API users can now integrate with a new dependabot_alert webhook, which matches the naming and structure of the recently introduced Dependabot alerts REST API. You should use this webhook in place of the existing repository_vulnerability_alert.
What’s new
Improvements with the new webhook include:
- More informative payload, including state and scope of the dependency, dismissal comments, and helpful information about a vulnerability (e.g. CVE ID, summary, description, CWEs, and reference URL).
- Support for GitHub Apps with the Dependabot alerts
readpermission. - Actions on an alert now include the full set of
created,dismissed,reopened,fixed, orreintroduced. See below for descriptions:
| Action | Action definition |
|---|---|
created |
github has opened the Dependabot alert |
dismissed |
GitHub user dismissed the alert with dismissed_reason and an optional dismissed_comment |
reopened |
GitHub user manually reopened the previously-dismissed alert |
fixed |
github detected the Dependabot alert is resolved |
reintroduced |
github reopened the previously-fixed alert |
Deprecation notice
The repository_vulnerability_alert webhook is being deprecated. In 2023, we plan to remove the existing repository_vulnerability_alert webhook, which is superseded by the dependabot_alert webhook. We will give integrators at least 3 months notice of this removal — keep an eye on the GitHub Changelog in 2023 for more information.
Learn more about the Dependabot alerts webhook in our documentation.