
Org wide Dependabot dashboard

Open sandeshRazorpay opened this issue 5 years ago • 24 comments

Is there an easy way for the security team in an organization to look at all dependabot results in one place?

From a vulnerability management perspective, it would be helpful to have a list of all open critical issues across the org, as opposed to going through each repo.

In the absence of such a feature, does anyone have a workaround? Has anyone found a way to import all Dependabot findings into a vuln mgmt platform such as Defect Dojo?

sandeshRazorpay avatar Jan 03 '21 15:01 sandeshRazorpay

Are there any API-based queries that might be able to generate a simple count of suggested and executed dependabot PRs?

mwilkes-ssc avatar Jun 16 '21 18:06 mwilkes-ssc

Not sure if this is still relevant, but this will help anyone who is still looking for the API. I found this answer on Stack Overflow: https://stackoverflow.com/questions/66356337/how-to-get-the-list-of-dependabot-alerts-via-github-api

Thanks to @bertrandmartel :D

sitraj avatar Sep 09 '21 05:09 sitraj

Dependabot is awesome!!!

It is crucial to have a dashboard that provides an org level overview with answers to the following questions:

  • Repos' Dependabot status
  • Has a vulnerable version of a certain dependency ever been committed?
  • The number of pull requests for a current vulnerable version?
  • The number of merged and pending pull requests? (+ a way to remind the contributors of the pull request)
  • Stats on the speed of addressing vulnerable packages would be awesome for KPIs

Thanks

samigt avatar Nov 08 '21 15:11 samigt

I've been looking for something like this since dependabot lost its badges (#1912 and #1960) which is what we used to use for this. The REST API @sitraj mentioned is great for security issues, but not for all other pull requests.

I'm hoping that something like #4680 gets executed so I can build a dashboard off of that...

mwaddell avatar Jan 29 '22 18:01 mwaddell

This is how I created a dashboard for Dependabot alerts: https://badshah.io/important-dependabot-feature/

Sample code: https://github.com/Chan9390/Dependabot-Dashboard

It would be great if Dependabot rolls out a native dashboard feature!

Chan9390 avatar Dec 11 '22 12:12 Chan9390

Tracking open, fixed and dismissed vulns, sliced by date, topic and vulnerability (dev/runtime), would be awesome

samigt avatar Dec 12 '22 13:12 samigt
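The org-wide roll-up asked for above (the API question earlier in the thread, the KPI list, and the open/fixed/dismissed slicing by scope and date) can be built from the REST endpoint `GET /orgs/{org}/dependabot/alerts`. The script below is an added example, not dependabot-core code or any commenter's dashboard; it assumes that endpoint and the alert field names used in the code (`state`, `created_at`, `fixed_at`, `repository.full_name`, `dependency.scope`, `security_advisory.severity`), and `SAMPLE_ALERTS` is constructed data, not pulled from a real org.

```python
"""Org-wide Dependabot alert roll-up: open counts by severity, repo and
dependency scope, all states counted, and a median days-to-fix KPI.
Added example, not dependabot-core code. Assumes GET /orgs/{org}/dependabot/alerts
and the alert field names read below; SAMPLE_ALERTS is constructed."""
import json
import re
import statistics
import urllib.request
from collections import Counter
from datetime import datetime, timezone

API = "https://api.github.com"


def alerts_request(org, token, state=None, per_page=100, url=None):
    """Build one page request; `url` carries the Link rel="next" URL on later pages."""
    if url is None:
        url = f"{API}/orgs/{org}/dependabot/alerts?per_page={per_page}"
        if state:  # e.g. "open" or a comma-separated list such as "open,fixed,dismissed"
            url += f"&state={state}"
    return urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })


def next_link(link_header):
    """Return the rel="next" URL from GitHub's pagination Link header, if any."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return m.group(1) if m else None


def fetch_all_alerts(org, token, state=None, opener=urllib.request.urlopen):
    """Follow pagination until the Link header has no rel="next"."""
    alerts, url = [], None
    while True:
        with opener(alerts_request(org, token, state, url=url)) as resp:
            alerts.extend(json.loads(resp.read()))
            url = next_link(resp.headers.get("Link"))
        if not url:
            return alerts


def _ts(s):
    # GitHub timestamps look like 2024-01-01T00:00:00Z; make them tz-aware.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def summarize(alerts, now=None):
    """Roll alerts up the way an org dashboard would: counts per state, open
    alerts sliced by severity / repo / scope (development vs runtime), open
    criticals listed oldest-first, and median days from alert to fix."""
    now = now or datetime.now(timezone.utc)
    out = {"by_state": Counter(), "open_by_severity": Counter(),
           "open_by_repo": Counter(), "open_by_scope": Counter(),
           "open_critical": [], "median_days_to_fix": None}
    fix_days = []
    for a in alerts:
        created = _ts(a["created_at"])
        out["by_state"][a["state"]] += 1
        if a["state"] == "open":
            sev = a["security_advisory"]["severity"]
            repo = a["repository"]["full_name"]
            out["open_by_severity"][sev] += 1
            out["open_by_repo"][repo] += 1
            out["open_by_scope"][a["dependency"].get("scope") or "unknown"] += 1
            if sev == "critical":
                out["open_critical"].append({
                    "repo": repo, "package": a["dependency"]["package"]["name"],
                    "age_days": (now - created).days, "url": a["html_url"]})
        elif a["state"] == "fixed" and a.get("fixed_at"):
            fix_days.append((_ts(a["fixed_at"]) - created).days)
    out["open_critical"].sort(key=lambda c: -c["age_days"])
    if fix_days:
        out["median_days_to_fix"] = statistics.median(fix_days)
    return out


def _alert(repo, pkg, eco, sev, state, scope, created, fixed=None):
    """Constructed alert carrying only the API fields summarize() reads."""
    return {"state": state, "created_at": created, "fixed_at": fixed,
            "html_url": f"https://github.com/{repo}/security/dependabot/1",
            "repository": {"full_name": repo},
            "dependency": {"package": {"ecosystem": eco, "name": pkg}, "scope": scope},
            "security_advisory": {"severity": sev}}


SAMPLE_ALERTS = [  # constructed sample data, not a real org's alerts
    _alert("acme/api", "lodash", "npm", "critical", "open", "runtime", "2024-01-01T00:00:00Z"),
    _alert("acme/web", "rack", "rubygems", "high", "open", "development", "2024-02-10T00:00:00Z"),
    _alert("acme/api", "pyyaml", "pip", "critical", "fixed", "runtime", "2024-01-05T00:00:00Z", "2024-01-15T00:00:00Z"),
    _alert("acme/infra", "requests", "pip", "critical", "fixed", "runtime", "2024-02-01T00:00:00Z", "2024-02-21T00:00:00Z"),
    _alert("acme/web", "minimist", "npm", "medium", "dismissed", "development", "2024-03-01T00:00:00Z"),
]
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "now" so ages are reproducible

if __name__ == "__main__":
    # Live use: summarize(fetch_all_alerts("acme", os.environ["GITHUB_TOKEN"]))
    print(json.dumps(summarize(SAMPLE_ALERTS, now=SAMPLE_NOW), indent=2))
```

The token needs read access to Dependabot alerts for the org (at the time of writing, the caller must be an org owner or security manager), and `fetch_all_alerts` without a `state` filter returns every state so that fixed and dismissed alerts feed the KPI. Because the summary is plain dicts, it drops straight into whatever metrics sink is already in use (the thread mentions DataDog and Defect Dojo).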

To clarify, is this feature request about "open Dependabot PRs" or "open Dependabot security alerts"?

PRs can be generated from security alerts, but can also, of course, be configured for general version updates.

jeffwidman avatar Jan 30 '23 16:01 jeffwidman

IMO any dashboard would help track both Dependabot PRs and security alerts.

lorengordon avatar Jan 30 '23 22:01 lorengordon

👋 are you GitHub Enterprise users? I think what you're looking for currently exists with the Security Overview. It aggregates alerts at the org-level and enterprise-level, and we're also starting to beta roll-up metrics. That's in private beta but happy to add you if you'd like.

erinhav avatar Feb 11 '23 01:02 erinhav

Thanks @erinhav.

I'm going to close as this has effectively been shipped/resolved, although it's part of one of our paid products so not available to all orgs. I expect over time we'll continue to invest in improving that... for example the beta mentioned above.

jeffwidman avatar Feb 11 '23 06:02 jeffwidman

@jeffwidman @erinhav Is there another feature request for something focused on a dashboard providing org-wide visibility into Dependabot updates and configs? I'm thinking of something like the original Dependabot had, where you could see all your projects in one place, see their configs, see results of update runs, open Dependabot PRs, schedules, trigger updates, etc. Even test out new Dependabot configs to check validity and propose a PR with the change (I'd highly suggest checking out the Mergify config-validator for something close to best-in-class). Right now, that doesn't really exist at all. The closest is the ability to trigger an update, but it's all spread across every repo, under the {repo}/network/updates path.

lorengordon avatar Feb 11 '23 16:02 lorengordon

That is a reasonable request. I'm not convinced this issue tracker is the best place to track that, but I'm also not sure where to redirect you towards so for now I'll reopen so we don't lose track...

jeffwidman avatar Feb 11 '23 16:02 jeffwidman

This new API is tangentially related to this issue:

  • https://github.blog/changelog/2023-07-11-update-and-show-status-of-dependabot-security-updates-in-api/

Although it doesn't directly address this issue, I suspect it's still useful to some of the folks subscribed to it.

jeffwidman avatar Aug 07 '23 19:08 jeffwidman

👋 Hello! Product Manager for Dependabot here. I’m currently doing research into adding/improving configuration for security updates, and am looking for user input. This issue is similar to things I’m thinking about, so if you’re subscribed to this and you’re open to a short conversation with me, please feel free to select a time in my calendar that fits your schedule here: https://calendar.app.google/7RSxjJJo9FdvRHNz7

carogalvin avatar Aug 09 '23 19:08 carogalvin

Hello, Product Manager for Dependabot!

I'd like the same dashboard as what RenovateBot has! :)

Currently Dependabot has quite a bit of "hidden state" in my opinion, which is undesirable.

torokati44 avatar Apr 04 '24 15:04 torokati44

Oh, there is a repo-wide dashboard here: https://github.com/[org]/[repo]/network/updates

Never mind then! A link or two to it would make it more discoverable though...

torokati44 avatar Apr 04 '24 17:04 torokati44

Hi,

I know Dependabot currently provides an option to see open Security Advisories for a particular GitHub repository. I also know it's possible to group them per ecosystem (for example Ruby Bundler, JavaScript, etc.).

For us however, it would be super beneficial to group open Security Advisories per teams within Github.

For context - we are currently looking into improving our Operational Excellence and want to have a generic dashboard within DataDog, that includes open security vulnerabilities. We want to have those operational excellence dashboards per team, with their own business metrics but also having some generic bits all teams should have - like open Security Advisories being one of them.

Having a link for example like this, that we could put into our DataDog dashboard:

https://github.com/[organisation]/[team]/security/dependabot

with a list of open Dependabot issues grouped per team in Github, would be greatly beneficial!

alekgosk avatar May 31 '24 09:05 alekgosk

Feel free to reach out to @carlincherry if you want to try out a private preview

abdulapopoola avatar May 10 '25 16:05 abdulapopoola

@abdulapopoola I tried reaching out via LinkedIn and got no response. Is there any other way to contact Carlin?

alekgosk avatar May 13 '25 07:05 alekgosk

Hi @alekgosk! A couple of screening questions:

  • Is the company you work for part of GHAS (GitHub Advanced Security) or open source?
  • What's the organization name?

Feel free to email if any of this is sensitive information. [email protected]

carlincherry avatar May 14 '25 23:05 carlincherry