 {% endif %}
 
 {% data reusables.dependabot.dependabot-alerts-filters %}

content/code-security/guides.md

@@ -92,6 +92,7 @@ includeGuides:
   - /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors
   - /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
   - /code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts
+  - /code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts
   - /code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
   - /code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
   - /code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository

content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization.md

@@ -617,7 +617,9 @@ For more information, see "[AUTOTITLE](/organizations/managing-organization-sett
 ## `repository_vulnerability_alert` category actions
 
 | Action | Description
-|------------------|-------------------
+|------------------|-------------------{% ifversion dependabot-alert-rules-auto-dismissal-npm-dev-dependencies %}
+| `auto_dismiss` | Triggered when a {% data variables.product.prodname_dependabot %} alert is automatically dismissed due to its metadata matching an enabled {% data variables.product.prodname_dependabot %} alert rule. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts)."
+| `auto_reopen` | Triggered when a previously auto-dismissed {% data variables.product.prodname_dependabot %} alert is reopened because its metadata no longer matches an enabled {% data variables.product.prodname_dependabot %} alert rule. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts)."{% endif %}
 | `create` | Triggered when {% data variables.product.product_name %} creates a {% data variables.product.prodname_dependabot %} alert for a repository that uses a vulnerable dependency. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)."
 | `dismiss` | Triggered when an organization owner or person with admin{% ifversion dependabot-alerts-permissions-write-maintain %}, write, or maintain{% endif %} access to the repository dismisses a {% data variables.product.prodname_dependabot %} alert about a vulnerable dependency.
 | `resolve` | Triggered when someone with write {% ifversion dependabot-alerts-permissions-write-maintain %}or maintain{% endif %} access to a repository pushes changes to update and resolve a vulnerability in a project dependency.

data/features/dependabot-alert-rules-auto-dismissal-npm-dev-dependencies.yml

@@ -0,0 +1,6 @@
+# Reference: Issue #10052 - Safe auto-dismissals for Dependabot alerts (low impact npm devDependencies) [Public Beta]
+
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.9'

data/learning-tracks/code-security.yml

@@ -51,6 +51,8 @@ dependabot_alerts:
       endif %}
     - >-
       /code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts
+    - >-
+      /code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts
     - >-
       /code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts
     - >-

data/reusables/dependabot/github-curated-alert-rules-beta.md

@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** {% data variables.product.company_short %}-curated {% data variables.product.prodname_dependabot %} alert rules are currently in beta and are subject to change.
+
+{% endnote %}