How to GET the list of dependabot alerts via GitHub API?
How can I GET the list of dependabot alerts available at https://github.com/{user}/{repo}/security/dependabot?page=1&q=is%3Aopen via the GitHub API?


I searched through the documentation but couldn't find anything there.

Thanks!

Haberdashery answered 24/2, 2021 at 17:58 Comment(0)

There is this RepositoryVulnerabilityAlert object available with the GraphQL API.

For example, for a specific repository, you can get all the alerts with the following query (check this out in the explorer):

{
    repository(name: "repo-name", owner: "repo-owner") {
        vulnerabilityAlerts(first: 100) {
            nodes {
                createdAt
                dismissedAt
                securityVulnerability {
                    package {
                        name
                    }
                    advisory {
                        description
                    }
                }
            }
        }
    }
}

It also returns alerts that were dismissed, which can be spotted using the dismissedAt field. But there doesn't seem to be a way to filter only "active" alerts.

Sample output:

{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "createdAt": "2018-03-05T19:13:26Z",
            "dismissedAt": null,
            "securityVulnerability": {
              "package": {
                "name": "moment"
              },
              "advisory": {
                "description": "Affected versions of `moment` are vulnerable to a low severity regular expression denial of service when parsing dates as strings.\n\n\n## Recommendation\n\nUpdate to version 2.19.3 or later."
              }
            }
          },
          ....
        ]
      }
    }
  }
}
Freeliving answered 24/2, 2021 at 18:40 Comment(5)
I'm not sure why, but I thought that all the resources available via GraphQL would also be available via REST. That's exactly what I was looking for. – Compass
So is this not available on the REST API? – Collage
You can see the state, fixed/open/dismissed, with the API as well: docs.github.com/en/graphql/reference/… – Haarlem
@Bertrand Do you happen to know what permission the access token should have to read this data? Also, is it possible to read this data using $GITHUB_TOKEN? – Butterfingers
@Butterfingers I have got this working with the full repo scope, which means the token has write access to repositories. Unfortunately I have not found a way that allows you to only use a read-only token. – Burgett
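Added example, not code from the answer above: a small Python client that pages through the vulnerabilityAlerts connection (the answer's query only fetches the first 100 nodes) and then drops dismissed alerts client-side, which is the practical workaround for the lack of an "active only" filter the answer mentions. Assumptions that are mine, not the answer's: the token is read from the GITHUB_TOKEN environment variable, the `post` callable is injectable so the paging logic can be exercised offline, and the two-page response below is constructed sample data, not real alerts.

```python
"""Added example, not code from the answer above.

Pages through a repository's vulnerabilityAlerts connection with the GraphQL
API and drops dismissed alerts client-side, since the API returns those too.
Assumed, not from the answer: the token comes from the GITHUB_TOKEN
environment variable, and `post` is injectable so the paging logic can run
offline against a constructed response.
"""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# The answer's fields, plus pageInfo/after so pages beyond the first 100 are read.
QUERY = """
query($owner: String!, $name: String!, $cursor: String) {
  repository(owner: $owner, name: $name) {
    vulnerabilityAlerts(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        createdAt
        dismissedAt
        securityVulnerability {
          package { name }
          advisory { description }
        }
      }
    }
  }
}
"""


def post_graphql(payload, token):
    """Send one GraphQL request with a bearer token and decode the JSON reply."""
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_alerts(owner, name, token, post=post_graphql):
    """Collect every alert node across all pages by following endCursor."""
    nodes, cursor = [], None
    while True:
        body = post({"query": QUERY,
                     "variables": {"owner": owner, "name": name, "cursor": cursor}},
                    token)
        # A missing token scope or a wrong repo name arrives as GraphQL errors with HTTP 200.
        if body.get("errors"):
            raise RuntimeError(body["errors"])
        conn = body["data"]["repository"]["vulnerabilityAlerts"]
        nodes.extend(conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return nodes
        cursor = conn["pageInfo"]["endCursor"]


def active_alerts(nodes):
    """Keep only alerts that have not been dismissed (dismissedAt is null)."""
    return [n for n in nodes if n["dismissedAt"] is None]


def count_by_package(nodes):
    """Active alert count per package, a quick triage view."""
    counts = {}
    for n in active_alerts(nodes):
        pkg = n["securityVulnerability"]["package"]["name"]
        counts[pkg] = counts.get(pkg, 0) + 1
    return counts


def _node(created, dismissed, pkg, text):
    return {"createdAt": created, "dismissedAt": dismissed,
            "securityVulnerability": {"package": {"name": pkg},
                                      "advisory": {"description": text}}}


# Constructed two-page reply for the offline run; package names and advisory
# text are sample values, not real alerts.
FAKE_PAGES = {
    None: {"data": {"repository": {"vulnerabilityAlerts": {
        "pageInfo": {"hasNextPage": True, "endCursor": "cursor-1"},
        "nodes": [_node("2018-03-05T19:13:26Z", None, "moment", "sample advisory A"),
                  _node("2019-01-01T00:00:00Z", "2019-02-01T00:00:00Z", "lodash", "sample advisory B")]}}}},
    "cursor-1": {"data": {"repository": {"vulnerabilityAlerts": {
        "pageInfo": {"hasNextPage": False, "endCursor": None},
        "nodes": [_node("2020-01-01T00:00:00Z", None, "moment", "sample advisory C")]}}}},
}


def fake_post(payload, token):
    """Offline stand-in for post_graphql, keyed by the cursor variable."""
    return FAKE_PAGES[payload["variables"]["cursor"]]


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    post = post_graphql if token else fake_post
    alerts = fetch_alerts("repo-owner", "repo-name", token, post=post)
    print(json.dumps(count_by_package(alerts), indent=2))
```

Run it with GITHUB_TOKEN set to hit the real API; without it, the constructed pages are used. The `errors` check matters in practice: GraphQL answers a token without the needed scope with HTTP 200 and an `errors` array rather than a 401, so a client that only looks at the status code will silently treat "no access" as "no alerts".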

Since 22nd September 2022, as per official documentation, there is now a REST endpoint, as well as GitHub CLI support, for listing Dependabot alerts.

It allows you to list alerts for:


Examples below are for obtaining alerts for a specific repository.

GitHub CLI (Bash):

gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/[owner]/[repo-name]/dependabot/alerts

GitHub CLI (PowerShell):

gh api `
  -H "Accept: application/vnd.github+json" `
  -H "X-GitHub-Api-Version: 2022-11-28" `
  /repos/[owner]/[repo-name]/dependabot/alerts

Directly calling the REST API (Bash):

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer [your-token]" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/[owner]/[repo-name]/dependabot/alerts

Directly calling the REST API (PowerShell):

$headers = @{
    "Accept"                = "application/vnd.github+json"
    "Authorization"         = "Bearer [your-token]"
    "X-GitHub-Api-Version"  = "2022-11-28"
}

Invoke-WebRequest `
    -Uri "https://api.github.com/repos/[owner]/[repo-name]/dependabot/alerts" `
    -Headers $headers

Example truncated JSON response:

[
  {
    "number": 11,
    "state": "open",
    "dependency": {
      "package": {
        "ecosystem": "npm",
        "name": "url-parse"
      },
      "manifest_path": "webapp/src/main/react-app/yarn.lock",
      "scope": "runtime"
    },
    "security_advisory": {
      "ghsa_id": "GHSA-jf5r-8hm2-f872",
      "cve_id": "CVE-2022-0691",
      "summary": "Incorrect hostname / protocol due to unstripped leading control characters.",
      "description": "Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL.\n\nIf url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.\n\nThis can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example:\n`````\nconst parse = require('url-parse')\nconst express = require('express')\nconst app = express()\nconst port = 3000\n\nurl = parse(\\\"\\\\bjavascript:alert(1)\\\")\n\nconsole.log(url)\n\napp.get('/', (req, res) => {\n if (url.protocol !== \\\"javascript:\\\") {res.send(\\\"<a href=\\\\'\\\" + url.href + \\\"\\\\'>CLICK ME!</a>\\\")}\n })\n\napp.listen(port, () => {\n console.log(`Example app listening on port ${port}`)\n })\n`````",
      "severity": "medium",
      "identifiers": [
        {
          "value": "GHSA-jf5r-8hm2-f872",
          "type": "GHSA"
        },
        {
          "value": "CVE-2022-0691",
          "type": "CVE"
        }
      ],
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0691"
        },
        {
          "url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63"
        },
        {
          "url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
        },
        {
          "url": "https://github.com/advisories/GHSA-jf5r-8hm2-f872"
        }
      ],
      "published_at": "2022-02-22T00:00:30Z",
      "updated_at": "2023-02-23T22:08:49Z",
      "withdrawn_at": null,
      "vulnerabilities": [
        {
          "package": {
            "ecosystem": "npm",
            "name": "url-parse"
          },
          "severity": "medium",
          "vulnerable_version_range": "< 1.5.9",
          "first_patched_version": {
            "identifier": "1.5.9"
          }
        }
      ],
      "cvss": {
        "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "score": 6.5
      },
      "cwes": [
        {
          "cwe_id": "CWE-639",
          "name": "Authorization Bypass Through User-Controlled Key"
        }
      ]
    },
    "security_vulnerability": {
      "package": {
        "ecosystem": "npm",
        "name": "url-parse"
      },
      "severity": "medium",
      "vulnerable_version_range": "< 1.5.9",
      "first_patched_version": {
        "identifier": "1.5.9"
      }
    },
    "url": "https://api.github.com/repos/xxx/yyy/dependabot/alerts/11",
    "html_url": "https://github.com/xxx/yyy/security/dependabot/11",
    "created_at": "2023-04-26T21:44:23Z",
    "updated_at": "2023-04-26T21:44:23Z",
    "dismissed_at": null,
    "dismissed_by": null,
    "dismissed_reason": null,
    "dismissed_comment": null,
    "fixed_at": null,
    "auto_dismissed_at": null
  },
  ...
]

Please note that this is still in public beta. The endpoint is subject to change, but it should be available for all accounts to use.

Scumble answered 23/5, 2023 at 7:32 Comment(1)
I've noticed that the list returned in the API differs from the list available in the Repo > Security flow in the GitHub repository UI, and that's taking into account pagination. Anyone else notice the same? – Leptospirosis
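Added example, not code from the answer above: a Python client for the REST endpoint that passes `state=open` (the Security tab URL in the question filters with `is:open`, so asking the API for the same state is the first thing to check when the two lists disagree), follows the `Link: <…>; rel="next"` pagination header, and groups the result by severity with the first patched version so it can feed a triage list. Assumptions that are mine, not the answer's: the token comes from GITHUB_TOKEN, the `get` callable is injectable so the code runs offline, and the two-page response below is constructed (alert 11 mirrors the answer's sample; alert 12 and its GHSA id are placeholders).

```python
"""Added example, not code from the answer above.

Lists open Dependabot alerts through the REST endpoint, follows Link-header
pagination, and groups alerts by severity.  Assumed, not from the answer:
token from GITHUB_TOKEN; `get` is injectable so the logic runs offline.
"""
import json
import os
import re
import urllib.parse
import urllib.request

API = "https://api.github.com"


def alerts_url(owner, repo, state="open", per_page=100):
    """First-page URL.  state=open mirrors the UI's is:open filter; without it
    the response also carries dismissed/fixed alerts (see each alert's `state`)."""
    q = urllib.parse.urlencode({"state": state, "per_page": per_page})
    return f"{API}/repos/{owner}/{repo}/dependabot/alerts?{q}"


def http_get(url, token):
    """One authenticated GET with the headers from the answer; returns (body, Link header)."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers.get("Link", "")


def next_link(link_header):
    """Extract the rel="next" URL from a GitHub Link header, or None on the last page."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return m.group(1) if m else None


def fetch_alerts(owner, repo, token, get=http_get, state="open"):
    """Walk every page and return the concatenated alert list."""
    url, alerts = alerts_url(owner, repo, state), []
    while url:
        body, link = get(url, token)
        alerts.extend(body)
        url = next_link(link)
    return alerts


def triage(alerts):
    """severity -> [(package, ghsa_id, first patched version or None)]."""
    out = {}
    for a in alerts:
        sv = a["security_vulnerability"]
        fixed = (sv.get("first_patched_version") or {}).get("identifier")
        out.setdefault(sv["severity"], []).append(
            (sv["package"]["name"], a["security_advisory"]["ghsa_id"], fixed))
    return out


def _alert(number, name, severity, ghsa, fixed):
    """Constructed alert with just the fields triage() reads."""
    return {"number": number, "state": "open",
            "security_advisory": {"ghsa_id": ghsa},
            "security_vulnerability": {
                "package": {"ecosystem": "npm", "name": name},
                "severity": severity,
                "first_patched_version": {"identifier": fixed} if fixed else None}}


# Constructed two-page response keyed by URL; page 1 carries a Link header
# pointing at page 2.  Alert 12's GHSA id is a placeholder, not a real advisory.
_PAGE2 = f"{API}/repos/xxx/yyy/dependabot/alerts?state=open&per_page=100&page=2"
FAKE_PAGES = {
    alerts_url("xxx", "yyy"): (
        [_alert(11, "url-parse", "medium", "GHSA-jf5r-8hm2-f872", "1.5.9")],
        f'<{_PAGE2}>; rel="next", <{_PAGE2}>; rel="last"'),
    _PAGE2: ([_alert(12, "example-pkg", "high", "GHSA-xxxx-xxxx-xxxx", None)], ""),
}


def fake_get(url, token):
    """Offline stand-in for http_get."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    get = http_get if token else fake_get
    print(json.dumps(triage(fetch_alerts("xxx", "yyy", token, get=get)), indent=2))
```

An alert whose `first_patched_version` is null has no upstream fix yet, which is why triage() keeps None there rather than dropping the entry: those are the alerts that need a mitigation decision instead of a version bump.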
