GitHub repository high builtIn

Description

Ensure that every high-severity Dependabot alert for a dependency affected by a security vulnerability is resolved. Dependabot alerts tell you when your code depends on a package that is insecure. You should upgrade to a patched version of the package as soon as possible. If your code depends on a package with a security vulnerability, this can cause a range of problems for your project or the people who use it. Using a vulnerable package makes you a soft target for attackers looking to exploit your system. Learn more:
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#reviewing-and-fixing-alerts
https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security

Recommendation

1. Go to your repository -> Security tab.
2. In the 'Vulnerability alerts' section of the sidebar, select 'Dependabot'.
3. At the top of the list, filter by severity and select a high-severity alert.
4. Review and fix the alert: upgrade the dependency to the first patched version, or, if the vulnerable code path is not used, dismiss the alert with a documented reason so that it no longer remains open.

Policy Rule

{
  "target": "GHRepositoryVulnerabilityAlert",
  "if": {
    "allOf": [
      {
        "resource": "GHRepositoryVulnerabilityAlert",
        "property": "SecurityVulnerability.Severity",
        "operator": "equals",
        "value": "HIGH"
      },
      {
        "resource": "GHRepositoryVulnerabilityAlert",
        "property": "State",
        "operator": "notEquals",
        "value": "OPEN"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
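To make the Recommendation steps and the Policy Rule above concrete, here is an added example that is not part of this page or of any Microsoft or GitHub tooling. It evaluates the rule exactly as written against Dependabot alert records shaped like the objects returned by the GitHub REST API (`GET /repos/{owner}/{repo}/dependabot/alerts`), and separately lists the alerts a practitioner actually has to fix: the ones still `open` at `high` severity. The mapping from the rule's property names (`SecurityVulnerability.Severity`, `State`) to the API fields (`security_vulnerability.severity`, `state`) is an assumption, as is the case-insensitive comparison (the API returns lowercase values, the rule uses uppercase). The sample alerts are constructed placeholders, not real advisories.

```python
"""Evaluate the page's Dependabot policy rule against alert records and list the
open high-severity alerts the Recommendation asks you to fix (added example)."""
import json
import urllib.request

# The policy rule exactly as given on this page.
POLICY_RULE = {
    "target": "GHRepositoryVulnerabilityAlert",
    "if": {"allOf": [
        {"resource": "GHRepositoryVulnerabilityAlert",
         "property": "SecurityVulnerability.Severity", "operator": "equals", "value": "HIGH"},
        {"resource": "GHRepositoryVulnerabilityAlert",
         "property": "State", "operator": "notEquals", "value": "OPEN"},
    ]},
    "then": {"effect": "Audit"},
}

# Assumed mapping from rule property names to fields of the REST API alert object.
# The API returns lowercase values ("high", "open"); the rule compares uppercase.
PROPERTY_PATHS = {
    "SecurityVulnerability.Severity": ("security_vulnerability", "severity"),
    "State": ("state",),
}

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "notEquals": lambda actual, expected: actual != expected,
}


def get_property(alert, prop):
    """Resolve a rule property to its uppercased value in an alert record."""
    value = alert
    for key in PROPERTY_PATHS[prop]:
        value = value[key]
    return str(value).upper()


def node_matches(node, alert):
    """Evaluate an 'if' node: an allOf/anyOf group or a single leaf condition."""
    if "allOf" in node:
        return all(node_matches(child, alert) for child in node["allOf"])
    if "anyOf" in node:
        return any(node_matches(child, alert) for child in node["anyOf"])
    actual = get_property(alert, node["property"])
    return OPERATORS[node["operator"]](actual, str(node["value"]).upper())


def evaluate(rule, alert):
    """Return the rule's effect ("Audit") when its 'if' block matches, else None."""
    return rule["then"]["effect"] if node_matches(rule["if"], alert) else None


def open_high_alerts(alerts):
    """Alert numbers still OPEN at HIGH severity: the ones step 4 tells you to fix."""
    return [a["number"] for a in alerts
            if get_property(a, "SecurityVulnerability.Severity") == "HIGH"
            and get_property(a, "State") == "OPEN"]


def fetch_alerts(owner, repo, token, state="open", severity="high"):
    """Live query of the GitHub REST API (token needs the security_events or repo
    scope). Not called by the offline sample below."""
    url = (f"https://api.github.com/repos/{owner}/{repo}/dependabot/alerts"
           f"?state={state}&severity={severity}&per_page=100")
    request = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(request) as response:
        return json.load(response)


def _alert(number, state, severity):
    """Constructed alert record carrying only the fields this script reads."""
    return {"number": number, "state": state,
            "security_vulnerability": {"severity": severity}}


# Constructed sample data (placeholders, not real alerts) in the API's shape.
SAMPLE_ALERTS = [
    _alert(1, "open", "high"),       # still open: must be fixed
    _alert(2, "fixed", "high"),      # upgraded to a patched version
    _alert(3, "open", "medium"),     # outside this rule's severity filter
    _alert(4, "dismissed", "high"),  # closed with a dismissal reason
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["number"], alert["state"], evaluate(POLICY_RULE, alert))
    print("open HIGH alerts to fix:", open_high_alerts(SAMPLE_ALERTS))
```

Running the sample shows the rule's `if` block matching only the two HIGH alerts that are no longer `open` (numbers 2 and 4), while `open_high_alerts` returns number 1, the alert the Recommendation is really about. Point `fetch_alerts` at a real repository to feed live data through the same two functions.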