Secret scanning custom pattern events now in the audit log

The audit log now includes events associated with secret scanning custom patterns. This data helps GitHub Advanced Security customers understand actions taken on their repository, organization, or enterprise level custom patterns for security and compliance audits.

New events will be added to the audit log when a custom pattern is created, updated, or deleted.

A new DependabotUpdate GraphQL object connects a repository's Dependabot alerts (exposed in the API as vulnerabilityAlerts) to the Dependabot-generated pull request or error.

query($repo_owner:String!, $repo_name:String!) {
  repository(owner: $repo_owner, name: $repo_name) {
    vulnerabilityAlerts(first: 1) {
      nodes {
        dependabotUpdate {
          pullRequest {
            number
            title
          }
        }
      }
    }
  }
}

{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "dependabotUpdate": {
              "pullRequest": {
                "number": 4772,
                "title": "build(deps): bump object-path from 0.11.5 to 0.11.8 in /npm_and_yarn/helpers"
              }
            }
          }
        ]
      }
    }
  }
}

In some cases, Dependabot fails to open a pull request. Previously, the error message that Dependabot generated was only visible in the Dependabot Alerts section of the Security tab.

Screenshot of Dependabot Security Tab

Now, if Dependabot runs into an error when trying to open a pull request for a Dependabot alert, you can see the error in the API.

query($repo_owner:String!, $repo_name:String!) {
  repository(owner: $repo_owner, name: $repo_name) {
    vulnerabilityAlerts(first: 1) {
      nodes {
        dependabotUpdate {
          pullRequest {
            number
            title
          }
          error {
            title
            body
            errorType
          }
        }
      }
    }
  }
}

{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "dependabotUpdate": {
              "pullRequest": null,
              "error": {
                "title": "Dependabot cannot update braces to a non-vulnerable version",
                "body": "The latest possible version of braces that can be installed is `1.8.5`.\n\nThe earliest fixed version is `2.3.1`.",
                "errorType": "security_update_not_possible"
              }
            }
          }
        ]
      }
    }
  }
}
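
As an added example (not GitHub's own code), the Python sketch below triages a multi-alert response to the query above, separating alerts with an open pull request from those where Dependabot reported an error, grouped by errorType. The function names, the `first: 100` page size, the sample data, and the handling of a null `dependabotUpdate` are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Query from the entry above, with first: 1 raised to first: 100 (assumption).
QUERY = """query($repo_owner:String!, $repo_name:String!) {
  repository(owner: $repo_owner, name: $repo_name) {
    vulnerabilityAlerts(first: 100) {
      nodes { dependabotUpdate {
        pullRequest { number title }
        error { title body errorType }
      } }
    }
  }
}"""

def build_payload(owner, name):
    """JSON body for a POST to the GraphQL endpoint (network call omitted)."""
    variables = {"repo_owner": owner, "repo_name": name}
    return json.dumps({"query": QUERY, "variables": variables})

def triage(response):
    """Sort alert nodes into: PR opened, failed (by errorType), no update."""
    if response.get("errors"):  # top-level GraphQL errors: nothing to triage
        raise RuntimeError(response["errors"])
    out = {"pull_requests": [], "failed": defaultdict(list), "no_update": 0}
    for node in response["data"]["repository"]["vulnerabilityAlerts"]["nodes"]:
        update = node.get("dependabotUpdate") or {}
        pr, err = update.get("pullRequest"), update.get("error")
        if pr:
            out["pull_requests"].append((pr["number"], pr["title"]))
        elif err:
            out["failed"][err["errorType"]].append(err["title"])
        else:  # assumption: dependabotUpdate is null when no update was attempted
            out["no_update"] += 1
    return out

# Constructed sample, adapted from the two responses above plus one null node.
SAMPLE = {"data": {"repository": {"vulnerabilityAlerts": {"nodes": [
    {"dependabotUpdate": {"pullRequest": {"number": 4772, "title":
        "build(deps): bump object-path from 0.11.5 to 0.11.8 in /npm_and_yarn/helpers"},
        "error": None}},
    {"dependabotUpdate": {"pullRequest": None, "error": {
        "title": "Dependabot cannot update braces to a non-vulnerable version",
        "body": "The latest possible version of braces that can be installed is `1.8.5`.",
        "errorType": "security_update_not_possible"}}},
    {"dependabotUpdate": None},
]}}}}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Alerts that land in the `failed` group have no automated fix pending and need manual remediation or an explicit risk decision.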

We want your feedback! Let us know how you are using DependabotUpdate and give us your feedback in this GitHub discussion.

See the full API documentation in our GraphQL docs.


A new GitHub Action enforces dependency reviews on PRs by scanning for dependencies and warning you about any associated security vulnerabilities. This is supported by a new API endpoint that diffs the dependencies between any two revisions.

The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.

Learn more about dependency review enforcement.
