Mirror of https://github.com/github/docs.git
Tidy-up feature-based versioning used for Dependabot auto-triage rules (#45171)
Parent: 738263414c
Commit: eda3f6e5da
@ -1,9 +1,9 @@
---
title: About Dependabot alert rules
intro: 'Auto-triage rules are a powerful tool to help you better manage your security alerts at scale. {% data variables.product.prodname_dependabot %}''s default rulesets are curated for you and filter out a substantial amount of false positives. Custom auto-triage rules provide control over which alerts are ignored, snoozed, or trigger a {% data variables.product.prodname_dependabot %} security update to resolve the alert.'
permissions: 'People with write permissions can view {% data variables.product.prodname_dependabot %} alert rules for the repository. People with admin permissions to a repository can enable or disable {% data variables.product.prodname_dependabot %} alert rules for the repository{% ifversion dependabot-alert-custom-rules-repo-level %}, as well as create custom alert rules{% endif %}.{% ifversion dependabot-alerts-custom-rules-updates %} Additionally, organization owners and security managers can set alert rules at the organization-level and optionally choose to enforce rules for repositories in the organization.{% endif %}'
permissions: 'People with write permissions can view {% data variables.product.prodname_dependabot %} alert rules for the repository. People with admin permissions to a repository can enable or disable {% data variables.product.prodname_dependabot %} alert rules for the repository, as well as create custom alert rules. Additionally, organization owners and security managers can set alert rules at the organization-level and optionally choose to enforce rules for repositories in the organization.'
versions:
feature: dependabot-alert-rules-auto-dismissal-npm-dev-dependencies
feature: dependabot-auto-triage-rules
type: overview
topics:
- Dependabot
@ -20,9 +20,8 @@ redirect_from:
## About {% data variables.product.prodname_dependabot %} alert rules
{% data variables.product.prodname_dependabot %} alert rules allow you to instruct {% data variables.product.prodname_dependabot %} to automatically triage {% data variables.product.prodname_dependabot_alerts %}. You can use alert rules to auto-dismiss or snooze certain alerts{% ifversion dependabot-alerts-custom-rules-updates %}, or specify the alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for{% endif %}.
{% data variables.product.prodname_dependabot %} alert rules allow you to instruct {% data variables.product.prodname_dependabot %} to automatically triage {% data variables.product.prodname_dependabot_alerts %}. You can use alert rules to auto-dismiss or snooze certain alerts, or specify the alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for.
{% ifversion dependabot-alert-custom-rules-repo-level %}
There are two types of {% data variables.product.prodname_dependabot %} alert rules:
- A {% data variables.product.company_short %}-curated rule, called `Dismiss low impact alerts`
@ -30,7 +29,7 @@ There are two types of {% data variables.product.prodname_dependabot %} alert ru
The {% data variables.product.company_short %}-curated rule, `Dismiss low impact alerts`, auto-dismisses certain types of vulnerabilities that are found in npm dependencies used in development. The rule has been curated to reduce false positives and reduce alert fatigue. The rule is enabled by default for public repositories and can be opted into for private repositories. However, you cannot modify {% data variables.product.company_short %}-curated rules. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/using-github-curated-alert-rules-to-prioritize-dependabot-alerts)."
With user-created custom rules, you can create your own rules to automatically dismiss or reopen alerts based on your own criteria, such as severity, package name, CWE, and more. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/customizing-alert-rules-to-prioritize-dependabot-alerts)."{% endif %}
With user-created custom rules, you can create your own rules to automatically dismiss or reopen alerts based on your own criteria, such as severity, package name, CWE, and more. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/customizing-alert-rules-to-prioritize-dependabot-alerts)."
Whilst you may find it useful to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/managing-automatically-dismissed-alerts)."
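Review bot: the `{% endif %}` dropped from the end of the "With user-created custom rules" line is the closer for the `{% ifversion dependabot-alert-custom-rules-repo-level %}` removed in the preceding hunk (@ -20,9 +20,8), so the Liquid tags in this file stay balanced after both edits; worth re-checking together because this rendering hides the +/- gutter. Minor style nit on the unchanged last line: "Whilst" reads better as "While" in US-English docs prose.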
@ -1,10 +1,10 @@
---
title: Customizing alert rules to prioritize Dependabot alerts
intro: 'You can create your own user-defined rules to auto-triage alerts.'
permissions: 'People with write permissions can view {% data variables.product.prodname_dependabot %} alert rules for the repository. People with admin permissions to a repository can enable or disable {% data variables.product.prodname_dependabot %} alert rules for the repository{% ifversion dependabot-alert-custom-rules-repo-level %}, as well as create custom alert rules{% endif %}.{% ifversion dependabot-alerts-custom-rules-updates %} Additionally, organization owners and security managers can set alert rules at the organization-level and optionally choose to enforce rules for repositories in the organization.{% endif %}'
permissions: 'People with write permissions can view {% data variables.product.prodname_dependabot %} alert rules for the repository. People with admin permissions to a repository can enable or disable {% data variables.product.prodname_dependabot %} alert rules for the repository, as well as create custom alert rules. Additionally, organization owners and security managers can set alert rules at the organization-level and optionally choose to enforce rules for repositories in the organization.'
product: '{% data reusables.gated-features.dependabot-alert-rules %}'
versions:
feature: dependabot-alert-rules-auto-dismissal-npm-dev-dependencies
feature: dependabot-auto-triage-rules
type: how_to
topics:
- Dependabot
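Review bot: the flattened `permissions:` string is now byte-identical to the one in the about page hunk (@ -1,9 +1,9 @@ above). Since this file already pulls `product:` from `reusables.gated-features`, consider moving the shared permissions sentence into a reusable as well so the two pages cannot drift apart on the next edit.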
@ -19,7 +19,7 @@ shortTitle: Custom alert rules
## About custom alert rules
You can create your own {% data variables.product.prodname_dependabot %} alert rules based on alert metadata. You can choose to auto-dismiss alerts indefinitely, or snooze alerts until a patch becomes available{% ifversion dependabot-alerts-custom-rules-updates %}, and you can specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for{% endif %}.
You can create your own {% data variables.product.prodname_dependabot %} alert rules based on alert metadata. You can choose to auto-dismiss alerts indefinitely, or snooze alerts until a patch becomes available, and you can specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for.
Since any rules that you create apply to both future and current alerts, you can also use alert rules to manage your {% data variables.product.prodname_dependabot_alerts %} in bulk.
@ -35,8 +35,6 @@ You can create rules using the following criteria:
Repository administrators can create alert rules for their {% ifversion fpt %}public{% elsif ghec or ghes %}public, private, and internal{% endif %} repositories.
{% ifversion dependabot-alerts-custom-rules-updates %}
Organization owners and security managers can set alert rules at the organization-level, and then choose if a rule is enforced or enabled across all public {% ifversion ghec %}and private {% endif %} repositories in the organization.
- **Enforced**: If an organization-level alert rule is "enforced", repository administrators cannot edit, disable, or delete the rule.
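Review bot: removing the `{% ifversion dependabot-alerts-custom-rules-updates %}` wrapper makes the organization-level paragraph render on every version the consolidated feature covers, including GHES. On the now-unconditional line that follows, `{% ifversion ghec %}and private {% endif %}` still limits "and private" to GHEC, while the line directly above says GHES repositories can be public, private, and internal. That inconsistency predates this change, but since this PR is the one widening the paragraph's audience, please confirm whether the condition should read `{% ifversion ghec or ghes %}`.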
@ -56,8 +54,6 @@ When {% data variables.product.prodname_dependabot_security_updates %} are enabl
For more information about enabling or disabling {% data variables.product.prodname_dependabot_security_updates %} for a repository, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories)."
{% endif %}
## Adding a custom alert rule to your repository
{% note %}
@ -75,12 +71,10 @@ For more information about enabling or disabling {% data variables.product.prodn
1. Under "State", use the dropdown menu to select whether the rule should be enabled or disabled for the repository.
{% data reusables.dependabot.target-alerts-metadata %}
1. Under "Rules", select the action you want to take on alerts that match the metadata:
- Select **Dismiss alerts** to auto-dismiss alerts that match the metadata. You can choose to dismiss alerts indefinitely or until a patch is available.{% ifversion dependabot-alerts-custom-rules-updates %}
- Select **Open a pull request to resolve this alert** if you want {% data variables.product.prodname_dependabot %} to suggest changes to resolve alerts that match the targeted metadata. Note that this option is unavailable if you have already selected the option to dismiss alerts indefinitely, or if {% data variables.product.prodname_dependabot_security_updates %} are enabled in your repository settings.{% endif %}
- Select **Dismiss alerts** to auto-dismiss alerts that match the metadata. You can choose to dismiss alerts indefinitely or until a patch is available.
- Select **Open a pull request to resolve this alert** if you want {% data variables.product.prodname_dependabot %} to suggest changes to resolve alerts that match the targeted metadata. Note that this option is unavailable if you have already selected the option to dismiss alerts indefinitely, or if {% data variables.product.prodname_dependabot_security_updates %} are enabled in your repository settings.
{% data reusables.dependabot.dependabot-alert-rules-click-create-rule %}
{% ifversion dependabot-alerts-custom-rules-updates %}
## Adding a custom alert rule to your organization
{% note %}
@ -101,8 +95,8 @@ For more information about enabling or disabling {% data variables.product.prodn
- Alternatively, you can choose to set the rule as **Disabled**, which cannot be overridden at the repository level. Disabled rules are hidden for all repositories.
{% data reusables.dependabot.target-alerts-metadata %}
1. Under "Rules", select the action you want to take on alerts that match the metadata:
- Select **Dismiss alerts** to auto-dismiss alerts that match the metadata. You can choose to dismiss alerts indefinitely, or until a patch is available.{% ifversion dependabot-alerts-custom-rules-updates %}
- Select **Open a pull request to resolve this alert** if you want {% data variables.product.prodname_dependabot %} to suggest changes to resolve alerts that match the metadata. Note that this option is unavailable if you have selected the option to dismiss the alerts indefinitely.{% endif %}
- Select **Dismiss alerts** to auto-dismiss alerts that match the metadata. You can choose to dismiss alerts indefinitely, or until a patch is available.
- Select **Open a pull request to resolve this alert** if you want {% data variables.product.prodname_dependabot %} to suggest changes to resolve alerts that match the metadata. Note that this option is unavailable if you have selected the option to dismiss the alerts indefinitely.
{% data reusables.dependabot.dependabot-alert-rules-click-create-rule %}
## Editing or deleting a custom alert rule for your repository
@ -124,5 +118,3 @@ For more information about enabling or disabling {% data variables.product.prodn
1. Under "Organization rules", to the right of the alert rule that you want to edit or delete, click {% octicon "pencil" aria-label="Edit custom rule" %}.
{% data reusables.dependabot.custom-alert-rules-edit-rule %}
{% data reusables.dependabot.custom-alert-rules-delete-rule %}
{% endif %}
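Review bot: this trailing `{% endif %}` closes the `{% ifversion dependabot-alerts-custom-rules-updates %}` removed above the "Adding a custom alert rule to your organization" heading (@ -75,12 +71,10), and the pair removed at @ -35,8/@ -56,8 matches likewise, so every `ifversion` dropped from this file has its closer dropped too. Because the rendered view drops the +/- gutter and blank lines (5 to 3 here means the endif plus one blank line), please run the docs content linter locally before merging to confirm the file still parses.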
@ -4,7 +4,7 @@ shortTitle: Dependabot alert rules
intro: 'You can use {% data variables.product.prodname_dependabot %} alert rules to auto-triage {% data variables.product.prodname_dependabot_alerts %}.'
allowTitleToDifferFromFilename: true
versions:
feature: dependabot-alert-rules-auto-dismissal-npm-dev-dependencies
feature: dependabot-auto-triage-rules
topics:
- Dependabot
- Alerts
@ -3,7 +3,7 @@ title: Managing alerts that have been automatically dismissed by an alert rule
intro: 'You can filter to see which alerts have been auto-dismissed by an alert rule, and you can reopen dismissed alerts.'
allowTitleToDifferFromFilename: true
versions:
feature: dependabot-alert-rules-auto-dismissal-npm-dev-dependencies
feature: dependabot-auto-triage-rules
type: how_to
topics:
- Dependabot
@ -1,9 +1,9 @@
---
title: Using GitHub-curated alert rules to prioritize Dependabot alerts
intro: 'You can use a {% data variables.product.company_short %}-curated alert rule to auto-dismiss low impact development alerts for npm dependencies.'
permissions: 'People with write permissions can view {% data variables.product.prodname_dependabot %} alert rules for the repository. People with admin permissions to a repository can enable or disable {% data variables.product.company_short %}-curated alert rules for the repository.{% ifversion dependabot-alerts-custom-rules-updates %} Organization owners and security managers can enable or disable {% data variables.product.company_short %}-curated alert rules at the organization-level and optionally choose to enforce rules for repositories in the organization.{% endif %}'
permissions: 'People with write permissions can view {% data variables.product.prodname_dependabot %} alert rules for the repository. People with admin permissions to a repository can enable or disable {% data variables.product.company_short %}-curated alert rules for the repository. Organization owners and security managers can enable or disable {% data variables.product.company_short %}-curated alert rules at the organization-level and optionally choose to enforce rules for repositories in the organization.'
versions:
feature: dependabot-alert-rules-auto-dismissal-npm-dev-dependencies
feature: dependabot-auto-triage-rules
type: how_to
topics:
- Dependabot
@ -44,19 +44,12 @@ By default, {% data variables.product.company_short %}-curated {% data variables
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% ifversion dependabot-alert-custom-rules-repo-level %}
1. Under "{% data variables.product.prodname_dependabot_alerts %}", click {% octicon "gear" aria-label="The Gear icon" %} close to "{% data variables.product.prodname_dependabot %} rules".
![Screenshot of the "Code security and analysis" page for a repository. The gear icon is highlighted with an orange outline.](/assets/images/help/repository/dependabot-rules-page.png)
1. Select **Dismiss low impact alerts**.
1. Click **Save rules**.
{% else %}
1. Under "{% data variables.product.prodname_dependabot_alerts %}", click **Dismiss low impact alerts**.
![Screenshot of the "Code security and analysis" page for a repository. The "Dismiss low impact alerts" option is highlighted with an orange outline.](/assets/images/help/repository/enable-autodismissal-low-impact-dependabot-alerts.png)
{% endif %}
## Publicly disclosed CWEs used by the `Dismiss low impact alerts` rule
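Review bot: dropping the `{% else %}` branch removes this file's only reference to `/assets/images/help/repository/enable-autodismissal-low-impact-dependabot-alerts.png`. If no other page still embeds that screenshot, delete the asset in the same PR so the repository does not accumulate orphaned images; if another page does use it, no action needed. The surviving branch keeps `dependabot-rules-page.png`, which matches the gear-icon step it illustrates.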
@ -89,7 +89,7 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc
{% data reusables.dependabot.dependabot-alert-create-PR %}
{% ifversion dependabot-alert-custom-rules-repo-level %}
{% ifversion dependabot-auto-triage-rules %}
{% data reusables.dependabot.dependabot-alert-rules %}
@ -31,7 +31,7 @@ You can enable or disable {% data variables.product.prodname_dependabot_alerts %
- Your organization{% ifversion dependabot-alerts-enterprise-enablement or ghes > 3.8 %}
- Your enterprise{% endif %}
{% ifversion dependabot-alert-custom-rules-repo-level %}
{% ifversion dependabot-auto-triage-rules %}
{% data reusables.dependabot.dependabot-alert-rules %}
@ -47,7 +47,7 @@ You can also audit actions taken in response to {% data variables.product.prodna
## Prioritizing {% data variables.product.prodname_dependabot_alerts %}
{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. {% ifversion dependabot-most-important-sort-option %} By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.
{% ifversion dependabot-alert-rules-auto-dismissal-npm-dev-dependencies %}
{% ifversion dependabot-auto-triage-rules %}
You can also use alert rules to prioritize {% data variables.product.prodname_dependabot_alerts %}. For more information, see “[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules).”
{% endif %}
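Review bot: style nit on the unchanged "You can also use alert rules to prioritize" line inside the renamed `ifversion` block: it wraps the `[AUTOTITLE]` link in curly quotes (“ ”) while every other link in this diff uses straight double quotes; since this line is already being touched by the surrounding rename, normalizing it to `"[AUTOTITLE](...)."` here would be cheap.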
@ -70,7 +70,7 @@ If {% data variables.product.prodname_dependabot_alerts %} are enabled for a rep
![Screenshot showing the list of Dependabot alerts for the demo repository.](/assets/images/help/repository/dependabot-alerts-list-demo-repo.png)
You can filter {% data variables.product.prodname_dependabot_alerts %} in the list, using a variety of filters or labels. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#prioritizing-dependabot-alerts)."{% ifversion dependabot-alert-rules-auto-dismissal-npm-dev-dependencies %} You can also use {% data variables.product.prodname_dependabot %} alert rules to filter out false positive alerts or alerts you're not interested in. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules)."{% endif %}
You can filter {% data variables.product.prodname_dependabot_alerts %} in the list, using a variety of filters or labels. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#prioritizing-dependabot-alerts)."{% ifversion dependabot-auto-triage-rules %} You can also use {% data variables.product.prodname_dependabot %} alert rules to filter out false positive alerts or alerts you're not interested in. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules)."{% endif %}
1. Click the "Command Injection in lodash" alert on the `javascript/package-lock.json` file. The details page for the alert will show the following information (note that some information may not apply to all alerts):
- Whether {% data variables.product.prodname_dependabot %} created a pull request that will fix the vulnerability. You can review the suggested security update by clicking **Review security update**.
@ -41,7 +41,7 @@ View alerts about dependencies that are known to contain security vulnerabilitie
and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
{% endif %}
{% ifversion dependabot-alert-custom-rules-repo-level %}
{% ifversion dependabot-auto-triage-rules %}
{% data reusables.dependabot.dependabot-alert-rules %}
@ -54,7 +54,7 @@ For more information, see "[AUTOTITLE](/code-security/supply-chain-security/unde
{% data variables.product.prodname_dependabot_alerts %} are generated when {% data variables.product.prodname_dotcom %} identifies a dependency in the dependency graph with a vulnerability. {% ifversion fpt or ghec %}You can enable {% data variables.product.prodname_dependabot_alerts %} for any repository.{% endif %}
{% ifversion dependabot-alert-custom-rules-repo-level %}
{% ifversion dependabot-auto-triage-rules %}
{% data reusables.dependabot.dependabot-alert-rules %}
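Review bot: this is the fourth hunk in the PR (with @ -89,7, @ -31,7 and @ -41,7 above) that renames the same `{% ifversion ... %}` wrapper sitting directly around `{% data reusables.dependabot.dependabot-alert-rules %}`. If that reusable is only ever included under this condition, moving the `{% ifversion dependabot-auto-triage-rules %}` / `{% endif %}` pair into the reusable itself would remove four copies of the condition and make the next feature rename a one-line change; if the reusable is also used unconditionally somewhere, leave as is.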
@ -1,6 +0,0 @@
# Reference: Issue #10089 - Alert rules: user-configured dismiss rules for Dependabot alerts
versions:
fpt: '*'
ghec: '*'
ghes: '>3.11'
@ -1,6 +0,0 @@
# Reference: Issue #10052 - Safe auto-dismissals for Dependabot alerts (low impact npm devDependencies) [Public Beta]
versions:
fpt: '*'
ghec: '*'
ghes: '>3.11'
@ -1,6 +0,0 @@
# Reference: Issue #10068 - Dependabot alert custom rules updates (option to create a PR, org level rules)
versions:
fpt: '*'
ghec: '*'
ghes: '>3.11'
@ -0,0 +1,9 @@
# References:
# Issue #10052 - Safe auto-dismissals for Dependabot alerts (low impact npm devDependencies) [Public Beta]
# Issue #10089 - Alert rules: user-configured dismiss rules for Dependabot alerts
# Issue #10068 - Dependabot alert custom rules updates (option to create a PR, org level rules)
versions:
fpt: '*'
ghec: '*'
ghes: '>3.11'
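Review bot: the three deleted feature files carried exactly the same `versions:` block (`fpt: '*'`, `ghec: '*'`, `ghes: '>3.11'`) that this consolidated file declares, so the merge changes no page's availability; good. Two follow-ups before merging: this rendering does not show the deleted files' names, so please grep `content/` and `data/` for any remaining `ifversion` use of the three retired names (`dependabot-alert-custom-rules-repo-level`, `dependabot-alert-rules-auto-dismissal-npm-dev-dependencies`, `dependabot-alerts-custom-rules-updates`), since a reference to a feature with no definition would no longer resolve; and consider carrying the `[Public Beta]` marker from the #10052 line only if the consolidated feature is still in beta, otherwise drop it so the comment does not mislead.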
@ -1 +1 @@
Additionally, you can use {% data variables.product.prodname_dependabot %} alert rules to auto-triage alerts, so you can auto-dismiss alerts{% ifversion dependabot-alerts-custom-rules-updates %}, and specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for{% endif %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules)."
Additionally, you can use {% data variables.product.prodname_dependabot %} alert rules to auto-triage alerts, so you can auto-dismiss alerts, and specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules)."
@ -1,4 +1,4 @@
{% ifversion dependabot-alerts-custom-rules-updates %}
{% ifversion dependabot-auto-triage-rules %}
{% note %}