API users can now integrate with a new `dependabot_alert` webhook, which matches the naming and structure of the recently introduced Dependabot alerts REST API. You should use this webhook in place of the existing `repository_vulnerability_alert` webhook.

Improvements with the new webhook include:
- More informative payload, including state and scope of the dependency, dismissal comments, and helpful information about a vulnerability (e.g. CVE ID, summary, description, CWEs, and reference URL).
- Support for GitHub Apps that have the Dependabot alerts permission.
- Actions on an alert now include the full set of `created`, `dismissed`, `reopened`, `fixed`, and `reintroduced`. See below for descriptions:
  - `created`: GitHub has opened the Dependabot alert
  - `dismissed`: a user dismissed the alert with a `dismissed_reason` and an optional `dismissed_comment`
  - `reopened`: a user manually reopened the previously dismissed alert
  - `fixed`: GitHub detected that the Dependabot alert is resolved
  - `reintroduced`: GitHub reopened the previously fixed alert
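As an added example (not code from GitHub's changelog or documentation): a minimal receiver that verifies a delivery's `X-Hub-Signature-256` header and reduces a `dependabot_alert` payload to the fields a triage queue needs, rejecting any action outside the five listed above. The payload is a constructed sample; its key names are assumed to follow the Dependabot alerts REST API object that the webhook mirrors, and the signature scheme is GitHub's standard HMAC-SHA256 webhook signature.

```python
import hashlib
import hmac
import json

KNOWN_ACTIONS = {"created", "dismissed", "reopened", "fixed", "reintroduced"}  # from the changelog

# Constructed sample body, trimmed; key names assumed to follow the Dependabot alerts REST API.
SAMPLE_BODY = json.dumps({
    "action": "dismissed",
    "alert": {
        "number": 7,
        "state": "dismissed",
        "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg"}, "scope": "runtime"},
        "security_advisory": {
            "cve_id": "CVE-0000-00000",  # placeholder, not a real advisory
            "cwes": [{"cwe_id": "CWE-79", "name": "Cross-site Scripting"}],
            "references": [{"url": "https://example.invalid/advisory"}]},
        "dismissed_reason": "tolerable_risk",
        "dismissed_comment": None,
    },
}).encode()
SECRET = b"constructed-webhook-secret"  # the secret configured on the webhook


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time comparison; reject deliveries whose header is missing or does not match."""
    return hmac.compare_digest(sign(secret, body), header or "")


def triage(body: bytes) -> dict:
    """Reduce a dependabot_alert delivery to the fields a triage queue needs."""
    event = json.loads(body)
    if event.get("action") not in KNOWN_ACTIONS:
        raise ValueError(f"unexpected action: {event.get('action')!r}")
    alert = event["alert"]
    adv, dep = alert["security_advisory"], alert["dependency"]
    out = {
        "action": event["action"], "number": alert["number"], "state": alert["state"],
        "package": f'{dep["package"]["ecosystem"]}:{dep["package"]["name"]}',
        "scope": dep.get("scope"), "cve": adv.get("cve_id"),
        "cwes": [c["cwe_id"] for c in adv.get("cwes", [])],
        "references": [r["url"] for r in adv.get("references", [])],
    }
    if event["action"] == "dismissed":
        out["dismissed_reason"] = alert.get("dismissed_reason")
        out["dismissed_comment"] = alert.get("dismissed_comment")
        # A runtime dependency dismissed without any comment is worth a human look.
        out["needs_review"] = out["scope"] == "runtime" and not out["dismissed_comment"]
    return out
```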
The `repository_vulnerability_alert` webhook is being deprecated. In 2023, we plan to remove the existing `repository_vulnerability_alert` webhook, which is superseded by the `dependabot_alert` webhook. We will give integrators at least 3 months' notice of this removal — keep an eye on the GitHub Changelog in 2023 for more information.
Learn more about the Dependabot alerts webhook in our documentation.