
Commit f1eda4a

[EDI] Viewing and updating Dependabot alerts (#59257)
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
1 parent c822f53 commit f1eda4a

4 files changed

Lines changed: 71 additions & 44 deletions

File tree

content/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts.md

Lines changed: 31 additions & 44 deletions
Original file line numberDiff line numberDiff line change
@@ -27,81 +27,68 @@ topics:
2727

2828
Your repository's {% data variables.product.prodname_dependabot_alerts %} tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
2929

30-
You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
31-
3230
## About updates for vulnerable dependencies in your repository
3331

34-
{% data variables.product.github %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect that the default branch of your codebase is using dependencies with known security risks. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.github %} detects a vulnerable dependency in the default branch, {% data variables.product.prodname_dependabot %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.
35-
36-
{% data reusables.dependabot.no-dependabot-alerts-for-malware %}
37-
3832
Each {% data variables.product.prodname_dependabot %} alert has a unique numeric identifier and the {% data variables.product.prodname_dependabot_alerts %} tab lists an alert for every detected vulnerability. Legacy {% data variables.product.prodname_dependabot_alerts %} grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy {% data variables.product.prodname_dependabot %} alert, you will be redirected to a {% data variables.product.prodname_dependabot_alerts %} tab filtered for that package.
3933

40-
You can filter and sort {% data variables.product.prodname_dependabot_alerts %} using a variety of filters and sort options available on the user interface. For more information, see [Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts) below.
34+
You can filter and sort {% data variables.product.prodname_dependabot_alerts %} using a variety of filters and sort options available on the user interface. For more information, see [Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %}](#viewing-and-prioritizing-dependabot-alerts) below.
4135

4236
You can also audit actions taken in response to {% data variables.product.prodname_dependabot %} alerts. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts).
4337

44-
## Prioritizing {% data variables.product.prodname_dependabot_alerts %}
38+
## Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %}
4539

46-
{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.
47-
You can also use {% data variables.dependabot.auto_triage_rules %} to prioritize {% data variables.product.prodname_dependabot_alerts %}. For more information, see “[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).”
40+
You can view, sort, and filter {% data variables.product.prodname_dependabot_alerts %} to focus on the alerts that matter most.
4841

49-
{% data reusables.dependabot.dependabot-alerts-filters %}
42+
By default, alerts are sorted by **Most important**, which helps you prioritize fixes based on factors such as potential impact, actionability, and relevance. This prioritization is continuously improved and considers signals like CVSS score, dependency scope, and whether vulnerable function calls are detected.
5043

51-
In addition to the filters available via the search bar, you can sort and filter {% data variables.product.prodname_dependabot_alerts %} using the dropdown menus at the top of the alert list. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.
44+
{% data reusables.dependabot.where-to-view-dependabot-alerts %}
5245

53-
The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for `yaml.load() API could execute arbitrary code` will return {% data variables.product.prodname_dependabot_alerts %} linked to [PyYAML insecurely deserializes YAML strings leading to arbitrary code execution](https://github.com/advisories/GHSA-rprw-h62v-c2w7) as the search string appears in the advisory description.
46+
{% data reusables.repositories.navigate-to-repo %}
47+
{% data reusables.repositories.sidebar-security %}
48+
{% data reusables.repositories.sidebar-dependabot-alerts %}
5449

55-
![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png)
50+
1. Optionally, refine the list of alerts:
51+
* Use the dropdown menus at the top of the list to sort or filter alerts.
5652

57-
You can also use the REST API to get a list of {% data variables.product.prodname_dependabot_alerts %} sorted using your filter of choice, for your repository, organization, or enterprise. For more information about API endpoints, see [AUTOTITLE](/rest/dependabot/alerts).
53+
![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png)
5854

59-
## Supported ecosystems and manifests for dependency scope
55+
* Type directly in the search bar to filter alerts, including full-text search across alert details and related security advisories.
56+
* Click a label on an alert to automatically filter the list by that label.
57+
* To identify alerts that affect development dependencies, filter by the `scope:development` filter or look for alerts labeled "Development". This can help you prioritize alerts that affect production dependencies first.
6058

61-
{% data reusables.dependabot.dependabot-alerts-dependency-scope %}
59+
![Screenshot showing the "Development" label assigned to an alert in the list of alerts.](/assets/images/help/repository/dependabot-alerts-development-label.png)
6260

63-
Alerts for packages listed as development dependencies are marked with the `Development` label on the {% data variables.product.prodname_dependabot_alerts %} page and are also available for filtering via the `scope` filter.
61+
1. Click an alert to view its details. Alerts for development-scoped dependencies include a "Development" label in the "Tags" section on the alert details page.
6462

65-
![Screenshot showing the "Development" label assigned to an alert in the list of alerts. The label is highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-development-label.png)
63+
![Screenshot showing the "Tags" section in the alert details page.](/assets/images/help/repository/dependabot-alerts-tags-section.png)
6664

67-
The alert details page of alerts on development-scoped packages shows a "Tags" section containing a `Development` label.
65+
1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).
6866

69-
![Screenshot showing the "Tags" section in the alert details page. The label is highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-tags-section.png)
67+
### Tips for prioritizing alerts
7068

71-
## Viewing {% data variables.product.prodname_dependabot_alerts %}
69+
* Use the **Most important** sort order to focus on alerts with the highest potential impact.
70+
* Prioritize alerts that affect production dependencies over development dependencies.
71+
* Use {% data variables.dependabot.auto_triage_rules %} to automatically prioritize or manage alerts. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules).
7272

73-
{% data reusables.dependabot.where-to-view-dependabot-alerts %} You can sort and filter {% data variables.product.prodname_dependabot_alerts %} by selecting a filter from the dropdown menu.
73+
For more information about supported ecosystems and manifest files for dependency scope, see [AUTOTITLE](/code-security/reference/supply-chain-security/supported-ecosystems-and-manifests-for-dependency-scope).
7474

75-
To view summaries of alerts for all or a subset of repositories owned by your organization, use security overview. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview#about-security-overview-for-organizations).
75+
For a complete list of available filters, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-alerts-filters).
7676

77-
{% data reusables.repositories.navigate-to-repo %}
78-
{% data reusables.repositories.sidebar-security %}
79-
{% data reusables.repositories.sidebar-dependabot-alerts %}
80-
1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. For more information about filtering and sorting alerts, see [Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts).
81-
82-
![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png)
83-
1. Click the alert that you would like to view.
84-
1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).
85-
86-
![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory...", is outlined in orange.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png)
77+
To retrieve alerts programmatically, see the [AUTOTITLE](/rest/dependabot/alerts).
8778

8879
## Reviewing and fixing alerts
8980

90-
It’s important to ensure that all of your dependencies are clean of any security weaknesses. When {% data variables.product.prodname_dependabot %} discovers vulnerabilities in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application.
91-
92-
If a patched version of the dependency is available, you can generate a {% data variables.product.prodname_dependabot %} pull request to update this dependency directly from a {% data variables.product.prodname_dependabot %} alert. If you have {% data variables.product.prodname_dependabot_security_updates %} enabled, the pull request may be linked in the {% data variables.product.prodname_dependabot %} alert.
93-
94-
In cases where a patched version is not available, or you can’t update to the secure version, {% data variables.product.prodname_dependabot %} shares additional information to help you determine next steps. When you click through to view a {% data variables.product.prodname_dependabot %} alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory.
95-
9681
{% ifversion copilot-chat-ghas-alerts %}
9782

9883
With a {% data variables.copilot.copilot_enterprise %} license, you can also ask {% data variables.copilot.copilot_chat %} for help to better understand {% data variables.product.prodname_dependabot_alerts %} in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features).
9984

10085
{% endif %}
10186

87+
You can review the details of a {% data variables.product.prodname_dependabot %} alert to understand the vulnerability and how to fix it.
88+
10289
### Fixing vulnerable dependencies
10390

104-
1. View the details for an alert. For more information, see [Viewing {% data variables.product.prodname_dependabot_alerts %}](#viewing-dependabot-alerts) (above).
91+
1. View the details for an alert. For more information, see [Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %}](#viewing-and-prioritizing-dependabot-alerts) (above).
10592
1. If you have {% data variables.product.prodname_dependabot_security_updates %} enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click **Create {% data variables.product.prodname_dependabot %} security update** at the top of the alert details page to create a pull request.
10693

10794
![Screenshot of a {% data variables.product.prodname_dependabot %} alert with the "Create {% data variables.product.prodname_dependabot %} security update" button highlighted with a dark orange outline.](/assets/images/help/repository/create-dependabot-security-update-button-ungrouped.png)
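Review bot: two security-relevant passages are deleted in this hunk with no visible replacement: the `{% data reusables.dependabot.no-dependabot-alerts-for-malware %}` caveat (old line 36) and the old lines 92-94 paragraph telling readers that, when no patched version exists, the alert shows the advisory's affected functions so they can check whether their code calls them before accepting the risk. The new line 87 sentence `You can review the details of a {% data variables.product.prodname_dependabot %} alert to understand the vulnerability and how to fix it.` does not carry either point. If this text was moved to the concept page, link to it from "Reviewing and fixing alerts"; otherwise restore it here. Secondary: the heading renames drop the anchors `#prioritizing-dependabot-alerts`, `#viewing-dependabot-alerts` and `#supported-ecosystems-and-manifests-for-dependency-scope`, so inbound links from other pages need updating, and new line 77 `To retrieve alerts programmatically, see the [AUTOTITLE](/rest/dependabot/alerts).` should drop the `the` since AUTOTITLE expands to a page title.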
@@ -118,7 +105,7 @@ With a {% data variables.copilot.copilot_enterprise %} license, you can also ask
118105
119106
If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.
120107

121-
1. View the details for an alert. For more information, see [Viewing vulnerable dependencies](#viewing-dependabot-alerts) (above).
108+
1. [Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %}](#viewing-and-prioritizing-dependabot-alerts) (above).
122109
1. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later.
123110
1. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the `dismissComment` field. For more information, see [AUTOTITLE](/graphql/reference/objects#repositoryvulnerabilityalert) in the GraphQL API documentation.
124111

@@ -128,7 +115,7 @@ If you schedule extensive work to upgrade a dependency, or decide that an alert
128115

129116
### Dismissing multiple alerts at once
130117

131-
1. View the open {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-dependabot-alerts).
118+
1. View the open {% data variables.product.prodname_dependabot_alerts %}.
132119
1. Optionally, filter the list of alerts by selecting a dropdown menu, then clicking the filter that you would like to apply. You can also type filters into the search bar.
133120
1. To the left of each alert title, select the alerts that you want to dismiss.
134121
![Screenshot of the {% data variables.product.prodname_dependabot_alerts %} view. Two alerts are selected and these check boxes are highlighted with an orange outline.](/assets/images/help/graphs/select-multiple-alerts.png)
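Review bot: new line 118 removes the only pointer to where the alert list lives; the old link only needed its anchor updated, not deleting. Keep it as `For more information, see [Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %}](#viewing-and-prioritizing-dependabot-alerts) (above).` so the step matches the style of new line 91.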
@@ -155,7 +142,7 @@ You can view all open alerts, and you can reopen alerts that have been previousl
155142

156143
### Reopening multiple alerts at once
157144

158-
1. View the closed {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-updating-closed-alerts) (above).
145+
1. View the closed {% data variables.product.prodname_dependabot_alerts %}.
159146
1. To the left of each alert title, select the alerts that you want to reopen by clicking the checkbox adjacent to each alert.
160147
1. Optionally, at the top of the list of alerts, select all closed alerts on the page.
161148
![Screenshot of alerts in the "Closed" tab. The "Select all" checkbox is highlighted with a dark orange outline.](/assets/images/help/graphs/select-all-closed-alerts.png)
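Review bot: new line 145 drops the link to `#viewing-and-updating-closed-alerts`, but nothing in this diff renames that section (the hunk context `You can view all open alerts, and you can reopen alerts that have been previously...` is the text under it); only the viewing/prioritizing anchors changed. Keep the cross-reference, updating it to a same-page anchor `(#viewing-and-updating-closed-alerts)` rather than the full path.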
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
---
2+
title: Dependabot alert filters
3+
intro: '{% data variables.product.prodname_dependabot_alerts %} filters help you prioritize and manage alerts for vulnerable dependencies in your repositories.'
4+
allowTitleToDifferFromFilename: true
5+
versions:
6+
fpt: '*'
7+
ghec: '*'
8+
ghes: '*'
9+
topics:
10+
- Dependabot
11+
- Version updates
12+
- Repositories
13+
- Dependencies
14+
- Pull requests
15+
shortTitle: Dependabot alerts filters
16+
contentType: reference
17+
---
18+
19+
{% data reusables.dependabot.dependabot-alerts-filters %}
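Review bot: `title: Dependabot alert filters` (line 2) and `shortTitle: Dependabot alerts filters` (line 15) disagree on "alert" vs "alerts"; pick one form. The `topics` list (lines 10-14) includes `Version updates` and `Pull requests`, which a reference page about alert filters does not cover; `Dependabot`, `Dependencies` and `Repositories` plus a security-alerts topic would be more accurate.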

content/code-security/reference/supply-chain-security/index.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@ topics:
1818
contentType: reference
1919
children:
2020
- /dependabot-options-reference
21+
- /dependabot-alerts-filters
22+
- /supported-ecosystems-and-manifests-for-dependency-scope
2123
- /dependabot-pull-request-comment-commands
2224
- /supported-ecosystems-and-repositories
2325
- /dependency-graph-supported-package-ecosystems
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
---
2+
title: Supported ecosystems and manifests for dependency scope
3+
intro: '{% data variables.product.prodname_dependabot_alerts %} supports a variety of ecosystems and manifests for dependency scope.'
4+
allowTitleToDifferFromFilename: true
5+
versions:
6+
fpt: '*'
7+
ghec: '*'
8+
ghes: '*'
9+
topics:
10+
- Dependabot
11+
- Version updates
12+
- Repositories
13+
- Dependencies
14+
- Pull requests
15+
shortTitle: Dependency scope
16+
contentType: reference
17+
---
18+
19+
{% data reusables.dependabot.dependabot-alerts-dependency-scope %}
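Review bot: the `topics` front matter (lines 10-14) lists `Version updates` and `Pull requests`, neither of which relates to how alerts classify dependency scope. The intro on line 3, `{% data variables.product.prodname_dependabot_alerts %} supports a variety of ecosystems and manifests for dependency scope.`, also misstates what the page documents: the reusable lists which ecosystems and manifest files are used to mark a dependency as development or production. Consider `{% data variables.product.prodname_dependabot_alerts %} use these ecosystems and manifest files to determine whether a dependency is a development or production dependency.`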
