Dependabot: How to Split Security Alerts by Teams in Monorepos #134758
Replies: 3 comments
-
🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as
2️⃣ Provide More Information: Share additional details or context, or let the community know if you've found a solution on your own.
3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the

Thank you for helping bring this Discussion to a resolution! 💬
-
To effectively split the alerts from the Gradle and npm ecosystems between the two teams in your mono-repo setup, you can leverage GitHub's code ownership feature more granularly. Here's how to approach it:

1. Define Code Owners for Each Directory: Ensure that you have a .github/CODEOWNERS file that explicitly assigns code ownership for the respective directories. For example:

   /project-1/ @org/team-1

2. Use Reviewers in Dependabot Config: You have already specified reviewers in your Dependabot configuration. This will help route the pull requests generated from the alerts to the correct team for review, ensuring they are notified about relevant updates.

3. Check Alert Filtering: Make sure that the alert dashboard is set to properly filter by code owners. Alerts should then display based on the ownership defined in the CODEOWNERS file, allowing each team to see only the alerts relevant to their respective ecosystem.

By clearly defining code ownership and leveraging GitHub's built-in filtering, each team can focus on the alerts that matter most to them without the need to restructure your repository.
-
Topic area: Question
Hello,
We have a mono-repo-like project where different modules are built with different tooling of choice, and the Dependabot configuration reflects that as follows:
Both teams have code ownership of the repository. When we view the alert dashboard under https://github.com/orgs/<ORG>/security/overview, the alerts from both ecosystems are attributed to both of the teams. Let's say we have 2 alerts from the gradle ecosystem and 3 from npm. When we filter by team: team-1, 5 alerts are reported for the repository. Such is also the case for the second team. How can we make this split for the two teams so that one only gets gradle alerts and the other one only gets npm alerts, without breaking up the repository?
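The question describes an organization security overview that counts every alert in the repository for every team with access to it (2 gradle + 3 npm = 5 per team), and the answer proposes attributing alerts by CODEOWNERS paths instead. The following is an added example, not code from the discussion or from GitHub, that performs that attribution client-side: it parses a CODEOWNERS file and buckets Dependabot alerts by the team that owns each alert's manifest path. The directory names /project-1 and /project-2, the team handles @org/team-1 and @org/team-2, and the alert payloads are all constructed for illustration; the payloads are shaped like the Dependabot alerts REST API response (GET /repos/{owner}/{repo}/dependabot/alerts), which is where a real run would fetch them, and the CODEOWNERS matcher is a simplified one that handles anchored directory prefixes, anchored file paths and basename globs rather than the full gitignore-style syntax.

```python
"""Attribute Dependabot alerts to teams via CODEOWNERS path ownership.

Added example (not the discussion's or GitHub's code). The org security
overview's team filter counts every alert in a repository for every team
that can see the repository; here each alert's dependency.manifest_path
(a field in the Dependabot alerts REST API payload) is matched against
CODEOWNERS rules so a team only sees alerts under paths it owns.
"""
import json
from collections import Counter, defaultdict
from fnmatch import fnmatch

# Constructed CODEOWNERS content; directory names and team handles are assumptions.
CODEOWNERS = """\
# gradle modules
/project-1/ @org/team-1
# npm modules
/project-2/ @org/team-2
"""

# Constructed alerts mirroring the API shape (number, state, dependency.*).
# Gradle manifests surface under the "maven" package ecosystem in alert payloads.
SAMPLE_ALERTS = json.loads("""[
 {"number": 1, "state": "open",
  "dependency": {"package": {"ecosystem": "maven", "name": "example-lib-a"},
                 "manifest_path": "project-1/build.gradle"}},
 {"number": 2, "state": "open",
  "dependency": {"package": {"ecosystem": "maven", "name": "example-lib-b"},
                 "manifest_path": "project-1/build.gradle"}},
 {"number": 3, "state": "dismissed",
  "dependency": {"package": {"ecosystem": "maven", "name": "example-lib-c"},
                 "manifest_path": "project-1/build.gradle"}},
 {"number": 4, "state": "open",
  "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg-a"},
                 "manifest_path": "project-2/package-lock.json"}},
 {"number": 5, "state": "open",
  "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg-b"},
                 "manifest_path": "project-2/package-lock.json"}},
 {"number": 6, "state": "open",
  "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg-c"},
                 "manifest_path": "project-2/frontend/package.json"}},
 {"number": 7, "state": "open",
  "dependency": {"package": {"ecosystem": "npm", "name": "example-tool"},
                 "manifest_path": "package.json"}}
]""")


def parse_codeowners(text):
    """Return [(pattern, [owners])] in file order; comments and blank lines skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def owners_for(path, rules):
    """Owners of a repo-relative path; the last matching rule wins, as on GitHub.

    Simplified matcher: "/dir/" is an anchored directory prefix, "/file" is an
    anchored path glob, and a pattern without a leading slash is matched
    against the basename only. fnmatch's "*" also crosses "/", unlike gitignore.
    """
    path = "/" + path.lstrip("/")
    matched = []
    for pattern, owners in rules:
        if pattern.endswith("/"):
            hit = path.startswith(pattern)
        elif pattern.startswith("/"):
            hit = fnmatch(path, pattern)
        else:
            hit = fnmatch(path.rsplit("/", 1)[-1], pattern)
        if hit:
            matched = owners
    return matched


def alerts_by_team(alerts, rules):
    """Count open alerts per owning team and package ecosystem.

    Returns {team: {ecosystem: count}}; alerts whose manifest path matches no
    CODEOWNERS rule are reported under "(unowned)" so they are not silently lost.
    """
    counts = defaultdict(Counter)
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        dep = alert["dependency"]
        owners = owners_for(dep["manifest_path"], rules) or ["(unowned)"]
        for owner in owners:
            counts[owner][dep["package"]["ecosystem"]] += 1
    return {team: dict(c) for team, c in counts.items()}


if __name__ == "__main__":
    for team, per_eco in alerts_by_team(SAMPLE_ALERTS, parse_codeowners(CODEOWNERS)).items():
        print(team, per_eco)
```

Run against real data, the alerts list would come from the REST endpoint above (paginated, with `state=open` to skip the filtering the function does locally); the per-team dictionary is what each team's view should contain. The dismissed alert is excluded, and the root-level package.json alert lands in "(unowned)", which is the case a CODEOWNERS-based split will otherwise hide: a path nobody owns belongs to nobody's queue.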