feat(github): add Dependabot alert interface and enhance alert counting (#1997)

github-actions[bot] · tofikwest · web-flow · commit 4d554a42c4e2 · 2026-01-12T10:15:45.000-05:00
Co-authored-by: Tofik Hasanov &lt;annexcies@gmail.com&gt;
diff --git a/packages/integration-platform/src/manifests/github/checks/dependabot.ts b/packages/integration-platform/src/manifests/github/checks/dependabot.ts
@@ -1,13 +1,27 @@
 /**
  * Dependabot Check
  * Verifies that Dependabot security updates are enabled on repositories
+ * and reports the count of open/closed security alerts.
  */
 
 import { TASK_TEMPLATES } from '../../../task-mappings';
 import type { IntegrationCheck } from '../../../types';
-import type { GitHubOrg, GitHubRepo } from '../types';
+import type { GitHubDependabotAlert, GitHubOrg, GitHubRepo } from '../types';
 import { targetReposVariable } from '../variables';
 
+interface AlertCounts {
+  open: number;
+  dismissed: number;
+  fixed: number;
+  total: number;
+  bySeverity: {
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+  };
+}
+
 export const dependabotCheck: IntegrationCheck = {
   id: 'dependabot_enabled',
   name: 'Dependabot Security Updates Enabled',
@@ -43,30 +57,128 @@ export const dependabotCheck: IntegrationCheck = {
 
     ctx.log(`Checking ${repos.length} repositories for Dependabot`);
 
+    /**
+     * Fetch Dependabot alerts for a repository and calculate counts
+     */
+    const fetchAlertCounts = async (repoFullName: string): Promise<AlertCounts | null> => {
+      try {
+        const alerts = await ctx.fetchAllPages<GitHubDependabotAlert>(
+          `/repos/${repoFullName}/dependabot/alerts`,
+        );
+
+        const counts: AlertCounts = {
+          open: 0,
+          dismissed: 0,
+          fixed: 0,
+          total: alerts.length,
+          bySeverity: { critical: 0, high: 0, medium: 0, low: 0 },
+        };
+
+        for (const alert of alerts) {
+          // Count by state
+          if (alert.state === 'open') counts.open++;
+          else if (alert.state === 'dismissed') counts.dismissed++;
+          else if (alert.state === 'fixed') counts.fixed++;
+
+          // Count open alerts by severity
+          if (alert.state === 'open') {
+            const severity = alert.security_vulnerability?.severity ?? 'low';
+            counts.bySeverity[severity]++;
+          }
+        }
+
+        return counts;
+      } catch (error) {
+        const errorStr = String(error);
+        // 403 usually means Dependabot alerts are not enabled or no permission
+        if (errorStr.includes('403') || errorStr.includes('Forbidden')) {
+          ctx.log(`Cannot access Dependabot alerts for ${repoFullName} (permission denied)`);
+          return null;
+        }
+        ctx.warn(`Failed to fetch Dependabot alerts for ${repoFullName}: ${errorStr}`);
+        return null;
+      }
+    };
+
+    /**
+     * Format alert counts for display
+     */
+    const formatAlertSummary = (counts: AlertCounts): string => {
+      const parts: string[] = [];
+
+      if (counts.open > 0) {
+        const severityBreakdown: string[] = [];
+        if (counts.bySeverity.critical > 0)
+          severityBreakdown.push(`${counts.bySeverity.critical} critical`);
+        if (counts.bySeverity.high > 0) severityBreakdown.push(`${counts.bySeverity.high} high`);
+        if (counts.bySeverity.medium > 0)
+          severityBreakdown.push(`${counts.bySeverity.medium} medium`);
+        if (counts.bySeverity.low > 0) severityBreakdown.push(`${counts.bySeverity.low} low`);
+
+        parts.push(`${counts.open} open (${severityBreakdown.join(', ')})`);
+      } else {
+        parts.push('0 open');
+      }
+
+      parts.push(`${counts.fixed} fixed`);
+      parts.push(`${counts.dismissed} dismissed`);
+
+      return parts.join(', ');
+    };
+
     for (const repo of repos) {
       const dependabotStatus = repo.security_and_analysis?.dependabot_security_updates?.status;
 
+      // Fetch alert counts regardless of Dependabot status
+      const alertCounts = await fetchAlertCounts(repo.full_name);
+
       if (dependabotStatus === 'enabled') {
+        const alertSummary = alertCounts
+          ? `\n\nAlert Summary: ${formatAlertSummary(alertCounts)}`
+          : '';
+
         ctx.pass({
           title: `Dependabot enabled on ${repo.name}`,
-          description:
-            'Dependabot security updates are enabled and will automatically create pull requests to fix vulnerable dependencies.',
+          description: `Dependabot security updates are enabled and will automatically create pull requests to fix vulnerable dependencies.${alertSummary}`,
           resourceType: 'repository',
           resourceId: repo.full_name,
           evidence: {
             security_and_analysis: repo.security_and_analysis,
+            ...(alertCounts && {
+              alerts: {
+                open: alertCounts.open,
+                fixed: alertCounts.fixed,
+                dismissed: alertCounts.dismissed,
+                total: alertCounts.total,
+                open_by_severity: alertCounts.bySeverity,
+              },
+            }),
             checked_at: new Date().toISOString(),
           },
         });
       } else {
+        const alertSummary = alertCounts
+          ? `\n\nAlert Summary: ${formatAlertSummary(alertCounts)}`
+          : '';
+
         ctx.fail({
           title: `Dependabot not enabled on ${repo.name}`,
-          description:
-            'Dependabot security updates are not enabled, leaving the repository vulnerable to known dependency exploits.',
+          description: `Dependabot security updates are not enabled, leaving the repository vulnerable to known dependency exploits.${alertSummary}`,
           resourceType: 'repository',
           resourceId: repo.full_name,
           severity: 'medium',
           remediation: `1. Go to ${repo.html_url}/settings/security_analysis\n2. Enable "Dependabot security updates"\n3. Optionally enable "Dependabot version updates" for proactive updates`,
+          evidence: alertCounts
+            ? {
+                alerts: {
+                  open: alertCounts.open,
+                  fixed: alertCounts.fixed,
+                  dismissed: alertCounts.dismissed,
+                  total: alertCounts.total,
+                  open_by_severity: alertCounts.bySeverity,
+                },
+              }
+            : undefined,
         });
       }
     }
diff --git a/packages/integration-platform/src/manifests/github/types.ts b/packages/integration-platform/src/manifests/github/types.ts
@@ -111,3 +111,35 @@ export interface GitHubTreeEntry {
   size?: number;
   url: string;
 }
+
+/**
+ * Dependabot alert response
+ * Returned by /repos/{owner}/{repo}/dependabot/alerts
+ */
+export interface GitHubDependabotAlert {
+  number: number;
+  state: 'open' | 'dismissed' | 'fixed';
+  dependency: {
+    package: {
+      ecosystem: string;
+      name: string;
+    };
+    manifest_path: string;
+  };
+  security_advisory: {
+    ghsa_id: string;
+    cve_id: string | null;
+    summary: string;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+  };
+  security_vulnerability: {
+    severity: 'low' | 'medium' | 'high' | 'critical';
+  };
+  created_at: string;
+  updated_at: string;
+  dismissed_at: string | null;
+  dismissed_by: { login: string } | null;
+  dismissed_reason: string | null;
+  fixed_at: string | null;
+  html_url: string;
+}
