A new DependabotUpdate GraphQL object connects the relevant repository's Dependabot alert(s) – aka vulnerabilityAlerts – to the Dependabot generated pull request or error.
In some cases, Dependabot fails to open a pull request. Previously, the error message that Dependabot generated was only visible in the Dependabot Alerts section of the Security tab.
Now, if Dependabot runs into an error when trying to open a pull request for a Dependabot alert, you can see the error in the API.
query($repo_owner:String!, $repo_name:String!) {
repository(owner: $repo_owner, name: $repo_name) {
vulnerabilityAlerts(first: 1) {
nodes {
dependabotUpdate {
pullRequest {
number
title
}
error {
title
body
errorType
}
}
}
}
}
}
{
"data": {
"repository": {
"vulnerabilityAlerts": {
"nodes": [
{
"dependabotUpdate": {
"pullRequest": null,
"error": {
"title": "Dependabot cannot update braces to a non-vulnerable version",
"body": "The latest possible version of braces that can be installed is `1.8.5`.\n\nThe earliest fixed version is `2.3.1`.",
"errorType": "security_update_not_possible"
}
}
}
]
}
}
}
}
We want your feedback! Let us know how you are using DependabotUpdate and give us your feedback in this GitHub discussion.
See the full API documentation in our GraphQL docs.
A new GitHub Action enforces dependency reviews on PRs by scanning for dependencies and warning you about any associated security vulnerabilities. This is supported by a new API endpoint that diffs the dependencies between any two revisions.
The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret.