Viewing metrics for Dependabot alerts

About metrics for Dependabot

The metrics overview for Dependabot provides valuable insights for both developers and application security (AppSec) managers. The data in the Dependabot dashboard page contains a vulnerability prioritization funnel that helps with efficiently prioritizing, remediating, and tracking vulnerabilities across multiple repositories. This ensures that the most critical risks are addressed first and that security improvements can be measured over time.

For more information about how AppSec managers can best use these metrics to optimize alert fixing, see 메트릭을 사용하여 Dependabot 경고 우선 순위 지정.

You can see Dependabot metrics if you have:

• The admin role for the repository.
• A custom repository role with the "View Dependabot alerts" fine-grained permissions for the repository. For more information, see 사용자 지정 리포지토리 역할 정보.
• Access to alerts for the repository. For more information, see 리포지토리에 대한 보안 및 분석 설정 관리.

The available metrics combine severity, exploitability, and patch availability, and help in the following ways:

• Alert prioritization: the chart shows the number of open Dependabot alerts. You can use filters, such as availability of patches, severity, EPSS score to narrow down the list of alerts to those matching the criteria. Dependabot 대시보드 보기 필터를 참조하세요.

• Remediation tracking: The “Alerts closed” tile shows the number of alerts fixed with Dependabot, manually dismissed, and auto dismissed, providing visibility into remediation performance and trends. The tile also shows the percent increase in the number of alerts closed in the last 30 days.

• Highest-risk package: The "Most vulnerabilities" tile shows the dependency that has the most vulnerabilities in the organization. The tile also provides a link to the related alerts across all your repositories.

• Repository-level breakdown: The table shows a breakdown of open alerts by repository, including counts by severity (critical, high, medium, low) and by exploitability (for example, EPSS > 1%), and can be sorted by each column. This helps you identify which projects are most at risk, prioritize remediation efforts where they matter most, and track progress over time at a granular level.

These metrics help managers measure the effectiveness of their vulnerability management and ensure compliance with organizational or regulatory timelines.

• Actionable context for developers: Developers can use the severity and patch availability filters to identify vulnerabilities they can fix immediately, reducing noise and focusing attention on issues they can address. These metrics help them understand the risk profile of their dependencies, enabling informed prioritization of work.

Viewing metrics for Dependabot for an organization

1. GitHub에서 조직의 기본 페이지로 이동합니다.

2. 조직 이름에서 보안을 클릭합니다.

   

3. In the sidebar, under "Metrics", click Dependabot dashboard.

4. Optionally, use the filters at your disposal, or build your own filters. Dependabot 대시보드 보기 필터를 참조하세요.

5. Optionally, click on a number on the x-axis of the chart to filter the alert list by the relevant criteria (for example has:patch severity:critical,high epss_percentage:>=0.01).

6. Optionally, click on an individual repository to see the associated Dependabot alerts.

Configuring funnel categories

The default funnel order is has:patch, severity:critical,high, epss_percentage>=0.01. By tailoring the funnel’s order, you and your teams can focus on the vulnerabilities that matter most to your organization, environments, or regulatory obligations, making remediation efforts more effective and aligned with your specific needs.

1. GitHub에서 조직의 기본 페이지로 이동합니다.

2. 조직 이름에서 보안을 클릭합니다.

   

3. In the sidebar, under "Metrics", click Dependabot dashboard.

4. On the top right of the "Alert prioritization" graph, click .

5. In the "Configure funnel order" dialog, move the criteria as desired.

6. Once you're done, click Move to save your changes.