[EDI] Dependabot "low impact" preset rule (#59729)

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: isaacmbrown

content/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules.md

@@ -1,6 +1,6 @@
 ---
 title: About Dependabot auto-triage rules
-intro: '{% data variables.dependabot.auto_triage_rules %} are a powerful tool to help you better manage your security alerts at scale. {% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %} that you can use to filter out a substantial amount of false positives. {% data variables.dependabot.custom_rules_caps %} provide control over which alerts are ignored, snoozed, or trigger a {% data variables.product.prodname_dependabot %} security update to resolve the alert.'
+intro: 'Control how {% data variables.product.prodname_dependabot %} handles security alerts, including filtering, ignoring, snoozing, or triggering security updates.'
 product: '{% data reusables.gated-features.dependabot-auto-triage-rules %}'
 versions:
   fpt: '*'
@@ -35,9 +35,18 @@ There are two types of {% data variables.dependabot.auto_triage_rules %}:
 > [!NOTE]
 > {% data reusables.dependabot.dependabot-github-preset-auto-triage-rules %}
 
-{% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %}. {% data reusables.dependabot.dismiss-low-impact-rule %}
+{% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %}.
 
-The rule is enabled by default for public repositories and can be opted into for private repositories. You can enable the rule for a private repository via the **Settings** tab for the repository. For more information, see [Enabling the `Dismiss low impact issues for development-scoped dependencies` rule for your private repository](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts#enabling-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule-for-your-private-repository).
+{% data reusables.dependabot.dismiss-low-impact-rule %} These alerts cover cases that feel like false alarms to most developers as the associated vulnerabilities:
+
+* Are unlikely to be exploitable in a developer (non-production or runtime) environment.
+* May relate to resource management, programming and logic, and information disclosure issues.
+* At worst, have limited effects like slow builds or long-running tests.
+* Are not indicative of issues in production.
+
+The rule is enabled by default for public repositories and can be opted into for private repositories. For instructions, see [Enabling the `Dismiss low impact issues for development-scoped dependencies` rule for your private repository](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts#enabling-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule-for-your-private-repository).
+
+For more information about the criteria used by the rule, see [AUTOTITLE](/code-security/reference/supply-chain-security/criteria-for-preset-rules).
 
 ### About {% data variables.dependabot.custom_rules %}
 

content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/using-github-preset-rules-to-prioritize-dependabot-alerts.md

@@ -1,6 +1,6 @@
 ---
 title: Using GitHub preset rules to prioritize Dependabot alerts
-intro: You can use {% data variables.dependabot.github_presets %}, which are rules curated by {% data variables.product.company_short %}, to auto-dismiss low impact development alerts for npm dependencies.
+intro: Focus on alerts that matter by auto-dismissing low impact development alerts for npm dependencies.
 permissions: '{% data reusables.permissions.dependabot-github-presets %}'
 versions:
   fpt: '*'
@@ -20,23 +20,9 @@ redirect_from:
 contentType: how-tos
 ---
 
-## About {% data variables.dependabot.github_presets %}
+{% data reusables.dependabot.dismiss-low-impact-rule %} For more information about the rule, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules#about-github-presets).
 
-The `Dismiss low impact issues for development-scoped dependencies` rule is a {% data variables.product.company_short %} preset that auto-dismisses certain types of vulnerabilities that are found in npm dependencies used in development. These alerts cover cases that feel like false alarms to most developers as the associated vulnerabilities:
-
-* Are unlikely to be exploitable in a developer (non-production or runtime) environment.
-* May relate to resource management, programming and logic, and information disclosure issues.
-* At worst, have limited effects like slow builds or long-running tests.
-* Are not indicative of issues in production.
-
-> [!NOTE]
-> Automatic dismissal of low impact development alerts is currently only supported for npm.
-
-The `Dismiss low impact issues for development-scoped dependencies` rule includes vulnerabilities relating to resource management, programming and logic, and information disclosure issues. For more information, see [Publicly disclosed CWEs used by the `Dismiss low impact issues for development-scoped dependencies` rule](#publicly-disclosed-cwes-used-by-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule).
-
-Filtering out these low impact alerts allows you to focus on alerts that matter to you, without having to worry about missing potentially high-risk development-scoped alerts.
-
-The `Dismiss low impact issues for development-scoped dependencies` rule is enabled by default on public repositories and disabled for private repositories. Administrators of private repositories can opt in by enabling the rule for their repository.
+This rule is enabled by default on public repositories and disabled for private repositories. Administrators of private repositories can opt in by enabling the rule for their repository.
 
 ## Enabling the `Dismiss low impact issues for development-scoped dependencies` rule for your private repository
 
@@ -52,39 +38,3 @@ The `Dismiss low impact issues for development-scoped dependencies` rule is enab
 1. Under "{% data variables.product.company_short %} presets", to the right of "Dismiss low impact issues for development-scoped dependencies", click {% octicon "pencil" aria-label="Edit rule" %}.
 1. Under "State", select the dropdown menu, then click "Enabled".
 1. Click **Save rule**.
-
-## Publicly disclosed CWEs used by the `Dismiss low impact issues for development-scoped dependencies` rule
-
-Along with the `ecosystem:npm` and `scope:development` alert metadata, we use the following {% data variables.product.company_short %}-curated Common Weakness Enumerations (CWEs) to filter out low impact alerts for the `Dismiss low impact issues for development-scoped dependencies` rule. We regularly improve this list and vulnerability patterns covered by built-in rules.
-
-### Resource Management Issues
-
-* CWE-400 Uncontrolled Resource Consumption
-* CWE-770 Allocation of Resources Without Limits or Throttling
-* CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
-* CWE-908 Use of Uninitialized Resource
-* CWE-1333 Inefficient Regular Expression Complexity
-* CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
-* CWE-674 Uncontrolled Recursion
-* CWE-1119 Excessive Use of Unconditional Branching
-
-### Programming and Logic Errors
-
-* CWE-185 Incorrect Regular Expression
-* CWE-754 Improper Check for Unusual or Exceptional Conditions
-* CWE-755 Improper Handling of Exceptional Conditions
-* CWE-248 Uncaught Exception
-* CWE-252 Unchecked Return Value
-* CWE-391 Unchecked Error Condition
-* CWE-696 Incorrect Behavior Order
-* CWE-1254 Incorrect Comparison Logic Granularity
-* CWE-665 Improper Initialization
-* CWE-703 Improper Check or Handling of Exceptional Conditions
-* CWE-178 Improper Handling of Case Sensitivity
-
-### Information Disclosure Issues
-
-* CWE-544 Missing Standardized Error Handling Mechanism
-* CWE-377 Insecure Temporary File
-* CWE-451 User Interface (UI) Misrepresentation of Critical Information
-* CWE-668 Exposure of Resource to Wrong Sphere

content/code-security/reference/supply-chain-security/criteria-for-preset-rules.md

@@ -0,0 +1,54 @@
+---
+title: CWEs used by GitHub's preset Dependabot rules
+intro: '{% data variables.product.github %} uses industry-standard criteria to help you filter {% data variables.product.prodname_dependabot_alerts %}.'
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+topics:
+  - Dependabot
+  - Version updates
+  - Repositories
+  - Dependencies
+  - Pull requests
+shortTitle: Criteria for preset rules
+contentType: reference
+---
+
+## `Dismiss low impact issues for development-scoped dependencies`
+
+{% data reusables.dependabot.dismiss-low-impact-rule %}
+
+Along with the `ecosystem:npm` and `scope:development` alert metadata, we use the following {% data variables.product.company_short %}-curated Common Weakness Enumerations (CWEs) to filter out low impact alerts for the `Dismiss low impact issues for development-scoped dependencies` rule. We regularly improve this list and vulnerability patterns covered by built-in rules.
+
+### Resource Management Issues
+
+* CWE-400 Uncontrolled Resource Consumption
+* CWE-770 Allocation of Resources Without Limits or Throttling
+* CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
+* CWE-908 Use of Uninitialized Resource
+* CWE-1333 Inefficient Regular Expression Complexity
+* CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
+* CWE-674 Uncontrolled Recursion
+* CWE-1119 Excessive Use of Unconditional Branching
+
+### Programming and Logic Errors
+
+* CWE-185 Incorrect Regular Expression
+* CWE-754 Improper Check for Unusual or Exceptional Conditions
+* CWE-755 Improper Handling of Exceptional Conditions
+* CWE-248 Uncaught Exception
+* CWE-252 Unchecked Return Value
+* CWE-391 Unchecked Error Condition
+* CWE-696 Incorrect Behavior Order
+* CWE-1254 Incorrect Comparison Logic Granularity
+* CWE-665 Improper Initialization
+* CWE-703 Improper Check or Handling of Exceptional Conditions
+* CWE-178 Improper Handling of Case Sensitivity
+
+### Information Disclosure Issues
+
+* CWE-544 Missing Standardized Error Handling Mechanism
+* CWE-377 Insecure Temporary File
+* CWE-451 User Interface (UI) Misrepresentation of Critical Information
+* CWE-668 Exposure of Resource to Wrong Sphere

content/code-security/reference/supply-chain-security/index.md

@@ -25,6 +25,7 @@ children:
   - /dependabot-security-updates
   - /dependency-graph-supported-package-ecosystems
   - /dependabot-on-actions
+  - /criteria-for-preset-rules
   - /troubleshoot-dependabot
 redirect_from:
   - /code-security/dependabot/ecosystems-supported-by-dependabot

data/reusables/dependabot/dismiss-low-impact-rule.md

@@ -1 +1 @@
-The `Dismiss low impact issues for development-scoped dependencies` is a {% data variables.product.company_short %} preset rule. This rule auto-dismisses certain types of vulnerabilities that are found in npm dependencies used in development. The rule has been curated to reduce false positives and reduce alert fatigue. You cannot modify {% data variables.dependabot.github_presets %}. For more information about {% data variables.dependabot.github_presets %}, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts).
+The `Dismiss low impact issues for development-scoped dependencies` rule is a {% data variables.product.company_short %} preset that auto-dismisses certain types of vulnerabilities that are found in npm dependencies used in development.