How can I GET the list of dependabot alerts available at https://github.com/{user}/{repo}/security/dependabot?page=1&q=is%3Aopen via the GitHub API?
I searched through the documentation but couldn't find anything there.
Thanks!
There is this RepositoryVulnerabilityAlert object available with the Graphql API.
For example, for a specific repository, you can get all the alerts with the following query (check this out in the explorer):

    {
      repository(name: "repo-name", owner: "repo-owner") {
        vulnerabilityAlerts(first: 100) {
          nodes {
            createdAt
            dismissedAt
            securityVulnerability {
              package {
                name
              }
              advisory {
                description
              }
            }
          }
        }
      }
    }
It also returns alerts that were dismissed, which can be spotted using the dismissedAt field. But there doesn't seem to be a way to filter only "active" alerts.
Sample output:
    {
      "data": {
        "repository": {
          "vulnerabilityAlerts": {
            "nodes": [
              {
                "createdAt": "2018-03-05T19:13:26Z",
                "dismissedAt": null,
                "securityVulnerability": {
                  "package": {
                    "name": "moment"
                  },
                  "advisory": {
                    "description": "Affected versions of `moment` are vulnerable to a low severity regular expression denial of service when parsing dates as strings.\n\n\n## Recommendation\n\nUpdate to version 2.19.3 or later."
                  }
                }
              },
              ....
            ]
          }
        }
      }
    }
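Since the query above returns dismissed alerts too and offers no server-side filter, a client has to page through every alert and drop the ones whose dismissedAt is set. The script below is an added example (not from the answer or from GitHub): it sends the same query over the GraphQL endpoint with the standard pageInfo/after cursor fields added, keeps only open alerts, and includes a constructed sample response so the filtering can be exercised offline. The token and the assumed repository names are placeholders.

```python
import json
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"  # GitHub's GraphQL endpoint
# The answer's query plus pageInfo/after (standard connection fields) to walk >100 alerts.
QUERY = """
query($owner: String!, $name: String!, $cursor: String) {
  repository(owner: $owner, name: $name) {
    vulnerabilityAlerts(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        createdAt
        dismissedAt
        securityVulnerability { package { name } advisory { description } }
      }
    }
  }
}"""

# Constructed sample page in the shape the API returns; not real API output.
SAMPLE_PAGE = {"data": {"repository": {"vulnerabilityAlerts": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [{"createdAt": "2018-03-05T19:13:26Z", "dismissedAt": None,
               "securityVulnerability": {"package": {"name": "moment"}}},
              {"createdAt": "2019-01-01T00:00:00Z", "dismissedAt": "2019-02-01T00:00:00Z",
               "securityVulnerability": {"package": {"name": "lodash"}}}]}}}}

def open_alerts(page):
    # No server-side filter exists, so a null dismissedAt is the "still active" signal.
    nodes = page["data"]["repository"]["vulnerabilityAlerts"]["nodes"]
    return [n for n in nodes if n.get("dismissedAt") is None]

def fetch_open_alerts(owner, name, token, post=None):
    # Walk every page of alerts; `post` can be swapped for a fake in tests.
    post, cursor, found = post or _post_graphql, None, []
    while True:
        page = post(token, QUERY, {"owner": owner, "name": name, "cursor": cursor})
        found.extend(open_alerts(page))
        info = page["data"]["repository"]["vulnerabilityAlerts"]["pageInfo"]
        if not info["hasNextPage"]:
            return found
        cursor = info["endCursor"]

def _post_graphql(token, query, variables):
    # Real call: needs a personal access token that can read the repository's alerts.
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(GRAPHQL_URL, data=body, method="POST", headers={
        "Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Calling `fetch_open_alerts("repo-owner", "repo-name", token)` against the live API returns only the alerts that have not been dismissed.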