Skip to content

Commit

Permalink
Remove references to redundant versions part 7 (Dependabot) (#52367)
Browse files Browse the repository at this point in the history
  • Loading branch information
felicitymay authored Sep 22, 2024
1 parent e163e23 commit 48c57ec
Show file tree
Hide file tree
Showing 9 changed files with 10 additions and 22 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -42,19 +42,17 @@ You can also audit actions taken in response to {% data variables.product.prodna

## Prioritizing {% data variables.product.prodname_dependabot_alerts %}

{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. {% ifversion dependabot-most-important-sort-option %} By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.
{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.
{% ifversion dependabot-auto-triage-rules %}
You can also use {% data variables.dependabot.auto_triage_rules %} to prioritize {% data variables.product.prodname_dependabot_alerts %}. For more information, see “[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).”
{% endif %}

{% data reusables.dependabot.dependabot-alerts-filters %}

In addition to the filters available via the search bar, you can sort and filter {% data variables.product.prodname_dependabot_alerts %} using the dropdown menus at the top of the alert list. {% ifversion dependabot-filter-label-security-advisory %}Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.{% endif %}
In addition to the filters available via the search bar, you can sort and filter {% data variables.product.prodname_dependabot_alerts %} using the dropdown menus at the top of the alert list. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.

The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for `yaml.load() API could execute arbitrary code` will return {% data variables.product.prodname_dependabot_alerts %} linked to "[PyYAML insecurely deserializes YAML strings leading to arbitrary code execution](https://github.com/advisories/GHSA-rprw-h62v-c2w7)" as the search string appears in the advisory description.

{% endif %}

![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png)

## Supported ecosystems and manifests for dependency scope
Expand Down Expand Up @@ -109,15 +107,13 @@ For more information, see "[Reviewing and fixing alerts](#reviewing-and-fixing-a
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-dependabot-alerts %}
1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. {% ifversion dependabot-filter-label-security-advisory %}Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.{% endif %} For more information about filtering and sorting alerts, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts)."
1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. For more information about filtering and sorting alerts, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts)."

![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png)
1. Click the alert that you would like to view.
{% ifversion dependabot-filter-label-security-advisory %}
1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."

![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png)
{% endif %}

## Reviewing and fixing alerts

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1193,8 +1193,6 @@ registries:

{% endraw %}

{% ifversion dependabot-hex-self-hosted-support %}

### `hex-repository`

The `hex-repository` type supports an authentication key.
Expand All @@ -1215,7 +1213,7 @@ registries:
public-key-fingerprint: ${{secrets.MY_PUBLIC_KEY_FINGERPRINT}}
```

{% endraw %}{% endif %}
{% endraw %}

### `maven-repository`

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,7 @@ shortTitle: Configure access to private registries

In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication.

{% ifversion dependabot-private-registries %}
For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries)."
{% endif %}

{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners)."{% endif %}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -684,7 +684,7 @@ If you are restricting which IPs can reach your Nexus host, you need to add the
* "3.217.93.44/32"
For more information, see [Securing Nexus Repository Manager](https://help.sonatype.com/repomanager3/planning-your-implementation/securing-nexus-repository-manager) in the Sonatype documentation.

Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry.{% ifversion dependabot-private-registries %} However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see "[Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm)" in the Sonatype documentation, and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries)."{% endif %}
Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see "[Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm)" in the Sonatype documentation, and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries)."

### ProGet

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@ title: Removing Dependabot access to public registries
intro: 'Examples of how you can configure {% data variables.product.prodname_dependabot %} to only access private registries by removing calls to public registries.'
permissions: 'People with write permissions to a repository can configure {% data variables.product.prodname_dependabot %} for the repository.'
versions:
feature: dependabot-private-registries
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Dependabot
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -63,16 +63,12 @@ You can also integrate webhook payloads into other tools you use to monitor and

You can use the API to list and interact with security alerts, for example, getting the most recent information about updates or dismissals of an alert. You can also use the API to make additional updates to the alert or to automate follow-up actions, such as creating a new issue for each alert that needs further action. Only the current status of an alert is reported by the API.

{% ifversion dependabot-alerts-rest-api %}

### {% data variables.product.prodname_dependabot %} alerts API

You can list all {% data variables.product.prodname_dependabot %} alerts for a repository, organization, or enterprise, or use path parameters to list only alerts that meet a specific set of criteria. For example, you might only want to list {% data variables.product.prodname_dependabot %} alerts for Maven that were dismissed. Alternatively, you can get full details for an alert or update the alert.

For more information, see "[{% data variables.product.prodname_dependabot %} alerts](/rest/dependabot/alerts#about-dependabot-alerts)."

{% endif %}

### {% data variables.product.prodname_secret_scanning_caps %} alerts API

You can list all {% data variables.product.prodname_secret_scanning %} alerts for a repository, organization, or enterprise, or use path parameters to list only alerts that meet a specific set of criteria. Alternatively, you can get full details for an alert or update the alert.
Expand Down
2 changes: 1 addition & 1 deletion data/reusables/dependabot/configuration-options.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
| [`open-pull-requests-limit`](#open-pull-requests-limit) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Limit number of open pull requests for version updates |
| [`pull-request-branch-name.separator`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#pull-request-branch-nameseparator) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Change separator for pull request branch names |
| [`rebase-strategy`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Disable automatic rebasing |
| [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries) | {% octicon "x" aria-label="Not supported" %} | {% ifversion dependabot-private-registries %}{% octicon "check" aria-label="Supported" %}{% endif %} | {% octicon "check" aria-label="Supported" %} | Private registries that {% data variables.product.prodname_dependabot %} can access|
| [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Private registries that {% data variables.product.prodname_dependabot %} can access|
| [`reviewers`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Reviewers to set on pull requests |
| [`schedule.day`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleday) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Day of week to check for updates |
| [`schedule.time`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduletime) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Time of day to check for updates (hh:mm) |
Expand Down
2 changes: 0 additions & 2 deletions data/reusables/dependabot/dependabot-alerts-filters.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,4 @@ You can sort and filter {% data variables.product.prodname_dependabot_alerts %}
| `repo` | Displays alerts based on the repository they relate to</br>Note that this filter is only available for security overview. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)" | Use `repo:octocat-repo` to show alerts in the repository called `octocat-repo` |
| `scope` | Displays alerts based on the scope of the dependency they relate to | Use `scope:development` to show alerts for dependencies that are only used during development |
| `severity` | Displays alerts based on their level of severity | Use `severity:high` to show alerts with a severity of High |
| {% ifversion dependabot-most-important-sort-option %} |
| `sort` | Displays alerts according to the selected sort order | The default sorting option for alerts is `sort:most-important`, which ranks alerts by importance</br>Use `sort:newest` to show the latest alerts reported by {% data variables.product.prodname_dependabot %} |
| {% endif %} |
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,4 @@ You use the following options to specify access settings. Registry settings must
| `password` | A reference to a {% data variables.product.prodname_dependabot %} secret containing the password for the specified user. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)."</br>`password` is the password for the account specified by the username. {% data reusables.dependabot.password-definition %} |
| `key` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access key for this registry. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)." |
| `token` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access token for this registry. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)."</br>`token` is used to provide an access token for an external system and should not be used to provide a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}. If you want to use a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, you should supply it as a password. |
| `replaces-base` | For registries{% ifversion dependabot-private-registries %}, if the boolean value is `true`, {% data variables.product.prodname_dependabot %} will resolve dependencies by using the specified URL rather than the base URL of that specific ecosystem. For example, for registries{% endif %} with `type: python-index`, if the boolean value is `true`, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default `https://pypi.org/simple`). |
| `replaces-base` | For registries, if the boolean value is `true`, {% data variables.product.prodname_dependabot %} will resolve dependencies by using the specified URL rather than the base URL of that specific ecosystem. For example, for registries with `type: python-index`, if the boolean value is `true`, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default `https://pypi.org/simple`). |

0 comments on commit 48c57ec

Please sign in to comment.