| title | Prioritizing Dependabot and code scanning alerts using production context | ||||
|---|---|---|---|---|---|
| shortTitle | Prioritize alerts in production code | ||||
| intro | Focus remediation on real risk by targeting {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} alerts in artifacts deployed to production, using metadata from external systems and integrations like Dynatrace, JFrog Artifactory, {% data variables.product.prodname_microsoft_defender %}, or your own CI/CD workflows. | ||||
| versions |
|
||||
| contentType | tutorials | ||||
| redirect_from |
|
||||
| category |
|
Application Security (AppSec) managers are often overwhelmed by a high volume of alerts, many of which may not represent real risk because the affected code never makes it to production. By associating production context with your alerts, you can filter and prioritize vulnerabilities that impact artifacts actually approved for production environments. This enables your team to focus remediation efforts on the vulnerabilities that matter most, reducing noise and improving your security posture.
{% data variables.product.github %}'s {% data variables.product.virtual_registry %} allows you to provide production context for your company's builds using the REST API or a partner integration. Teams can then use this context to prioritize {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} alerts. For more information, see AUTOTITLE.
To provide production context, you should configure your system to:
- Update storage records in the {% data variables.product.virtual_registry %} whenever an artifact is promoted to a production-approved package repository.
- Update deployment records when an artifact is deployed to a production environment.
{% data variables.product.github %} processes this metadata and uses it to power alert filters, such as artifact-registry-url and artifact-registry from storage records, and has:deployment and runtime-risk from deployment records. Runtime risks from deployment records are also visible as properties on individual {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} alert pages.
For more information on updating records, see AUTOTITLE.
Production context filters are made available in the {% data variables.product.prodname_security_and_quality_tab %} tab.
- {% data variables.product.prodname_dependabot %} view: See AUTOTITLE.
- {% data variables.product.prodname_code_scanning_caps %} view: See AUTOTITLE.
- Security campaign view: See AUTOTITLE.
Once the alert list is displayed, use the artifact-registry-url or artifact-registry filters in organization views to focus on vulnerabilities affecting artifacts present in production.
-
For your own artifact repository that is hosted at
my-registry.example.com, you would use:artifact-registry-url:my-registry.example.com -
If you use JFrog Artifactory, you can use
artifact-registrywith no further setup in {% data variables.product.github %}:artifact-registry:jfrog-artifactory
You can also use the has:deployment and runtime-risk filters to focus on vulnerabilites that deployment metadata shows as in deployment or at risk of runtime vulnerabilities. This data is populated automatically if you have connected {% data variables.product.prodname_mdc %}. For example:
-
To focus on alerts in deployed code that is exposed to the internet, you would use:
has:deployment AND runtime-risk:internet-exposed
You can also combine these production context filters with other filters, such as EPSS:
epss > 0.5 AND artifact-registry-url:my-registry.example.com
Now you have identified the alerts that put your production code at risk of exploitation, you need to remediate them as a matter of urgency. Where possible use automation to lower the barrier to remediation.