GitHub repository high builtIn

Description

Ensure there are no open Dependabot alerts of High severity for your repository, that is, no dependency affected by a security vulnerability rated High. Dependabot alerts tell you when your code depends on a package that is insecure; upgrade to a secure version of the package as soon as possible. A dependency with a known security vulnerability can cause a range of problems for your project and for the people who use it, and using a vulnerable package makes you a soft target for malicious users looking to exploit your system.

Learn more:
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts
https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security

Recommendation

1. Go to your repository and open the Security tab.
2. In the 'Vulnerability alerts' section of the sidebar, select 'Dependabot'.
3. At the top of the alert list, open the 'Severity' filter and select 'High'.
4. Ensure the filtered list is empty, that is, there are no open 'High' alerts for your repository.
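Steps 1 to 4 can also be reproduced without the browser by querying the Dependabot alerts REST API and counting open alerts by severity. The Python script below is an added example, not part of the policy definition or of GitHub's tooling: it evaluates this page's rule (VulnerabilityAlerts.TotalHigh equals 0) against alert records of the shape the API returns. The alert records embedded in it are constructed sample data, not real findings; fetch_open_alerts() targets the real endpoint GET /repos/{owner}/{repo}/dependabot/alerts and is the only part that needs a token and network access.

```python
"""Check a repository's open Dependabot alerts against the policy rule.

Added example; not part of the policy definition or of GitHub's tooling.
Counting and rule evaluation run offline against constructed sample alerts.
"""
import json
import re
import urllib.request

SEVERITIES = ("low", "medium", "high", "critical")

# The rule from the policy definition, verbatim.
POLICY_RULE = {
    "target": "GHRepositoryVulnerabilityAlerts",
    "if": {"allOf": [{
        "resource": "GHRepositoryVulnerabilityAlerts",
        "property": "VulnerabilityAlerts.TotalHigh",
        "operator": "equals",
        "value": 0,
    }]},
    "then": {"effect": "Audit"},
}

# Constructed sample alerts in the shape the REST API returns; only the
# fields this script reads are included. Package names are placeholders.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "security_advisory": {"severity": "high"},
     "dependency": {"package": {"ecosystem": "npm", "name": "sample-pkg-a"}}},
    {"number": 2, "state": "open",
     "security_advisory": {"severity": "medium"},
     "dependency": {"package": {"ecosystem": "pip", "name": "sample-pkg-b"}}},
    {"number": 3, "state": "dismissed",  # dismissed alerts must not count
     "security_advisory": {"severity": "high"},
     "dependency": {"package": {"ecosystem": "npm", "name": "sample-pkg-c"}}},
    {"number": 4, "state": "open",
     "security_advisory": {"severity": "critical"},
     "dependency": {"package": {"ecosystem": "maven", "name": "sample-pkg-d"}}},
]


def open_alert_counts(alerts):
    """Return {severity: count} over alerts whose state is 'open'.

    Dismissed, fixed and auto_dismissed alerts are excluded, matching the
    default view of the Dependabot tab in the Security UI.
    """
    counts = {sev: 0 for sev in SEVERITIES}
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        sev = alert.get("security_advisory", {}).get("severity", "").lower()
        if sev in counts:
            counts[sev] += 1
    return counts


def rule_condition_holds(alerts, rule=POLICY_RULE):
    """Evaluate the rule's 'if' block against the open-alert counts.

    Supports the shape used on this page: 'allOf' conditions with operator
    'equals' on properties named VulnerabilityAlerts.Total<Severity>.
    Returns True when every condition holds (here: no open High alerts).
    """
    counts = open_alert_counts(alerts)
    for cond in rule["if"]["allOf"]:
        if cond["operator"] != "equals":
            raise ValueError(f"unsupported operator: {cond['operator']}")
        sev = cond["property"].rsplit("Total", 1)[-1].lower()
        if sev not in counts:
            raise ValueError(f"unsupported property: {cond['property']}")
        if counts[sev] != cond["value"]:
            return False
    return True


def next_page_url(link_header):
    """Extract the rel="next" URL from a GitHub Link header, or None."""
    if not link_header:
        return None
    match = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return match.group(1) if match else None


def fetch_open_alerts(owner, repo, token):
    """Page through the open Dependabot alerts of one repository.

    Needs a token with the security_events scope (classic) or the
    'Dependabot alerts: read' repository permission (fine-grained).
    Network call; not exercised by the offline run below.
    """
    url = (f"https://api.github.com/repos/{owner}/{repo}/dependabot/alerts"
           "?state=open&per_page=100")
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            alerts.extend(json.load(resp))
            url = next_page_url(resp.headers.get("Link"))
    return alerts


if __name__ == "__main__":
    print("open alerts by severity:", open_alert_counts(SAMPLE_ALERTS))
    print("TotalHigh == 0:", rule_condition_holds(SAMPLE_ALERTS))
```

Run as-is for the offline evaluation of the sample; for a live check, pass the result of fetch_open_alerts(owner, repo, token) to rule_condition_holds() instead of SAMPLE_ALERTS. Two caveats carry over to the manual steps above: only alerts in state 'open' are counted, so a dismissed High alert does not make the check fail, and the rule looks at the High bucket alone. Critical is a separate severity in the API and in the UI filter, so a repository with only Critical alerts still satisfies this rule's condition; check the Critical count alongside it.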

Policy Rule

{
  "target": "GHRepositoryVulnerabilityAlerts",
  "if": {
    "allOf": [
      {
        "resource": "GHRepositoryVulnerabilityAlerts",
        "property": "VulnerabilityAlerts.TotalHigh",
        "operator": "equals",
        "value": 0
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}