GitHub Dependabot Agent

Overview

The GitHub Dependabot Agent is an official Faraday agent that automatically imports dependency-related security alerts detected by GitHub Dependabot into your Faraday workspace.
This allows security teams to track vulnerable packages, outdated dependencies, and patch recommendations directly inside Faraday, without manually reviewing alerts in GitHub.

The agent does not perform dependency analysis itself. Instead, it retrieves alerts from GitHub’s Dependabot API and converts each one into a Faraday-compatible vulnerability, grouping them based on the dependency manifest file where the issue was detected.

Parameters

When setting up the agent, you must provide the following parameters:

  • GITHUB_TOKEN: GitHub Personal Access Token with permissions to read Dependabot alerts.
  • GITHUB_OWNER: GitHub organization or user who owns the repository.

When running the agent, you must provide the following parameters:

  • GITHUB_REPOSITORY: Name of the GitHub repository to query.

Notes

The agent only imports open Dependabot alerts. Resolved or dismissed alerts are ignored, as they no longer represent an active risk.
Each manifest file detected by Dependabot is represented as a separate host inside Faraday, allowing alerts to be grouped cleanly by dependency file.
When available, CVSSv2 or CVSSv3 vectors are included, along with CVEs, CWEs, references, and affected version ranges.
All imported vulnerabilities include any user-defined tags provided through VULN_TAG.
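The conversion described in the Overview and these Notes (open alerts only, one host per manifest file, CVSS vector plus CVEs, CWEs, references, version ranges and tags), as an added example that is not the Faraday agent's own code. The alert objects are constructed samples whose field names follow GitHub's public "list Dependabot alerts" REST response as assumed here; the Faraday-side keys are likewise assumed, not taken from the agent.

```python
# Added example, not the Faraday agent's code: turn Dependabot alert objects
# into per-manifest groups of Faraday-style vulnerability dicts. Alert field
# names are assumed from GitHub's REST API; the samples below are constructed.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "dependency": {"package": {"name": "examplelib"}, "manifest_path": "requirements.txt"},
     "security_advisory": {
         "cve_id": "CVE-0000-00000",  # placeholder, not a real advisory
         "summary": "Constructed advisory summary", "description": "Constructed text",
         "severity": "high",
         "cvss": {"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
         "cwes": [{"cwe_id": "CWE-79", "name": "Cross-site Scripting"}],
         "references": [{"url": "https://example.invalid/advisory"}]},
     "security_vulnerability": {"vulnerable_version_range": "< 2.0.0",
                                "first_patched_version": {"identifier": "2.0.0"}}},
    # A dismissed alert on another manifest: must not be imported at all.
    {"number": 2, "state": "dismissed",
     "dependency": {"package": {"name": "otherlib"}, "manifest_path": "package-lock.json"},
     "security_advisory": {"summary": "ignored", "severity": "low"}},
]

def cvss_fields(vector):
    """File the vector under the CVSS version it was written in (v3 vs v2)."""
    if not vector:
        return {}
    key = "cvss3" if vector.startswith("CVSS:3") else "cvss2"
    return {key: {"vector_string": vector}}

def alerts_to_faraday(alerts, tags=()):
    """Return {manifest_path: [vuln, ...]}; each manifest becomes one Faraday host."""
    hosts = {}
    for alert in alerts:
        if alert.get("state") != "open":   # fixed/dismissed alerts are skipped
            continue
        adv = alert["security_advisory"]
        vuln = alert.get("security_vulnerability", {})
        patched = (vuln.get("first_patched_version") or {}).get("identifier")
        entry = {
            "name": f"{alert['dependency']['package']['name']}: {adv['summary']}",
            "desc": adv.get("description", ""),
            "severity": adv.get("severity", "unclassified"),
            "cve": [adv["cve_id"]] if adv.get("cve_id") else [],
            "cwe": [c["cwe_id"] for c in adv.get("cwes", [])],
            "refs": [r["url"] for r in adv.get("references", [])],
            "data": f"vulnerable: {vuln.get('vulnerable_version_range')}; patched: {patched}",
            "tags": list(tags),   # user-defined tags, as the VULN_TAG note describes
        }
        entry.update(cvss_fields((adv.get("cvss") or {}).get("vector_string")))
        hosts.setdefault(alert["dependency"]["manifest_path"], []).append(entry)
    return hosts
```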