Support for Dependabot alerts #11
Comments
For secret scanning, I'm giving this one another review before approving and merging: #7
The secret scanning PR has been thoroughly tested. I'll try to get other feedback this week so it can be merged asap!
Resolved Dependabot alerts are still not retained, but there are ways to sync the actual security/updates: https://github.com/namin2/dependabot_jira
@cmboling, why does Dependabot not retaining alerts after being resolved pose a problem?
Howdy @mario-campos!! In the case of Dependabot, I don't see any issues with syncing the Dependabot alerts, but when it comes to having a clear source of truth, it may possibly lead to confusion at first. For example, there would be a Jira issue mapped to some resolved Dependabot alert (because it was open and was synced to Jira at some point) but there's no indication of a resolved alert in the UI or in the endpoint. Because we know how Dependabot security updates treat resolved alerts, we can say/assume the alert was resolved and deleted and implement such logic in this integration. We could definitely make it work, but it's a bit weird to see that inconsistency. For the So if we could retain alerts... THAT WOULD BE THE BEST INTERNET CHRISTMAS GIFT EVER. 🌴 For anyone else reading.. apologies for the delay! Hang in there. 💟 But yeah if a user has Dependabot security updates enabled, that's perfect because we can easily sync it, such as the integration mentioned above. Definitely recommend that approach for now if at all possible.
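The reconciliation logic the comment above sketches (a Jira issue whose alert has disappeared from the listing is assumed resolved and gets closed), as an added example. This is not code from this repository or from the linked dependabot_jira project; the alert shape (`number`, `state`) is an assumption loosely modelled on the Dependabot alerts REST API, the Jira side is a plain dict of issue key to alert number, and the snapshot data is constructed, so nothing here touches the network.

```python
"""Reconcile a snapshot of Dependabot alerts with the Jira issues tracking them.

Added example, not part of the repository this issue belongs to. Models the
rule discussed in the thread: an alert that was synced to Jira but no longer
appears in the alert listing is assumed resolved/deleted, so its Jira issue
is closed. Alert dicts with 'number' and 'state' are an assumption based on
the Dependabot alerts REST API; all data below is constructed.
"""
from dataclasses import dataclass, field

# Assumption: only 'open' means the alert still needs tracking; 'fixed' and
# 'dismissed' (and an alert that is simply gone) all count as resolved.
OPEN_STATES = {"open"}


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)     # alert numbers needing a new Jira issue
    resolve: list = field(default_factory=list)    # Jira keys to transition to Done
    unchanged: list = field(default_factory=list)  # Jira keys still backed by an open alert


def reconcile(alerts, jira_issues):
    """alerts: iterable of dicts with at least 'number' and 'state'.
    jira_issues: dict mapping Jira issue key -> alert number it was opened for.
    Returns a SyncPlan; applying it twice yields the same state (idempotent).
    """
    by_number = {a["number"]: a for a in alerts}
    tracked = set(jira_issues.values())
    plan = SyncPlan()

    for key, num in sorted(jira_issues.items()):
        alert = by_number.get(num)
        if alert is None:
            # Vanished from the listing: treat as resolved and deleted.
            plan.resolve.append(key)
        elif alert["state"] not in OPEN_STATES:
            # Still listed, but no longer open (fixed/dismissed).
            plan.resolve.append(key)
        else:
            plan.unchanged.append(key)

    for num, alert in sorted(by_number.items()):
        # Only open alerts without a Jira issue yet need one; a dismissed
        # alert that was never synced gets no issue at all.
        if alert["state"] in OPEN_STATES and num not in tracked:
            plan.create.append(num)
    return plan


# Constructed snapshot: alert 2 was synced earlier but is now absent from the
# listing, alert 3 is fixed, alert 4 is new, alert 5 was dismissed before sync.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "package": "lodash"},
    {"number": 3, "state": "fixed", "package": "minimist"},
    {"number": 4, "state": "open", "package": "ws"},
    {"number": 5, "state": "dismissed", "package": "yargs-parser"},
]
SAMPLE_JIRA = {"SEC-10": 1, "SEC-11": 2, "SEC-12": 3}


def demo():
    """Run the reconciliation over the constructed snapshot."""
    return reconcile(SAMPLE_ALERTS, SAMPLE_JIRA)


if __name__ == "__main__":
    plan = demo()
    print("create Jira issues for alerts:", plan.create)
    print("resolve Jira issues:", plan.resolve)
    print("unchanged:", plan.unchanged)
```

The absent-alert branch is the assumption the comment calls out: it only holds while the alert endpoint drops resolved alerts, so a sync job built this way should log every issue it closes on that basis, making the mapping easy to audit if alert retention changes later.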
I also changed the title since we already got the secret scanning stuff merge 😄 |
Just checking in on the status of this issue/request. I know there have been changes to Dependabot alert persistence and the GraphQL API in recent months, and I was curious if the new features are enough to enable syncing of Dependabot alerts now?
Bump -> Any progress on dependabot alerts? |
Dependabot adding API support in Q3 might remove some blockers here - github/roadmap#495 |
With Code Scanning alerts now being part of the Jira Application, does the development effort for Dependabot sync make more sense to occur here or there? |
Any update to adding Dependabot alerts? |
Any updates here? This would greatly streamline my Jira workflow. |
@pladuke |
@pladuke Who ran a GHAS evaluation? A customer of yours or a team within GitHub? Does this mean this feature will be worked on?
Any progress on dependabot alerts? |
It would be great to include support for the other types of GHAS alerts: