About metrics for Dependabot
The metrics overview for Dependabot provides valuable insights for both developers and application security (AppSec) managers. The data in the Dependabot dashboard page contains a vulnerability prioritization funnel that helps with efficiently prioritizing, remediating, and tracking vulnerabilities across multiple repositories. This ensures that the most critical risks are addressed first and that security improvements can be measured over time.
For more information about how AppSec managers can best use these metrics to optimize alert fixing, see Prioritizing Dependabot alerts using metrics.
You can see Dependabot metrics if you have:
- The
adminrole for the repository. - A custom repository role with the "View Dependabot alerts" fine-grained permissions for the repository. For more information, see About custom repository roles.
- Access to alerts for the repository. For more information, see Managing security and analysis settings for your repository.
The available metrics combine severity, exploitability, and patch availability, and help in the following ways:
-
Alert prioritization: the chart shows the number of open Dependabot alerts. You can use filters, such as availability of patches, severity, EPSS score to narrow down the list of alerts to those matching the criteria. See Dependabot dashboard view filters.
-
Remediation tracking: The “Alerts closed” tile shows the number of alerts fixed with Dependabot, manually dismissed, and auto dismissed, providing visibility into remediation performance and trends. The tile also shows the percent increase in the number of alerts closed in the last 30 days.
-
Highest-risk package: The "Most vulnerabilities" tile shows the dependency that has the most vulnerabilities in the organization. The tile also provides a link to the related alerts across all your repositories.
-
Repository-level breakdown: The table shows a breakdown of open alerts by repository, including counts by severity (critical, high, medium, low) and by exploitability (for example, EPSS > 1%), and can be sorted by each column. This helps you identify which projects are most at risk, prioritize remediation efforts where they matter most, and track progress over time at a granular level.
These metrics help managers measure the effectiveness of their vulnerability management and ensure compliance with organizational or regulatory timelines.
- Actionable context for developers: Developers can use the severity and patch availability filters to identify vulnerabilities they can fix immediately, reducing noise and focusing attention on issues they can address. These metrics help them understand the risk profile of their dependencies, enabling informed prioritization of work.
Viewing metrics for Dependabot for an organization
-
On GitHub, navigate to the main page of the organization.
-
Under your organization name, click Security.
-
In the sidebar, under "Metrics", click Dependabot dashboard.
-
Optionally, use the filters at your disposal, or build your own filters. See Dependabot dashboard view filters.
-
Optionally, click on a number on the x-axis of the chart to filter the alert list by the relevant criteria (for example
has:patch severity:critical,high epss_percentage:>=0.01). -
Optionally, click on an individual repository to see the associated Dependabot alerts.
Configuring funnel categories
The default funnel order is has:patch, severity:critical,high, epss_percentage>=0.01. By tailoring the funnel’s order, you and your teams can focus on the vulnerabilities that matter most to your organization, environments, or regulatory obligations, making remediation efforts more effective and aligned with your specific needs.
-
On GitHub, navigate to the main page of the organization.
-
Under your organization name, click Security.
-
In the sidebar, under "Metrics", click Dependabot dashboard.
-
On the top right of the "Alert prioritization" graph, click .
-
In the "Configure funnel order" dialog, move the criteria as desired.
-
Once you're done, click Move to save your changes.
提示
You can reset the funnel order back to the default settings by clicking Reset to default to the right of the graph.