Showing content from https://docs.github.com/en/code-security/security-overview/viewing-metrics-for-dependabot-alerts below:

Viewing metrics for Dependabot alerts

You can use security overview to see how many Dependabot alerts are in repositories across your organization, to prioritize the most critical alerts to fix, and to identify repositories where you may need to take action.

Who can use this feature?

Access requires:

Organizations owned by a GitHub Team account with GitHub Code Security, or owned by a GitHub Enterprise account with GitHub Code Security

About metrics for Dependabot

The metrics overview for Dependabot provides valuable insights for both developers and application security (AppSec) managers. The data in the Dependabot dashboard page contains a vulnerability prioritization funnel that helps with efficiently prioritizing, remediating, and tracking vulnerabilities across multiple repositories. This ensures that the most critical risks are addressed first and that security improvements can be measured over time.

For more information about how AppSec managers can best use these metrics to optimize alert fixing, see Prioritizing Dependabot alerts using metrics.

You can see Dependabot metrics if you have:

The available metrics combine severity, exploitability, and patch availability, and help in the following ways:

These metrics help managers measure the effectiveness of their vulnerability management and ensure compliance with organizational or regulatory timelines.

Viewing metrics for Dependabot for an organization
  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

  3. In the sidebar, under "Metrics", click Dependabot dashboard.

  4. Optionally, use the filters at your disposal, or build your own filters. See Dependabot dashboard view filters.

  5. Optionally, click on a number on the x-axis of the chart to filter the alert list by the relevant criteria (for example has:patch severity:critical,high epss_percentage:>=0.01).

  6. Optionally, click on an individual repository to see the associated Dependabot alerts.

Configuring funnel categories

The default funnel order is has:patch, severity:critical,high, epss_percentage>=0.01. By tailoring the funnel’s order, you and your teams can focus on the vulnerabilities that matter most to your organization, environments, or regulatory obligations, making remediation efforts more effective and aligned with your specific needs.

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

  3. In the sidebar, under "Metrics", click Dependabot dashboard.

  4. On the top right of the "Alert prioritization" graph, click .

  5. In the "Configure funnel order" dialog, move the criteria as desired.

  6. Once you're done, click Move to save your changes.

Tip

You can reset the funnel order back to the default settings by clicking Reset to default to the right of the graph.
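To make the funnel concrete, the following added example (not GitHub's own code, and not from the original page) replays the three default stages over a handful of constructed Dependabot alerts. The alert field names (severity, first_patched_version, epss) are an assumption loosely modelled on the alerts API; the point is to show that each stage filters the survivors of the previous one, so reordering the stages changes the intermediate counts on the graph but not the final set of alerts to fix first.

```python
"""Replay the Dependabot dashboard prioritization funnel over sample alerts.

The default stages mirror the dashboard's filters:
  has:patch                 -> a fixed version exists
  severity:critical,high    -> advisory severity is critical or high
  epss_percentage:>=0.01    -> EPSS exploitation probability is at least 1 %
"""

# Constructed sample alerts. Field names are an assumption, not a verbatim copy
# of the Dependabot alerts API schema.
SAMPLE_ALERTS = [
    {"number": 1, "severity": "critical", "first_patched_version": "4.17.21", "epss": 0.93},
    {"number": 2, "severity": "high",     "first_patched_version": None,      "epss": 0.40},
    {"number": 3, "severity": "high",     "first_patched_version": "2.9.1",   "epss": 0.004},
    {"number": 4, "severity": "medium",   "first_patched_version": "1.2.3",   "epss": 0.05},
    {"number": 5, "severity": "critical", "first_patched_version": "3.0.2",   "epss": 0.012},
    {"number": 6, "severity": "low",      "first_patched_version": None,      "epss": 0.0},
]

# Each stage is (dashboard filter label, predicate on one alert).
DEFAULT_FUNNEL = [
    ("has:patch", lambda a: a["first_patched_version"] is not None),
    ("severity:critical,high", lambda a: a["severity"] in ("critical", "high")),
    ("epss_percentage:>=0.01", lambda a: a["epss"] >= 0.01),
]


def run_funnel(alerts, stages=DEFAULT_FUNNEL):
    """Return [(stage_label, alerts_remaining)] for the full funnel.

    Stages are cumulative: each predicate is applied only to the alerts that
    survived the previous stage, which is what the x-axis counts represent.
    """
    remaining = list(alerts)
    counts = [("all", len(remaining))]
    for label, predicate in stages:
        remaining = [a for a in remaining if predicate(a)]
        counts.append((label, len(remaining)))
    return counts


def prioritized_alert_numbers(alerts, stages=DEFAULT_FUNNEL):
    """Alert numbers that pass every stage, i.e. the ones to remediate first."""
    remaining = list(alerts)
    for _, predicate in stages:
        remaining = [a for a in remaining if predicate(a)]
    return [a["number"] for a in remaining]


if __name__ == "__main__":
    for label, n in run_funnel(SAMPLE_ALERTS):
        print(f"{label:<24} {n}")
    print("fix first:", prioritized_alert_numbers(SAMPLE_ALERTS))
```

Passing `list(reversed(DEFAULT_FUNNEL))` as `stages` reproduces what the "Configure funnel order" dialog does: the per-stage counts change, the final list does not.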
