After launching Dependabot's auto-dismiss policies a few months ago to reduce the number of false positive alerts, GitHub is now adding custom rules support for developers to define the criteria to auto-dismiss and reopen alerts.
While solutions like Dependabot promise to help improve security by automatically identifying vulnerabilities in a project's dependencies, all comes at a price. With Dependabot this is related to the number of false positive the system may generate, i.e., alerts that do not correspond to a real threat but still require a developer's attention for manual assessment and triage. False positives include vulnerabilities that are unlikely to be exploited or glitches in the system associated to long-running builds or tests.
In fact, this has led to the creation of the notion of "alert fatigue", whereas, according to GitHub, at least one in ten alerts are false positives. Paradoxically, alert fatigue could distract developers from addressing real vulnerabilities. To mitigate this situation, GitHub introduced a number of general policies aimed to reduce the volume of false positives by dismissing low impact issues for development-scoped dependencies (a.k.a, devDependencies in the npm world).
Encouraged by developers' adoption of the new feature, GitHub is now making a further step in the direction of reducing alert fatigue by enabling the definition of custom rules to control how Dependabot auto-dismisses alerts. This includes two new options, which will either dismiss or snooze an alert until a patch is available or indefinitely.
When defining a rule, developers specify a set of criteria that determine when the rule applies. This include the package name, the vulnerability severity, the ecosystem, the manifest, the scope, and the security advisories. When a rule matches, the alert will be dismissed, either indefinitely or until a patch is available.
In the initial release, rules can be defined on a repository-by-repository base, with organization-level rules coming soon, say GitHub. In the future, auto-dismiss rules will expand metadata that can be used as well as available remediation flows, additionally say the organization.
Custom auto-triage rules are available for free on all public repositories, and at a premium for private repositories.
Dependabot, introduced in 2019, is able to scan a project's dependencies for any vulnerabilities and automatically open PRs for each of them, allowing maintainers to fix security vulnerabilities by simply merging those PRs.