[EDI] Viewing metrics for Dependabot alerts (#59421)

mchammer01 · web-flow · commit 34fd385c481e · 2026-02-05T16:24:53.000Z
diff --git a/content/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts.md b/content/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts.md
@@ -0,0 +1,80 @@
+---
+title: About metrics for Dependabot alerts
+intro: Use metrics to track and prioritize {% data variables.product.prodname_dependabot_alerts %} across your organization.
+versions:
+  feature: dependabot-metrics
+product: '{% data reusables.gated-features.security-overview-fpt-cs-only %}'
+permissions: '{% data reusables.permissions.security-overview-dependabot-metrics %}'
+topics:
+  - Security overview
+  - Code Security
+  - Dependabot
+  - Organizations
+  - Alerts
+  - Vulnerabilities
+shortTitle: Dependabot alert metrics
+contentType: concepts
+---
+
+Metrics for {% data variables.product.prodname_dependabot_alerts %} help you understand the security posture of your organization's dependencies and track progress in resolving vulnerabilities. You can use these metrics to prioritize remediation efforts and focus on the most critical security issues.
+
+Metrics for {% data variables.product.prodname_dependabot_alerts %} are available on your organization's security overview.
+
+## Who can view metrics
+
+You can see {% data variables.product.prodname_dependabot %} metrics if you have one of the permissions mentioned in the "Who can use this feature?" box at the top of the article.
+
+## Ways the data can help you
+
+The available metrics combine severity, exploitability, and patch availability to help you:
+
+* **Prioritize alerts**: Focus on the most critical vulnerabilities that need immediate attention based on severity, exploitability scores, and patch availability.
+* **Track remediation progress**: Monitor how quickly your organization resolves vulnerabilities and identify trends over time.
+* **Identify high-risk dependencies**: Quickly spot packages that pose the greatest security risk across your repositories.
+* **Make data-driven decisions**: Allocate resources effectively by understanding which repositories and vulnerabilities require the most attention.
+
+These metrics help both application security managers measure the effectiveness of their vulnerability management programs and developers identify which vulnerabilities they can fix immediately.
+
+## Alert prioritization
+
+The metrics dashboard shows the number of **open {% data variables.product.prodname_dependabot_alerts %}**. You can use filters such as availability of patches, severity, and EPSS score to narrow down the list of alerts to those matching specific criteria. {% data reusables.security-overview.dependabot-filters-link %}
+
+For more information about how AppSec managers can best use these metrics to optimize alert fixing, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/prioritizing-dependabot-alerts-using-metrics).
+
+Key metrics for prioritization include:
+
+* **Severity**: The impact level of a vulnerability (critical, high, medium, or low)
+* **Exploitability**: How easily a vulnerability can be exploited in practice, including EPSS scores
+* **Dependency relationship**: Whether the vulnerable dependency is direct or transitive (indirect)
+* **Dependency scope**: Whether the vulnerability affects runtime dependencies, development dependencies, or both
+* **Actual usage**: Whether the vulnerable code is actually used in your application
+* **Patch availability**: Whether a fix is available for the vulnerability
+
+## Alert resolution tracking
+
+You can monitor how your organization resolves {% data variables.product.prodname_dependabot_alerts %} over time. Alert resolution metrics show the number of alerts:
+
+* Fixed by {% data variables.product.prodname_dependabot %}
+* Manually dismissed
+* Auto-dismissed
+
+This tile also displays the percent increase in the number of alerts closed in the last 30 days, providing visibility into remediation performance and helping you identify trends in vulnerability remediation.
+
+## Highest-risk packages
+
+The "Most vulnerabilities" tile shows the dependency that has the most vulnerabilities in your organization, along with a link to the related alerts across all your repositories. This helps you quickly identify which dependencies pose the greatest risk.
+
+## Repository-level metrics
+
+The repository breakdown table shows a summary of open alerts by repository, including:
+
+* The total number of alerts per repository
+* Severity distribution (critical, high, medium, low)
+* Exploitability information (for example, EPSS > 1%)
+
+This table can be sorted by each column, helping you identify which repositories are most at risk and prioritize remediation efforts accordingly.
+
+## Further reading
+
+* [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-dependabot-alerts)
+* [AUTOTITLE](/code-security/tutorials/manage-security-alerts/prioritizing-dependabot-alerts-using-metrics)
diff --git a/content/code-security/concepts/supply-chain-security/index.md b/content/code-security/concepts/supply-chain-security/index.md
@@ -14,6 +14,7 @@ children:
   - about-the-dependency-graph
   - about-dependency-review
   - about-dependabot-alerts
+  - about-metrics-for-dependabot-alerts
   - about-dependabot-security-updates
   - about-dependabot-version-updates
   - about-dependabot-pull-requests
diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md
@@ -39,7 +39,7 @@ Regularly assessing your exposure to vulnerabilities is good practice to help id
 
 * **{% data variables.product.prodname_dependabot %}** automatically monitors your project’s dependencies for vulnerabilities and outdated packages. When it detects a security issue or a new version, it creates pull requests to update the affected dependencies, helping you quickly address security risks and keep your software up to date. This reduces manual effort and helps ensure your project remains secure. See [AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide).
 
-{% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).
+{% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts).
 
 ## Key tasks for AppSec managers
 
diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-dependabot-alerts.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-dependabot-alerts.md
@@ -5,7 +5,7 @@ allowTitleToDifferFromFilename: true
 intro: You can use security overview to see how many {% data variables.product.prodname_dependabot_alerts %} are in repositories across your organization, to prioritize the most critical alerts to fix, and to identify repositories where you may need to take action.
 versions:
   feature: dependabot-metrics
-permissions: '{% data reusables.permissions.security-overview %}'
+permissions: '{% data reusables.permissions.security-overview-dependabot-metrics %}'
 product: '{% data reusables.gated-features.security-overview-fpt-cs-only %}'
 contentType: how-tos
 topics:
@@ -19,31 +19,9 @@ redirect_from:
   - /code-security/security-overview/viewing-metrics-for-dependabot-alerts
 ---
 
-## About metrics for {% data variables.product.prodname_dependabot %}
+You can view metrics for {% data variables.product.prodname_dependabot_alerts %} to track and prioritize vulnerabilities across your organization. For more information about the available metrics and how to use them, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts).
 
-The metrics overview for {% data variables.product.prodname_dependabot %} provides valuable insights for both developers and application security (AppSec) managers. The data in the {% data variables.product.prodname_dependabot %} dashboard page contains a vulnerability prioritization funnel that helps with efficiently prioritizing, remediating, and tracking vulnerabilities across multiple repositories. This ensures that the most critical risks are addressed first and that security improvements can be measured over time.
-
-For more information about how AppSec managers can best use these metrics to optimize alert fixing, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/prioritizing-dependabot-alerts-using-metrics).
-
-You can see  {% data variables.product.prodname_dependabot %} metrics if you have:
-
-* The `admin` role for the repository.
-* A custom repository role with the "View {% data variables.product.prodname_dependabot_alerts %}" fine-grained permissions for the repository. For more information, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles#security).
-* Access to alerts for the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts).
-
-The available metrics combine severity, exploitability, and patch availability, and help in the following ways:
-
-* **Alert prioritization:** the chart shows the number of **open {% data variables.product.prodname_dependabot_alerts %}**. You can use filters, such as availability of patches, severity, EPSS score to narrow down the list of alerts to those matching the criteria. {% data reusables.security-overview.dependabot-filters-link %}
-
-* **Remediation tracking:** The “Alerts closed” tile shows the number of alerts fixed with {% data variables.product.prodname_dependabot %}, manually dismissed, and auto dismissed, providing visibility into remediation performance and trends. The tile also shows the percent increase in the number of alerts closed in the last 30 days.
-
-* **Highest-risk package:** The "Most vulnerabilities" tile shows the dependency that has the most vulnerabilities in the organization. The tile also provides a link to the related alerts across all your repositories.
-
-* **Repository-level breakdown:** The table shows a breakdown of open alerts by repository, including counts by severity (critical, high, medium, low) and by exploitability (for example, EPSS > 1%), and can be sorted by each column. This helps you identify which projects are most at risk, prioritize remediation efforts where they matter most, and track progress over time at a granular level.
-
-These metrics help managers measure the effectiveness of their vulnerability management and ensure compliance with organizational or regulatory timelines.
-
-* **Actionable context for developers:** Developers can use the severity and patch availability filters to identify vulnerabilities they can fix immediately, reducing noise and focusing attention on issues they can address. These metrics help them understand the risk profile of their dependencies, enabling informed prioritization of work.
+This article explains how to access and view these metrics for your organization.
 
 ## Viewing metrics for {% data variables.product.prodname_dependabot %} for an organization
 
@@ -66,3 +44,13 @@ The default funnel order is `has:patch, severity:critical,high, epss_percentage>
 1. Once you're done, click **Move** to save your changes.
 
 >[!TIP] You can reset the funnel order back to the default settings by clicking **Reset to default** to the right of the graph.
+
+## Using metrics effectively
+
+Use {% data variables.product.prodname_dependabot %} metrics to:
+
+* **Prioritize remediation**: Focus on critical and high-severity alerts that are easily exploitable. Developers can use severity and patch availability filters to identify vulnerabilities they can fix immediately, reducing noise and focusing attention on actionable issues.
+* **Monitor progress**: Track how quickly your organization resolves security vulnerabilities and measure the effectiveness of vulnerability management efforts.
+* **Make data-driven decisions**: Allocate resources based on actual risk and usage patterns. The repository-level breakdown helps you understand which projects are most at risk and where to focus remediation efforts.
+* **Identify trends**: Understand whether your security posture is improving over time and ensure compliance with organizational or regulatory timelines.
+* **Understand risk profiles**: Developers can use these metrics to understand the risk profile of their dependencies, enabling informed prioritization of work.
diff --git a/content/code-security/tutorials/manage-security-alerts/prioritizing-dependabot-alerts-using-metrics.md b/content/code-security/tutorials/manage-security-alerts/prioritizing-dependabot-alerts-using-metrics.md
@@ -35,7 +35,7 @@ Application Security (AppSec) managers often face a flood of {% data variables.p
 * **Alerts closed in the last 30 days, including the number of alerts fixed by {% data variables.product.prodname_dependabot %}, manually dismissed, and auto dismissed**: Tracks alert resolution progress. Illustrates how {% data variables.product.prodname_GH_code_security %} can help you detect vulnerabilities early.
 * **Table showing the total number of open alerts for each repository, as well as severity and expoitability data**: Allows you to dig deeper at the repository level.
 
-For more information about these metrics, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).
+For more information about these metrics, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts).
 
 Additionally, you can specify complex filters, which are combinations of the individual filters that are available. For more information about filters, see [{% data variables.product.prodname_dependabot %} dashboard view filters](/code-security/security-overview/filtering-alerts-in-security-overview#dependabot-dashboard-view-filters).
 
diff --git a/data/reusables/permissions/security-overview-dependabot-metrics.md b/data/reusables/permissions/security-overview-dependabot-metrics.md
@@ -0,0 +1,4 @@
+Access requires:
+* The `admin` role for the repository.
+* A custom repository role with the "View {% data variables.product.prodname_dependabot_alerts %}" fine-grained permissions for the repository. For more information, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles#security).
+* Access to alerts for the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts).
