fix(integration-platform): fail Dependabot check on open high/critical alerts

The GitHub "Dependabot Security Updates Enabled" check previously passed whenever Dependabot was enabled on a repo, even when open high- or critical-severity alerts were waiting — hiding a real compliance risk behind a green checkmark. It now:

- Accepts an `alert_severity_threshold` variable (default: `high`) so CX can configure what counts as a failure per connection.
- Fails the check for the repo when open alerts at or above the threshold exist, using the highest actual severity present as the finding severity, and pointing the user at the repo's /security/dependabot page for remediation.
- Preserves the transparent fallback when alert data cannot be fetched (e.g. 403) — no alert signal means no pass/fail regression.

Severity helpers split into `dependabot-alert-severity.ts` for focused unit testing; the main check stays a single-responsibility orchestrator.
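The severity gate this commit message describes, as an added TypeScript example that is not the project's `dependabot-alert-severity.ts` (that file is not on this page). The names `evaluateDependabotCheck`, `parseThreshold`, the alert and result shapes, and the `https://github.com/<repo>/security/dependabot` remediation URL are assumptions; the unfetchable-alerts case is modelled as keeping the previous pass-when-enabled result while recording `alerts_fetched: false` in the evidence.

```typescript
type Severity = "low" | "medium" | "high" | "critical";
const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };
// Minimal shape of a Dependabot alert as the check needs it (assumed field names).
interface DependabotAlert { state: "open" | "dismissed" | "fixed"; severity: Severity; }
interface CheckResult {
  passed: boolean;
  findingSeverity: Severity | null;   // highest open severity at/above threshold, else null
  remediationUrl: string | null;
  evidence: { threshold: Severity; open_by_severity: Record<Severity, number>; checked_at: string; alerts_fetched: boolean };
}

// Parse the per-connection `alert_severity_threshold` variable; unknown values fall back to `high`.
function parseThreshold(raw: string | undefined): Severity {
  const v = (raw ?? "high").trim().toLowerCase();
  return v in SEVERITY_RANK ? (v as Severity) : "high";
}

// Highest severity among open alerts, or null when none are open (dismissed/fixed do not count).
function highestOpenSeverity(alerts: DependabotAlert[]): Severity | null {
  let best: Severity | null = null;
  for (const a of alerts) {
    if (a.state !== "open") continue;
    if (best === null || SEVERITY_RANK[a.severity] > SEVERITY_RANK[best]) best = a.severity;
  }
  return best;
}

// `alerts === null` models the alert fetch failing (e.g. HTTP 403): with no alert signal the
// check keeps its previous pass-when-enabled behaviour and records that fact in the evidence.
function evaluateDependabotCheck(
  repoFullName: string, dependabotEnabled: boolean, alerts: DependabotAlert[] | null,
  thresholdVar?: string, now: Date = new Date(),
): CheckResult {
  const threshold = parseThreshold(thresholdVar);
  const openBySeverity: Record<Severity, number> = { low: 0, medium: 0, high: 0, critical: 0 };
  for (const a of alerts ?? []) if (a.state === "open") openBySeverity[a.severity] += 1;
  const highest = alerts ? highestOpenSeverity(alerts) : null;
  const breach = highest !== null && SEVERITY_RANK[highest] >= SEVERITY_RANK[threshold];
  return {
    passed: dependabotEnabled && !breach,
    findingSeverity: breach ? highest : null,
    remediationUrl: breach ? `https://github.com/${repoFullName}/security/dependabot` : null,
    evidence: { threshold, open_by_severity: openBySeverity, checked_at: now.toISOString(), alerts_fetched: alerts !== null },
  };
}

// Constructed sample: two open alerts plus a dismissed critical one that must not count.
const sampleResult = evaluateDependabotCheck("acme/app", true, [
  { state: "open", severity: "medium" }, { state: "open", severity: "critical" }, { state: "dismissed", severity: "critical" },
], undefined, new Date("2024-01-01T00:00:00.000Z"));
```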
fix(app): show evidence block for failed automation runs

The automation-run detail card in Compliance → Task → Integration Checks rendered a "View Evidence" expandable JSON tree for every *passing* result but never for a *failing* one — even though the backend saves the same `evidence` payload for both and the API returns it identically. After the Dependabot severity-gating change (#2643), failing runs surface useful context in their evidence (open_by_severity breakdown, checked_at, etc.) that users need to understand *why* the check failed. Hiding it behind a UI inconsistency defeats that. Mirror the passing block's `details > EvidenceJsonView` pattern onto the findings map so both states render identically.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic

Update the Dependabot check to fail only when a repo has open alerts at or above a configurable severity threshold (default: high). Also show the evidence block for failed automation runs in the Compliance task UI.

New Features

- `alert_severity_threshold` (default `high`) to control when the check fails.
- Severity helpers split into `dependabot-alert-severity.ts`, with unit tests.

Bug Fixes
Written for commit 0a77112. Summary will update on new commits.