- Регистрация
- 09.02.2010
- Сообщения
- 270
- Реакции
- 41
- Баллы
- 28
- Native language | Родной язык
- English
Over the past few months, we’ve made a number of
In this context, we’ve defined a false positive alert as one that is unlikely to be exploitable and may only have limited effects, such as long-running builds or tests. But what’s the most responsible way to identify a false positive? Senior Product Manager, Erin Havens, explains GitHub’s unique approach:
Today’s public beta release targets a commonly-cited source of false positives: npm devDependencies. Dependabot now assesses incoming alerts against a set of GitHub-curated rules that take into account how you’re using an npm devDependency, and the level of risk it may pose to your repository. “In ecosystems with lots of dependencies like npm, false positives can cascade through a project, burdening developers with needless noise,” explains Harry Marr, Senior Director of Software Engineering for GitHub supply chain security.
Dependabot’s auto dismissal function is enabled by default for public repositories and can be enabled by administrators of private repositories on the Code Security page. When enabled, Dependabot will automatically dismiss false positive alerts and let you know via a special timeline event, supported in the audit log, webhook, REST, GraphQL, and alert-centric views. You can review auto-dismissed alerts with the
This first application of alert rules for Dependabot addresses a common pain point for npm developers, with support for additional ecosystems coming soon. Please join us in the
You do not have permission to view link please Вход or Регистрация
that make Dependabot smarter, quieter, and easier to work with, from
You do not have permission to view link please Вход or Регистрация
to making
You do not have permission to view link please Вход or Регистрация
. Today, we’re addressing the alert fatigue problem with a new allow auto-dismissal function in Dependabot that safely reduces the volume of false positive alerts that can overwhelm developers and distract from legitimate vulnerabilities.In this context, we’ve defined a false positive alert as one that is unlikely to be exploitable and may only have limited effects, such as long-running builds or tests. But what’s the most responsible way to identify a false positive? Senior Product Manager, Erin Havens, explains GitHub’s unique approach:
Today’s public beta release targets a commonly-cited source of false positives: npm devDependencies. Dependabot now assesses incoming alerts against a set of GitHub-curated rules that take into account how you’re using an npm devDependency, and the level of risk it may pose to your repository. “In ecosystems with lots of dependencies like npm, false positives can cascade through a project, burdening developers with needless noise,” explains Harry Marr, Senior Director of Software Engineering for GitHub supply chain security.
How it works
Dependabot’s auto dismissal function is enabled by default for public repositories and can be enabled by administrators of private repositories on the Code Security page. When enabled, Dependabot will automatically dismiss false positive alerts and let you know via a special timeline event, supported in the audit log, webhook, REST, GraphQL, and alert-centric views. You can review auto-dismissed alerts with the
resolution:auto-dismissed filter:
What’s next?
This first application of alert rules for Dependabot addresses a common pain point for npm developers, with support for additional ecosystems coming soon. Please join us in the
You do not have permission to view link please Вход or Регистрация
to share your feedback and ideas on how Dependabot can work better for you and other developers.Learn more about alert rules
-
You do not have permission to view link please Вход or Регистрация
-
You do not have permission to view link please Вход or Регистрация
-
You do not have permission to view link please Вход or Регистрация
