API users can now integrate with a new dependabot_alert
webhook, which matches the naming and structure of the recently introduced Dependabot alerts REST API. You should use this webhook in place of the existing repository_vulnerability_alert
.
What's new
Improvements with the new webhook include:
- More informative payload, including state and scope of the dependency, dismissal comments, and helpful information about a vulnerability (e.g. CVE ID, summary, description, CWEs, and reference URL).
- Support for GitHub Apps with the Dependabot alerts
read
permission. - Actions on an alert now include the full set of
created
,dismissed
,reopened
,fixed
, orreintroduced
. See below for descriptions:
Action | Action definition |
---|---|
created |
github has opened the Dependabot alert |
dismissed |
GitHub user dismissed the alert with dismissed_reason and an optional dismissed_comment |
reopened |
GitHub user manually reopened the previously-dismissed alert |
fixed |
github detected the Dependabot alert is resolved |
reintroduced |
github reopened the previously-fixed alert |
Deprecation notice
The repository_vulnerability_alert
webhook is being deprecated. In 2023, we plan to remove the existing repository_vulnerability_alert
webhook, which is superseded by the dependabot_alert
webhook. We will give integrators at least 3 months notice of this removal — keep an eye on the GitHub Changelog in 2023 for more information.
Learn more about the Dependabot alerts webhook in our documentation.