Org wide Dependabot dashboard

[sandeshRazorpay]

Is there an easy way for the security team in an organization to look at all dependabot results in one place?

From a vulnerability management perspective, it would be helpful to have a list of all open critical issues across the org, as opposed to going through each repo.

In the absence of such a feature, does anyone have a workaround? Has anyone found a way to import all Dependabot findings into a vuln mgmt platform such as Defect Dojo?

[mwilkes-ssc]

Are there any API-based queries that might be able to generate a simple count of suggested and executed dependabot PRs?

[sitraj]

Not sure if this is still relevant, but this will help for someone who is still looking for API. I found this answer on stackoverflow. https://stackoverflow.com/questions/66356337/how-to-get-the-list-of-dependabot-alerts-via-github-api

Thanks to @bertrandmartel :D

[samigt]

Dependabot is awesome !!!

It is crucial to have a dashboard that provides an org level overview with answers to the following questions:

• Repos dependabot status
• Was ever a vulnerable version of a certain dependency been committed ?
• The number of pull requests for a current vulnerable version ?
• The number of the merged and pending pull requests ? ( + a way to remind the contributors of the pull request )
• Stats on the speed of addressing vulnerable packages would be awesome for KPIs

Thanks

[mwaddell]

I've been looking for something like this since dependabot lost its badges (#1912 and #1960) which is what we used to use for this. The REST API @sitraj mentioned is great for security issues, but not for all other pull requests.

I'm hoping that something like #4680 gets executed so I can build a dashboard off of that...

[Chan9390]

This is how I created a dashboard for Dependabot alerts: https://badshah.io/important-dependabot-feature/

Sample code: https://github.com/Chan9390/Dependabot-Dashboard

It would be great if Dependabot rolls out a native dashboard feature!

[samigt]

Tracking open, fixed and dismissed vulns slicing by date, topic, vulnerability (dev/runtime) would be awesome

[jeffwidman]

To clarify, is this feature request about "open Dependabot PR's" or "open Dependabot security alerts"??

PR's can be generated from security alerts, but can also of course be configured for general version updates.

[lorengordon]

IMO any dashboard would help track both Dependabot PRs and security alerts.

[erinhav]

👋 are you GitHub Enterprise users? I think what you're looking for currently exists with the Security Overview. It aggregates alerts at the org-level and enterprise-level, and we're also starting to beta roll-up metrics. That's in private beta but happy to add you if you'd like.

[jeffwidman]

Thanks @erinhav.

I'm going to close as this has effectively been shipped/resolved, although it's part of one of our paid products so not available to all orgs. I expect over time we'll continue to invest in improving that... for example the beta mentioned above.

[lorengordon]

@jeffwidman @erinhav Is there another feature request for something focused on a dashboard providing org-wide visibility to Dependabot updates and configs? I'm thinking something like the original Dependabot had, where you could see all your projects in one place, see their configs, see results of update runs, open dependabot prs, schedules, trigger updates, etc. Even test out new dependabot configs to check validity and propose a pr with the change (I'd highly suggest checking out the Mergify config-validator for something close to best-in-class). Right now, that doesn't really exist at all. Closest is the ability to trigger an update, but it's all spread across every repo, under the {repo}/network/updates path.