注意
Production context is in 公共预览版 and subject to change.
Prioritizing Dependabot alerts using production context
Application Security (AppSec) managers are often overwhelmed by a high volume of Dependabot alerts, many of which may not represent real risk because the affected code never makes it to production. By associating production context with your alerts, you can filter and prioritize vulnerabilities that impact artifacts actually approved for production environments. This enables your team to focus remediation efforts on the vulnerabilities that matter most, reducing noise and improving your security posture.
Associating production context with Dependabot alerts
GitHub enables production context for your Dependabot alerts by providing a Storage Record API. This API allows package registries or GitOps workflows to send artifact lifecycle data to GitHub. The API should be called whenever an artifact is promoted to a production-approved package repository.
GitHub processes this metadata and uses it to power new alert filters, such as artifact-registry-url and artifact-registry. For more information, see Create artifact metadata storage record in the REST API documentation.
Steps to prioritize alerts
Follow these steps to enable and use production context for alert prioritization:
Step 1: Detect and report production artifact promotions
In your CI/CD or GitOps workflow, whenever an artifact is promoted to a production-approved package repository, call the Storage Record API to to send the artifact's metadata to GitHub. This includes information such as the artifact's registry, repository, and version. See Artifact metadata.
If you use JFrog Artifactory, you do not need to perform any custom integration. Artifactory natively integrates with the Storage Record API. You only need to enable the integration in your Artifactory settings, and Artifactory will automatically emit production promotion events to GitHub.
The artifact-registry:jfrog-artifactory filter will work out of the box with no further setup in GitHub. For setup instructions, see JFrog and GitHub Integration: JFrog for [GitHub Dependabot] in the JFrog documentation.
Step 2: Use production context filters
你可以在存储库的 Dependabot alerts 选项卡中查看所有打开和关闭的 Dependabot alerts 以及对应的 Dependabot security updates。. For information about accessing this tab, see Viewing Dependabot alerts.
Once the alert list is displayed, use the artifact-registry-url or artifact-registry filters to focus on vulnerabilities affecting artifacts present in production. For example:
artifact-registry-url:my-registry.example.com
artifact-registry:jfrog-artifactory
You can also combine these with other filters, such as EPSS.
epss > 0.5 AND artifact-registry-url:my-registry.example.com