Workaround for GitHub API to retrieve dependabot alerts per branch
I think knowing which vulnerabilities we have/ship in our dependencies in our stable branches is very important. But currently GitHub does not support non-default branches with their Dependabot alerts.
So, time to make the impossible possible ;)
- This PR is waiting for https://github.com/scalacenter/sbt-dependency-submission/pull/249
If you have a repo that hosts a package ecosystem that is supported by GitHub's dependency graph API (like node or maven), GitHub (can) automatically scan a repo's manifest file(s) and create a dependency tree and Dependabot alerts from that. The current problem is that only the default branch of a repo is currently supported. There is no way to make GitHub scan a non-default branch (e.g. in our case that would be the stable 3.0.x and 2.9.x branches).
Further, GitHub does not support Scala (sbt) projects out of the box, so that's why sbt-dependency-submission exists. We have workflows set up with that action in the 2.9.x and 3.0.x branches. However, currently, they are useless. They do not submit anything to GitHub; GitHub just ignores the JSON it generates. That means the alerts we see at https://github.com/playframework/playframework/security/dependabot only cover the main branch.
However, how do we see if there is a vulnerability in a dependency in the 3.0.x branch? And how could we distinguish the branches in the "Dependabot alerts" page referenced above? After a lot of research into how the GitHub dependency submission API works, I am pretty sure it's possible to make the GitHub API do what we want. Please take a look at https://github.com/scalacenter/sbt-dependency-submission/pull/249 where I also posted a screenshot.
News from GitHub: https://github.blog/changelog/2025-03-26-transitive-dependencies-are-now-available-for-maven/ But I don't think this changes anything; I will check some day.
Also, I actually have an idea for another workaround... but I'm not working on it now.
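To make the dependency submission API discussion above concrete, here is an added example (not code from sbt-dependency-submission or this PR) that builds the snapshot body GitHub's `POST /repos/{owner}/{repo}/dependency-graph/snapshots` endpoint expects, tagged with the branch (`ref`) and commit (`sha`) it was resolved for. The dependency list, detector name and job id are constructed sample values.

```python
"""Build a GitHub Dependency Submission API snapshot for a specific branch."""
import json
from datetime import datetime, timezone

# Constructed sample of resolved dependencies (name -> package URL).
# Illustrative values only, not the project's real dependency tree.
SAMPLE_DEPS = {
    "org.scala-lang:scala-library": "pkg:maven/org.scala-lang/scala-library@2.13.14",
    "com.typesafe.akka:akka-actor_2.13": "pkg:maven/com.typesafe.akka/akka-actor_2.13@2.6.21",
}


def build_snapshot(owner, repo, branch, sha, deps, job_id="1", run_url=None):
    """Return the JSON body for the dependency-graph/snapshots endpoint.

    `ref` names the branch the snapshot belongs to and `sha` the commit it was
    resolved at; the `correlator` is what lets you tell snapshots of different
    branches apart in the stored dependency graph. As the discussion above
    notes, GitHub currently raises Dependabot alerts only from the default
    branch, so a snapshot for refs/heads/3.0.x is stored but not alerted on.
    """
    if not sha or len(sha) != 40:
        raise ValueError("sha must be the full 40-character commit id")
    resolved = {
        name: {"package_url": purl, "relationship": "direct",
               "scope": "runtime", "dependencies": []}
        for name, purl in deps.items()
    }
    return {
        "version": 0,
        "job": {"id": job_id, "correlator": f"sbt-snapshot-{branch}",
                "html_url": run_url or f"https://github.com/{owner}/{repo}/actions"},
        "sha": sha,
        "ref": f"refs/heads/{branch}",
        # Hypothetical detector identity; a real submitter names itself here.
        "detector": {"name": "example-detector", "version": "0.0.1",
                     "url": "https://example.invalid/detector"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {
            "build.sbt": {"name": "build.sbt",
                          "file": {"source_location": "build.sbt"},
                          "resolved": resolved},
        },
    }


if __name__ == "__main__":
    snap = build_snapshot("playframework", "playframework", "3.0.x", "0" * 40, SAMPLE_DEPS)
    print(json.dumps(snap, indent=2))
```

The returned dict is what you would send with an `Authorization: Bearer <token>` header to the snapshots endpoint; a `201` response confirms the snapshot was stored for that `ref`.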