Skip to content

Dependabot Alert API adds relevant update info to the schema

A new DependabotUpdate GraphQL object connects the relevant repository's Dependabot alert(s) – aka vulnerabilityAlerts – to the Dependabot generated pull request or error.

query($repo_owner:String!, $repo_name:String!) {
  repository(owner: $repo_owner, name: $repo_name) {
    vulnerabilityAlerts(first: 1) {
      nodes {
        dependabotUpdate {
          pullRequest {
            number
            title
          }
        }
      }
    }
  }
}
{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "dependabotUpdate": {
              "pullRequest": {
                "number": 4772,
                "title": "build(deps): bump object-path from 0.11.5 to 0.11.8 in /npm_and_yarn/helpers"
              }
            }
          }
        ]
      }
    }
  }
}

In some cases, Dependabot fails to open a pull request. Previously, the error message that Dependabot generated was only visible in the Dependabot Alerts section of the Security tab.

Screenshot of Dependabot Security Tab

Now, if Dependabot runs into an error when trying to open a pull request for a Dependabot alert, you can see the error in the API.

query($repo_owner:String!, $repo_name:String!) {
  repository(owner: $repo_owner, name: $repo_name) {
    vulnerabilityAlerts(first: 1) {
      nodes {
        dependabotUpdate {
          pullRequest {
            number
            title
          }
          error {
            title
            body
            errorType
          }
        }
      }
    }
  }
}
{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "dependabotUpdate": {
              "pullRequest": null,
              "error": {
                "title": "Dependabot cannot update braces to a non-vulnerable version",
                "body": "The latest possible version of braces that can be installed is `1.8.5`.\n\nThe earliest fixed version is `2.3.1`.",
                "errorType": "security_update_not_possible"
              }
            }
          }
        ]
      }
    }
  }
}

We want your feedback! Let us know how you are using DependabotUpdate and give us your feedback in this GitHub discussion.

See the full API documentation in our GraphQL docs.

GitHub Action for dependency review enforcement

A new GitHub Action enforces dependency reviews on PRs by scanning for dependencies and warning you about any associated security vulnerabilities. This is supported by a new API endpoint that diffs the dependencies between any two revisions.

The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.

Learn more about dependency review enforcement.

See more

Secret scanning webhooks for alert locations

GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret.

See more
View all changes