Github Dependabot
  • 13 Oct 2024
  • 3 Minutes to read

Dependabot alerts tell you when your code depends on a package that is insecure. Often, software is built using open-source code packages from a large variety of sources. The complex relationships between these dependencies, and the ease with which malicious actors can insert malware into upstream code, mean that you may unknowingly be using dependencies that have security flaws, also known as vulnerabilities.

GitHub sends Dependabot alerts when it detects that your repository uses a vulnerable dependency.

Integration Method: API

Tables: Vulnerability Finding

Platform Compatibility

This integration has been tested against the Github API version 2022-11-28.

Integration

DataBee connects to Github Dependabot to collect vulnerability finding information. To do so, the DataBee platform needs to call the Github Dependabot alerts API. The API endpoint and an example response are shown below.
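As an added example (not DataBee's or GitHub's own code), the following Python script does what the integration does behind the form: it calls the organization-level Dependabot alerts endpoint with a fine-grained token, follows the Link-header pagination, and flattens each alert into the fields a vulnerability finding needs. It assumes the endpoint GET /orgs/{org}/dependabot/alerts, a token with read access to Dependabot alerts, and API version 2022-11-28 (the version the article says was tested); the SAMPLE_ALERTS data is constructed, not a real API response.

```python
"""Fetch GitHub Dependabot alerts for an organization and map each alert to a
vulnerability-finding record.

Added example for this article; not DataBee's or GitHub's own code.
Assumed: GET /orgs/{org}/dependabot/alerts, called with a fine-grained
personal access token that has read access to "Dependabot alerts", API
version 2022-11-28. SAMPLE_ALERTS is constructed, not a real API response.
"""
import json
import re
import urllib.request
from typing import Optional

API_BASE = "https://api.github.com"
API_VERSION = "2022-11-28"  # version the article says the integration was tested against


def looks_like_fine_grained_pat(token: str) -> bool:
    """Fine-grained PATs carry the github_pat_ prefix (classic tokens use ghp_).
    A quick sanity check before pasting the token into the DataBee form."""
    return token.startswith("github_pat_")


def build_request(org: str, token: str, url: Optional[str] = None) -> urllib.request.Request:
    """Build the alerts request; <org> is substituted the same way the DataBee
    API URL field expects. `url` overrides the URL for follow-up pages."""
    if url is None:
        url = f"{API_BASE}/orgs/{org}/dependabot/alerts?state=open&per_page=100"
    return urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": API_VERSION,
    })


def next_page_url(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    if not link_header:
        return None
    match = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return match.group(1) if match else None


def fetch_all_alerts(org: str, token: str) -> list:
    """Walk every page of open alerts. Needs network access; not run offline."""
    alerts, url = [], None
    while True:
        with urllib.request.urlopen(build_request(org, token, url)) as resp:
            alerts.extend(json.load(resp))
            url = next_page_url(resp.headers.get("Link"))
        if url is None:
            return alerts


def to_finding(alert: dict) -> dict:
    """Flatten one alert into the fields a vulnerability-finding table needs."""
    advisory = alert["security_advisory"]
    vuln = alert["security_vulnerability"]
    package = alert["dependency"]["package"]
    patched = vuln.get("first_patched_version")  # None when no fix is published yet
    return {
        "alert_number": alert["number"],
        "state": alert["state"],
        "severity": advisory["severity"],
        "ghsa_id": advisory["ghsa_id"],
        "cve_id": advisory.get("cve_id"),
        "ecosystem": package["ecosystem"],
        "package": package["name"],
        "manifest_path": alert["dependency"].get("manifest_path"),
        "vulnerable_range": vuln["vulnerable_version_range"],
        "fixed_version": patched["identifier"] if patched else None,
        "first_seen": alert["created_at"],
        "url": alert["html_url"],
    }


def count_by_severity(alerts: list) -> dict:
    """Severity histogram, a useful first triage view of the feed."""
    counts: dict = {}
    for alert in alerts:
        sev = alert["security_advisory"]["severity"]
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample alerts in the shape of the API's response; ids are placeholders.
SAMPLE_ALERTS = [
    {
        "number": 7, "state": "open",
        "dependency": {"package": {"ecosystem": "npm", "name": "example-lib"},
                       "manifest_path": "package-lock.json"},
        "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxxx", "cve_id": None,
                              "severity": "high", "summary": "Constructed sample advisory"},
        "security_vulnerability": {"vulnerable_version_range": "< 1.2.3",
                                   "first_patched_version": {"identifier": "1.2.3"}},
        "created_at": "2024-10-01T00:00:00Z",
        "html_url": "https://github.com/example-org/example-repo/security/dependabot/7",
    },
    {
        "number": 8, "state": "open",
        "dependency": {"package": {"ecosystem": "pip", "name": "example-pkg"},
                       "manifest_path": "requirements.txt"},
        "security_advisory": {"ghsa_id": "GHSA-yyyy-yyyy-yyyy", "cve_id": "CVE-0000-00000",
                              "severity": "critical", "summary": "Constructed sample, no fix yet"},
        "security_vulnerability": {"vulnerable_version_range": ">= 2.0.0",
                                   "first_patched_version": None},
        "created_at": "2024-10-05T00:00:00Z",
        "html_url": "https://github.com/example-org/example-repo/security/dependabot/8",
    },
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(json.dumps(to_finding(alert), indent=2))
    print(count_by_severity(SAMPLE_ALERTS))
```

To run it against a live organization, call `fetch_all_alerts("<org>", token)` with the token generated in the steps below; the `state=open` filter mirrors what a finding table usually wants, and a `fixed_version` of `None` is the signal that the only available mitigation is removing or replacing the package.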

Github Dependabot Configuration

  1. Log in to your Github account.

  2. In the upper-right corner of any page on GitHub, click your profile photo, then click Settings.

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, under Personal access tokens, click Fine-grained tokens.

  5. Click Generate new token.

  6. Under Token name, enter a name for the token.

  7. Under Expiration, select an expiration for the token. Choose an expiry long enough that the integration does not stop working, and note the date so the token can be renewed before it lapses.

  8. Optionally, under Description, add a note to describe the purpose of the token.

  9. Under Resource owner, select a resource owner. The token will only be able to access resources owned by the selected resource owner. Organizations that you are a member of will not appear unless the organization opted in to fine-grained personal access tokens. For more information, see "Setting a personal access token policy for your organization."

  10. Optionally, if the resource owner is an organization that requires approval for fine-grained personal access tokens, enter a justification for the request in the box below the resource owner.

  11. Under Repository access, select which repositories you want the token to access. You should choose the minimal repository access that meets your needs. Tokens always include read-only access to all public repositories on GitHub.

  12. If you selected Only select repositories in the previous step, under the Selected repositories dropdown, select the repositories that you want the token to access.

  13. Under Permissions, select which permissions to grant the token. Depending on which resource owner and which repository access you specified, there are repository, organization, and account permissions. You should choose the minimal permissions necessary for your needs.

  14. Ensure the Dependabot alerts permission is enabled as read-only or above.

  15. The REST API reference document for each endpoint states whether the endpoint works with fine-grained personal access tokens and what permissions the token needs in order to use the endpoint. Some endpoints may require multiple permissions, and some endpoints may require one of several permissions. For an overview of which REST API endpoints a fine-grained personal access token can access with each permission, see "Permissions required for fine-grained personal access tokens."

  16. Click Generate token and copy the generated API token for later use.

  17. If you selected an organization as the resource owner and the organization requires approval for fine-grained personal access tokens, your token will be marked as pending until it is reviewed by an organization administrator. Your token will only be able to read public resources until it is approved. If you are an owner of the organization, your request is automatically approved. For more information, see "Reviewing and revoking personal access tokens in your organization."

DataBee Configuration

  1. Click the Add New Data Source button in the Data tab.

  2. Search for the Github Dependabot option using the search bar on the Add New Data Source page.

  3. Select the API Ingest option and enter the appropriate details in the Configure Data source form, then click the Next button.

  4. Select the “Bearer Token” option from the Authorization Method dropdown.

  5. In the Token input box, provide the API token that you created in the Github Dependabot Configuration steps above.

  6. Replace <org> in the API URL(s) input box with your Github organization name.
