Release
Dependabot alerts now support production context prioritization in public preview
Dependabot alerts can now be filtered and prioritized using production context from external artifact registries, including JFrog Artifactory, and your own CI/CD workflows. This feature is available in public preview.
Security teams can focus remediation on alerts that impact artifacts actually promoted to production, helping reduce noise and accelerate response times.
- Use the new Storage Record API to send artifact promotion events from your registry or CI/CD workflow to GitHub.
- JFrog Artifactory users can enable the GitHub integration in Artifactory settings to automatically emit promotion events with no extra setup required.
- In Dependabot alert views, use the `artifact-registry:jfrog-artifactory` or `artifact-registry-url:` filters to focus on vulnerabilities present in production-approved artifacts.
- Combine the new filters with other existing filters, such as EPSS or CVSS, for advanced alert prioritization.
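The CI/CD path described above, as an added example that is not GitHub's or JFrog's own code: a small Python script a deploy job could run after an artifact is promoted, which parses the digest-pinned artifact reference, builds a storage record, and posts it to GitHub. The endpoint path (`POST /orgs/{org}/artifacts/metadata/storage-record`), the payload field names and the `status` values are assumptions to be checked against the Storage Record API reference; the org, repository and registry names are constructed sample data.

```python
"""Emit an artifact promotion event from CI to GitHub's Storage Record API.

Added example, not code from GitHub or JFrog. ASSUMPTIONS (verify against the
Storage Record API reference): the endpoint path in post_storage_record() and
the field names / status values in build_storage_record().
"""
import json
import os
import re
import urllib.request

# Only immutable, digest-pinned references are accepted. A tag such as
# ":latest" can be moved to a different image later, so a record keyed on a
# tag would attach production context to the wrong bytes.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
ALLOWED_STATUS = ("active", "eol")  # assumed values


def parse_artifact_ref(ref: str) -> dict:
    """Split 'registry.example.com/team/app@sha256:<hex>' into its parts."""
    if "@" not in ref:
        raise ValueError(f"artifact reference must be pinned by digest, not tag: {ref}")
    path, digest = ref.rsplit("@", 1)
    if not DIGEST_RE.match(digest):
        raise ValueError(f"unsupported or malformed digest: {digest}")
    registry, _, repo_path = path.partition("/")
    if not registry or not repo_path:
        raise ValueError(f"reference needs a registry host and a repository path: {ref}")
    return {
        "registry": registry,
        "path": repo_path,
        "name": repo_path.rsplit("/", 1)[-1],
        "digest": digest,
    }


def build_storage_record(ref: str, github_repo: str, version: str,
                         status: str = "active") -> dict:
    """Build the JSON body for one promotion event (field names assumed)."""
    if status not in ALLOWED_STATUS:
        raise ValueError(f"status must be one of {ALLOWED_STATUS}: {status}")
    parts = parse_artifact_ref(ref)
    return {
        "name": parts["name"],
        "digest": parts["digest"],
        "artifact_url": ref,
        "path": parts["path"],
        "registry_url": "https://" + parts["registry"],
        "repository": github_repo,   # owner/repo that built the artifact
        "version": version,
        "status": status,
    }


def post_storage_record(org: str, token: str, record: dict,
                        api: str = "https://api.github.com") -> int:
    """POST the record; returns the HTTP status. Endpoint path is assumed."""
    req = urllib.request.Request(
        f"{api}/orgs/{org}/artifacts/metadata/storage-record",
        data=json.dumps(record).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values; a real job would take these from its environment.
    sample_ref = "registry.example.com/team/app@sha256:" + "a" * 64
    record = build_storage_record(sample_ref, "octo-org/app", "1.4.2")
    print(json.dumps(record, indent=2))
    token = os.environ.get("GITHUB_TOKEN")
    if token:  # only talk to the network when a token is actually present
        print(post_storage_record("octo-org", token, record))
```

Use a token scoped to the single org and to the permission the API reference lists for this endpoint, not a broad PAT, since the job only needs to write artifact metadata. Keep the digest check strict: if a promotion step hands you a tag instead of a digest, fail the job rather than resolve the tag yourself, because whatever the tag points to at that moment may not be what was reviewed.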
For more details, check out the documentation:
- Prioritizing Dependabot alerts using production context
- JFrog and GitHub Integration: JFrog for Dependabot
- Storage Record API reference
Share your thoughts or questions on the GitHub Community.