Viewing metrics for Dependabot alerts

You can use security overview to see how many Dependabot alerts are in repositories across your organization, to prioritize the most critical alerts to fix, and to identify repositories where you may need to take action.

Qui peut utiliser cette fonctionnalité ?

L’accès nécessite :

  • Vues de l’organisation : accès en écriture aux référentiels de l’organisation
  • Vues d’entreprise : propriétaires et responsables de la sécurité de l’organisation

Organisations appartenant à un compte GitHub Team avec GitHub Code Security, ou appartenant à un compte GitHub Enterprise avec GitHub Code Security

Dans cet article

About metrics for Dependabot

The metrics overview for Dependabot provides valuable insights for both developers and application security (AppSec) managers. The data in the Dependabot dashboard page contains a vulnerability prioritization funnel that helps with efficiently prioritizing, remediating, and tracking vulnerabilities across multiple repositories. This ensures that the most critical risks are addressed first and that security improvements can be measured over time.

For more information about how AppSec managers can best use these metrics to optimize alert fixing, see Classement des alertes Dependabot par ordre de priorité à l’aide de mesures.

You can see Dependabot metrics if you have:

The available metrics combine severity, exploitability, and patch availability, and help in the following ways:

  • Alert prioritization: the chart shows the number of open Dependabot alerts. You can use filters, such as availability of patches, severity, EPSS score to narrow down the list of alerts to those matching the criteria. Consultez Filtres de tableau de bord Dependabot.

  • Remediation tracking: The “Alerts closed” tile shows the number of alerts fixed with Dependabot, manually dismissed, and auto dismissed, providing visibility into remediation performance and trends. The tile also shows the percent increase in the number of alerts closed in the last 30 days.

  • Highest-risk package: The "Most vulnerabilities" tile shows the dependency that has the most vulnerabilities in the organization. The tile also provides a link to the related alerts across all your repositories.

  • Repository-level breakdown: The table shows a breakdown of open alerts by repository, including counts by severity (critical, high, medium, low) and by exploitability (for example, EPSS > 1%), and can be sorted by each column. This helps you identify which projects are most at risk, prioritize remediation efforts where they matter most, and track progress over time at a granular level.

These metrics help managers measure the effectiveness of their vulnerability management and ensure compliance with organizational or regulatory timelines.

  • Actionable context for developers: Developers can use the severity and patch availability filters to identify vulnerabilities they can fix immediately, reducing noise and focusing attention on issues they can address. These metrics help them understand the risk profile of their dependencies, enabling informed prioritization of work.

Viewing metrics for Dependabot for an organization

  1. Sur GitHub, accédez à la page principale de l’organisation.

  2. Sous le nom de votre organisation, cliquez sur Securité.

    Capture d’écran de la barre de navigation horizontale d’une organisation. Un onglet, avec une icône de bouclier et le texte « Sécurité », est mis en évidence avec un encadré orange foncé.

  3. In the sidebar, under "Metrics", click Dependabot dashboard.

  4. Optionally, use the filters at your disposal, or build your own filters. Consultez Filtres de tableau de bord Dependabot.

  5. Optionally, click on a number on the x-axis of the chart to filter the alert list by the relevant criteria (for example has:patch severity:critical,high epss_percentage:>=0.01).

  6. Optionally, click on an individual repository to see the associated Dependabot alerts.

Configuring funnel categories

The default funnel order is has:patch, severity:critical,high, epss_percentage>=0.01. By tailoring the funnel’s order, you and your teams can focus on the vulnerabilities that matter most to your organization, environments, or regulatory obligations, making remediation efforts more effective and aligned with your specific needs.

  1. Sur GitHub, accédez à la page principale de l’organisation.

  2. Sous le nom de votre organisation, cliquez sur Securité.

    Capture d’écran de la barre de navigation horizontale d’une organisation. Un onglet, avec une icône de bouclier et le texte « Sécurité », est mis en évidence avec un encadré orange foncé.

  3. In the sidebar, under "Metrics", click Dependabot dashboard.

  4. On the top right of the "Alert prioritization" graph, click .

  5. In the "Configure funnel order" dialog, move the criteria as desired.

  6. Once you're done, click Move to save your changes.

Conseil

You can reset the funnel order back to the default settings by clicking Reset to default to the right of the graph.