Dependabot alerts can now be filtered and prioritized using production context from external artifact registries, including JFrog Artifactory, and your own CI/CD workflows. This feature is available in public preview.

Security teams can focus remediation on alerts that impact artifacts actually promoted to production, helping reduce noise and accelerate response times.

  • Use the new Storage Record API to send artifact promotion events from your registry or CI/CD workflow to GitHub.
  • JFrog Artifactory users can enable the GitHub integration in Artifactory settings to automatically emit promotion events with no extra setup required.
  • In Dependabot alert views, use the artifact-registry:jfrog-artifactory or artifact-registry-url: filters to focus on vulnerabilities present in production-approved artifacts.
  • Combine the new filters with other existing filters, such as EPSS or CVSS, for advanced alert prioritization.
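The following is an added example of the CI/CD side of the steps above; it is not GitHub's or JFrog's own code. It shows a promotion step that emits a storage record only for an artifact identified by its immutable content digest, so the production context Dependabot later filters on cannot drift when a tag is re-pointed. The endpoint path under `/repos/OWNER/REPO/artifacts/metadata/storage-record` and the JSON field names (`registry_url`, `name`, `digest`, `status`) are assumptions for illustration; confirm them against the storage record API documentation before use.

```shell
#!/usr/bin/env bash
# Added example, not code from the announcement: emit an artifact promotion
# event to GitHub from a CI/CD job once an artifact has been promoted to the
# production repository in your registry.
# ASSUMPTIONS (not confirmed by the announcement): the endpoint path and the
# JSON field names below are illustrative placeholders for the storage record
# API; check the official documentation for the real request schema.
set -eu

# Only an immutable digest identifies what actually shipped. A tag such as
# "v1.2.3" can be re-pointed after promotion, so refuse to record anything
# that is not a sha256 content digest.
valid_digest() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Build the storage record body: registry URL, artifact name, digest, status.
# Inputs are assumed to contain no JSON-special characters (CI-supplied
# identifiers); use jq if your values can contain quotes or backslashes.
storage_record_payload() {
  registry_url=$1
  name=$2
  digest=$3
  status=${4:-active}
  if ! valid_digest "$digest"; then
    echo "refusing to record '$digest': not a sha256 content digest" >&2
    return 1
  fi
  printf '{"registry_url":"%s","name":"%s","digest":"%s","status":"%s"}\n' \
    "$registry_url" "$name" "$digest" "$status"
}

# POST the record to the repository whose Dependabot alerts should be
# annotated with this production context. GITHUB_TOKEN needs write access to
# the repository. -f makes curl fail on HTTP errors so the CI step goes red
# instead of silently leaving the alert view without production context.
post_storage_record() {
  owner_repo=$1
  payload=$2
  curl -sS -f -X POST \
    -H "Authorization: Bearer ${GITHUB_TOKEN:?set GITHUB_TOKEN}" \
    -H "Accept: application/vnd.github+json" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "https://api.github.com/repos/${owner_repo}/artifacts/metadata/storage-record" \
    -d "$payload"
}

# Typical use in the promotion step, after the registry move succeeded
# (REGISTRY_URL, IMAGE and DIGEST are values your pipeline already knows):
#   payload=$(storage_record_payload "$REGISTRY_URL" "$IMAGE" "$DIGEST" active)
#   post_storage_record "$GITHUB_REPOSITORY" "$payload"
```

Run the emit step only from the job that performs the production promotion, not from every build: the artifact-registry filters can only surface alerts for artifacts that were recorded, so an artifact promoted without a record will be missing from the filtered view rather than flagged. The digest check is the guard worth keeping even if the field names change, since a record keyed on a mutable tag would let an alert look "not in production" after the tag moves to a different build.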

For more details, check out the documentation:

Share your thoughts or questions on the GitHub Community.