Export the Dependabot alerts as CSV file from a repo
This GitHub action helps to export the Dependabot alerts to a CSV file. One can define a workflow to run or triger based on specific event to capture all Dependabot alerts to a CSV file for further analysis.
GitHub Marketplace : https://github.com/marketplace/actions/dependabot-alert-export
Create a PAT token to get access to the Dependabot alerts. Pass this token as an input to the action - GITHUB_TOKEN
Include the dependabot-alert-export action in your workflow.
Following is the sample code for integrating this action with your workflow
steps:
- name: Export Dependabot alerts
uses: ambilykk/dependabot-alert-export@v1.0
with:
GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
org_name: 'ORG_NAME'
repo_name: 'REPO_NAME'
csv_path: data/vulnerability.csv
- name: Upload Vulnerability report
uses: actions/upload-artifact@v3
with:
name: vulnerability_report
path: data/vulnerability.csv
| Name | Required | Description |
|---|---|---|
| GITHUB_TOKEN | Yes | PAT Token for access |
| org_name | Yes | GitHub Organization Name |
| repo_name | Yes | GitHub Repository Name |
| csv_path | Yes | CSV file path |
Following fields are included in the Vulnerability Report
- Vulnerability Id
- Dependency Scope (
DEVELOPMENTorRUNTIME) - State (
DISMISSED,FIXEDorOPEN) - Created At
- Manifest File Name
- Vulnerability Version Range
- Package Name
- GHSA Id (The ID of the vulnerability in the GitHub Security Advisory Database)
- Severity
- Summary
- Link
- Description
- Dismissed At (for Dismissed alerts)
- Dismiss Reason
- Dismiss Comment
- Fixed At (for Fixed alerts)
- Fix Reason
Vulnerability report in CSV format will be available as part of the build artifacts for download
The scripts and documentation in this project are released under the MIT License