I've gone through the GitHub REST API v3 and the GitHub GraphQL API v4, but I'm unable to find a resource/endpoint to check if Dependabot is enabled via the API. I've gone through loads of documentation but was unable to find anything helpful. Could someone please point me to the correct document or tell me which resource to use? Thanks!
There was a [dependabot API docs](https://github.com/dependabot/api-docs) that could have helped, but it was deprecated today (August 3rd 2021). However, a workaround would be to check if the `dependabot.yml` file is present in your repository or not ([reference](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates)) using GET to `api.github.com/repos/name/repo/contents/fileNameOrPath`. – GuiFalourd Aug 03 '21 at 15:12
4 Answers
Now that Dependabot is merged into GitHub, there are three different features that can be enabled in addition to the dependency graph itself: two in the Security & analysis section of the settings, and the last in the Dependency graph section of the Insights tab of a given GitHub repo:
- Dependabot alerts: will security alerts be generated?
- Dependabot security updates: will pull requests be generated by the discovery of vulnerable dependencies?
- Dependabot version updates: will pull requests be generated whenever a new version of a dependency becomes available?
(All require Dependency graph to also be enabled--and for a repo to have at least one supported package ecosystem file)
Checking if Dependabot alerts are enabled
According to the GitHub REST API Reference, you can check whether Dependabot alerts are enabled via the GitHub REST API at the following endpoint:
https://api.github.com/repos/{owner}/{repo}/vulnerability-alerts
A 204 response confirms the feature is enabled, a 404 means it is not.
Checking if Dependabot security updates are enabled
Curiously, the GitHub REST API Reference lists requests to enable or disable the feature, but not to get the current status of the feature for a given repo, and I have not been able to satisfactorily find how to get that information from the REST or GraphQL API.
GuiFalourd's answer mentions using the GraphQL API to check for the presence of a `.github/dependabot.yml` file. Unfortunately that isn't a 1-to-1 relationship with security updates: the file could be present without security updates enabled, or could be absent when security updates are enabled. The `dependabot.yml` file is used for version updates, which is related but not the same thing.
You could always use the REST API enable security updates request to ensure the feature is on, but that is not at all the same as querying its current status for a repo. If anyone does discover a way to do this without page scraping, or if GitHub adds the ability to check in the future please let me know!
Checking if Dependabot version updates are enabled
Again, this is not the same as security updates, but depending on your policy/practices it may be a 1-to-1 relationship. Use something like the following against the Graph endpoint https://api.github.com/graphql
Query:

```
{
  repository(name: "{repo}", owner: "{owner}") {
    object(expression: "HEAD:.github/") {
      ... on Tree {
        entries {
          name
        }
      }
    }
  }
}
```

Response if file is present:

```
{
  "data": {
    "repository": {
      "object": {
        "entries": [
          {
            "name": "dependabot.yml"
          }
        ]
      }
    }
  }
}
```

Response if file is not present:

```
{
  "data": {
    "repository": {
      "object": null
    }
  }
}
```

I appreciate the thoroughness of this answer. I really wish there was a way to get the status of the alerts through the graphql api. – Jacob Dalton Jan 21 '22 at 00:04
You can get that information from https://docs.github.com/en/graphql/reference/objects#repositoryvulnerabilityalert Look for the `state` property. – Karan Tikku May 18 '22 at 04:02
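The REST checks from the answer above, combined into one helper. This is an added example, not code from any of the answers. It treats only 204/200 as "enabled" and only 404 as "disabled", and it first confirms the repository is visible to the token, because a private repository the token cannot see also answers 404. The function names and the injectable `get_status` parameter are assumptions made for illustration.

```python
import urllib.error
import urllib.request

API = "https://api.github.com"

def http_status(url, token):
    """Status code of an authenticated GET; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def classify(status, on):
    """Tri-state: only `on` means enabled and only 404 means disabled."""
    if status == on:
        return "enabled"
    if status == 404:
        return "disabled"
    return "unknown"  # e.g. 401/403: bad token or missing permission

def dependabot_status(owner, repo, token, get_status=http_status):
    """get_status is injectable (hypothetical hook) so the logic runs offline."""
    base = f"{API}/repos/{owner}/{repo}"
    # A private repo the token cannot see also answers 404, which would be
    # misread as "disabled", so confirm the repo itself is visible first.
    if get_status(base, token) != 200:
        return {"repo_visible": False, "alerts": "unknown",
                "version_updates_config": "unknown"}
    alerts = get_status(f"{base}/vulnerability-alerts", token)
    config = get_status(f"{base}/contents/.github/dependabot.yml", token)
    return {"repo_visible": True,
            "alerts": classify(alerts, on=204),
            "version_updates_config": classify(config, on=200)}

if __name__ == "__main__":
    import os, sys
    print(dependabot_status(sys.argv[1], sys.argv[2], os.environ["GITHUB_TOKEN"]))
```

As the answer notes, the `dependabot.yml` result describes version updates only and says nothing about security updates.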
There was a dependabot API docs that could have helped, but it was deprecated on August 3rd 2021.
However, a workaround would be to check if the `dependabot.yml` file is present in your repository or not using a `GET` request to `api.github.com/repos/name/repo/contents/fileNameOrPath`.

The answer by @epopisces is to the point; I was also looking for the same thing. Now, in addition to what he said: checking the status of Dependabot security updates is possible via a GET request (GET /repos/{owner}/{repo}) to a particular repo, which can have a security and analysis tag in the response (only if we have an Advanced Security license). There is no other way to know the status via the API yet.
https://docs.github.com/en/rest/reference/repos#get-a-repository

As of 2023-01-10 the `Repository` object type now exposes a `hasVulnerabilityAlertsEnabled` field in the GraphQL API. So, for example, the following query:

```
{
  repository(name: "platform-samples", owner: "github") {
    id
    hasVulnerabilityAlertsEnabled
  }
}
```

Gives the following result:

```
{
  "data": {
    "repository": {
      "id": "MDEwOlJlcG9zaXRvcnk4NDQ1ODc3",
      "hasVulnerabilityAlertsEnabled": true
    }
  }
}
```
Sadly, this still won't tell you if Security Updates are enabled but you can at least find out if Alerts are turned on.
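For auditing many repositories at once, the query above can be generalized to one aliased `repository` field per repo in a single request. This is an added example, not code from the answer; it goes beyond the single-repo case shown there. The function names and the `r0`, `o0`, `n0` alias and variable scheme are assumptions made for illustration. Repository names travel as GraphQL variables rather than being spliced into the query text.

```python
import json
import urllib.request

def build_request(repos):
    """One GraphQL document with an aliased repository field per (owner, name)."""
    decls, fields, variables = [], [], {}
    for i, (owner, name) in enumerate(repos):
        decls.append(f"$o{i}: String!, $n{i}: String!")
        fields.append(f"r{i}: repository(owner: $o{i}, name: $n{i}) "
                      "{ nameWithOwner hasVulnerabilityAlertsEnabled }")
        variables[f"o{i}"] = owner
        variables[f"n{i}"] = name
    query = "query(" + ", ".join(decls) + ") {\n  " + "\n  ".join(fields) + "\n}"
    return {"query": query, "variables": variables}

def parse_result(repos, response):
    """Map "owner/name" to True, False, or None (repo missing or not visible)."""
    data = response.get("data") or {}
    result = {}
    for i, (owner, name) in enumerate(repos):
        node = data.get(f"r{i}")  # null when the repo could not be resolved
        result[f"{owner}/{name}"] = (
            None if node is None else node["hasVulnerabilityAlertsEnabled"])
    return result

def check_alerts(repos, token):
    """POST the batched query to the GraphQL endpoint and parse the reply."""
    req = urllib.request.Request(
        "https://api.github.com/graphql",
        data=json.dumps(build_request(repos)).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_result(repos, json.load(resp))

if __name__ == "__main__":
    import os
    print(check_alerts([("github", "platform-samples")], os.environ["GITHUB_TOKEN"]))
```

A `None` entry means the status could not be determined for that repository and should not be counted as "alerts disabled".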
