Table: github_repository_dependabot_alert - Query GitHub Dependabot Alerts using SQL
GitHub Dependabot is a feature within the GitHub platform that monitors your project dependencies for known security vulnerabilities and automatically opens pull requests to update them to the minimum required version. It provides an automated way to keep your project dependencies up-to-date and secure. GitHub Dependabot helps you maintain the security and reliability of your projects by identifying and suggesting updates for vulnerable dependencies.
Table Usage Guide
The github_repository_dependabot_alert table provides insights into Dependabot alerts within GitHub repositories. As a project maintainer or security engineer, explore alert-specific details through this table, including the dependency name, version, and associated security vulnerabilities. Utilize it to uncover information about potentially insecure dependencies, helping you to maintain the security and integrity of your projects.
Important Notes
- You must specify the
repository_full_name(repository including org/user prefix) column in thewhereorjoinclause to query the table.
Examples
List dependabot alerts
Identify the status and type of dependabot alerts for a specific repository to maintain and upgrade dependencies efficiently.
select state, dependency_package_ecosystem, dependency_package_namefrom github_repository_dependabot_alertwhere repository_full_name = 'turbot/steampipe';select state, dependency_package_ecosystem, dependency_package_namefrom github_repository_dependabot_alertwhere repository_full_name = 'turbot/steampipe';List open dependabot alerts
Discover the segments that have active dependency alerts within a specific GitHub repository. This query is useful for maintaining security and up-to-date dependencies in your projects.
select state, dependency_package_ecosystem, dependency_package_namefrom github_repository_dependabot_alertwhere repository_full_name = 'turbot/steampipe' and state = 'open';select state, dependency_package_ecosystem, dependency_package_namefrom github_repository_dependabot_alertwhere repository_full_name = 'turbot/steampipe' and state = 'open';List open critical dependabot alerts
Explore critical alerts in your repository's dependencies that are currently open. This is useful for quickly identifying potential security risks within your project's ecosystem.
select state, dependency_package_ecosystem, dependency_package_namefrom github_repository_dependabot_alertwhere repository_full_name = 'turbot/steampipe' and state = 'open' and security_advisory_severity = 'critical';select state, dependency_package_ecosystem, dependency_package_namefrom github_repository_dependabot_alertwhere repository_full_name = 'turbot/steampipe' and state = 'open' and security_advisory_severity = 'critical';Query examples
Schema for github_repository_dependabot_alert
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| alert_number | bigint | = | The security alert number. |
| created_at | timestamp with time zone | The time that the alert was created. | |
| dependency_manifest_path | text | The unique manifestation path within the ecosystem. | |
| dependency_package_ecosystem | text | = | The package's language or package management ecosystem. |
| dependency_package_name | text | = | The unique package name within its ecosystem. |
| dependency_scope | text | = | The execution scope of the vulnerable dependency. |
| dismissed_at | timestamp with time zone | The time that the alert was dismissed. | |
| dismissed_comment | text | An optional comment associated with the alert's dismissal. | |
| dismissed_reason | text | The reason that the alert was dismissed. | |
| fixed_at | timestamp with time zone | The time that the alert was no longer detected and was considered fixed. | |
| html_url | text | The GitHub URL of the alert resource. | |
| repository_full_name | text | = | The full name of the repository (login/repo-name). |
| security_advisory_cve_id | text | The unique CVE ID assigned to the advisory. | |
| security_advisory_cvss_score | double precision | The overall CVSS score of the advisory. | |
| security_advisory_cvss_vector_string | text | The full CVSS vector string for the advisory. | |
| security_advisory_cwes | jsonb | The associated CWEs | |
| security_advisory_description | text | A long-form Markdown-supported description of the advisory. | |
| security_advisory_ghsa_id | text | The unique GitHub Security Advisory ID assigned to the advisory. | |
| security_advisory_published_at | timestamp with time zone | The time that the advisory was published. | |
| security_advisory_severity | text | = | The severity of the advisory. |
| security_advisory_summary | text | A short, plain text summary of the advisory. | |
| security_advisory_updated_at | timestamp with time zone | The time that the advisory was last modified. | |
| security_advisory_withdrawn_at | timestamp with time zone | The time that the advisory was withdrawn. | |
| state | text | = | The state of the Dependabot alert. |
| updated_at | timestamp with time zone | The time that the alert was last updated. | |
| url | text | The REST API URL of the alert resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- githubYou can pass the configuration to the command with the --config argument:
steampipe_export_github --config '<your_config>' github_repository_dependabot_alert