Dependabot introduces auto-dismissal function to reduce alert fatigue
Dependabot, GitHub's renowned security feature, has been consistently evolving to make software dependency management more efficient and secure. Recent improvements include pausing pull requests on inactive repositories and enhancing the visibility of alerts to developers. In a bid to tackle alert fatigue caused by false positive alerts, Dependabot has now introduced an auto-dismissal function.
False positive alerts are those that, though identified as potential security threats, are unlikely to be exploitable and may only have limited effects. As Erin Havens, Senior Product Manager at GitHub, explains, GitHub adopts an innovative approach to identifying false positives by employing a contextual alert rules engine that utilizes a rich set of complex metadata.
In a significant move, Dependabot has announced the public beta release of this auto-dismissal function, which specifically targets npm devDependencies, a common source of false positive alerts. Dependabot now evaluates incoming alerts against GitHub-curated rules, factoring in the usage of npm devDependencies and their associated risk levels. Harry Marr, Senior Director of Software Engineering for GitHub supply chain security, states that auto-dismissing false positives has led to a reduction in the volume of npm alerts by approximately 15%.
The auto-dismissal function works seamlessly and is enabled by default for public repositories. Administrators of private repositories can also activate this feature on the Code Security page. Dependabot automatically dismisses false positive alerts and records each dismissal through a special timeline event, the audit log, webhooks, the REST and GraphQL APIs, and alert-centric views. To review auto-dismissed alerts, users can apply the resolution:auto-dismissed filter.
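Because auto-dismissal is driven by rules about npm devDependencies, a repository owner will usually want to spot-check the dismissed alerts rather than trust them blindly. The script below is an added example, not code from the article or from GitHub: it takes alert records shaped like the objects returned by the REST Dependabot alerts endpoint (the field names "state", "dependency.scope" and "security_advisory.severity" are assumptions about that API), counts alerts by state, isolates the auto-dismissed ones, and flags any whose package is not actually declared under devDependencies in package.json, or whose advisory is high or critical, for human review. All alert and package.json data is constructed for the example.

```python
import json
from collections import Counter

# Constructed sample alert records shaped like objects from the GitHub REST
# endpoint GET /repos/{owner}/{repo}/dependabot/alerts. The field names are
# assumptions about that API, not text from the article; the values are made up.
SAMPLE_ALERTS_JSON = """
[
  {"number": 1, "state": "auto_dismissed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-test-runner"}, "scope": "development"},
   "security_advisory": {"severity": "medium"}},
  {"number": 2, "state": "auto_dismissed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-http-client"}, "scope": "development"},
   "security_advisory": {"severity": "medium"}},
  {"number": 3, "state": "auto_dismissed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-build-tool"}, "scope": "development"},
   "security_advisory": {"severity": "critical"}},
  {"number": 4, "state": "open",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-web-framework"}, "scope": "runtime"},
   "security_advisory": {"severity": "high"}}
]
"""

# Constructed package.json: alert 2's package is a production dependency even
# though its alert record says "development", which is exactly the kind of
# mismatch a reviewer wants surfaced before accepting the dismissal.
SAMPLE_PACKAGE_JSON = """
{
  "dependencies": {"example-http-client": "^1.2.0", "example-web-framework": "^4.0.0"},
  "devDependencies": {"example-test-runner": "^9.0.0", "example-build-tool": "^5.1.0"}
}
"""

# Severities that should always get a human look, even when auto-dismissed.
REVIEW_SEVERITIES = frozenset({"high", "critical"})


def load_alerts(raw_json):
    """Parse a JSON array of alert records into a list of dicts."""
    return json.loads(raw_json)


def count_by_state(alerts):
    """Return {state: count}; auto-dismissed alerts carry state 'auto_dismissed'."""
    return dict(Counter(a["state"] for a in alerts))


def auto_dismissed(alerts):
    """Alerts Dependabot dismissed on its own (the resolution:auto-dismissed view)."""
    return [a for a in alerts if a["state"] == "auto_dismissed"]


def review_auto_dismissals(alerts, package_json):
    """Flag auto-dismissed alerts that a person should still look at.

    An alert is flagged when its package is a production dependency or is not
    declared under devDependencies at all (so a devDependency-based rule may
    not apply), or when the advisory severity is high or critical.
    Returns a list of (alert number, reason) tuples in alert order.
    """
    pkg = json.loads(package_json)
    prod = set(pkg.get("dependencies", {}))
    dev = set(pkg.get("devDependencies", {}))
    flagged = []
    for a in auto_dismissed(alerts):
        name = a["dependency"]["package"]["name"]
        severity = a["security_advisory"]["severity"]
        if name in prod or name not in dev:
            flagged.append((a["number"], f"{name} is not a devDependency-only package"))
        elif severity in REVIEW_SEVERITIES:
            flagged.append((a["number"], f"{name} advisory severity is {severity}"))
    return flagged


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    print(count_by_state(alerts))
    for number, reason in review_auto_dismissals(alerts, SAMPLE_PACKAGE_JSON):
        print(f"alert #{number} needs review: {reason}")
```

On the constructed data, alert 1 is accepted as a genuine devDependency false positive, alert 2 is flagged because package.json lists it as a runtime dependency, alert 3 is flagged for its critical severity, and the open alert 4 is untouched because it was never auto-dismissed. In a real repository the alert list would come from the REST API or the auto-dismissed filter view rather than an inline string.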
Dependabot's commitment to enhancing security and reducing alert fatigue doesn't end here. The upcoming roadmap includes support for additional ecosystems, and Dependabot invites users to share their feedback and ideas in the GitHub Community. To learn more about alert rules and other aspects of this feature, you can refer to the dedicated changelog, FAQ, and documentation.
In summary, Dependabot's new auto-dismissal function equips developers with a more streamlined and efficient approach to managing security alerts. By addressing the issue of alert fatigue caused by false positives, Dependabot continues to play a crucial role in improving security while ensuring a smooth experience for developers.