
GitHub Dependabot Executor

Category:       Source Code Analysis
Script:         dependabot.py
Integration:    GitHub REST API
Faraday Plugin: Raw JSON (no plugin; the executor generates Faraday JSON directly)
Website:        @dependabot

Description

Fetches all open Dependabot vulnerability alerts from a single GitHub repository, builds one vulnerability record per alert with its CVE, CWE and CVSS data, and outputs Faraday JSON. Vulnerabilities are grouped by manifest file path, so each manifest (for example requirements.txt or package.json) becomes a separate host in Faraday.

Prerequisites

  • GitHub Personal Access Token: a classic token with the security_events scope, or a fine-grained token with read access to Dependabot alerts on the target repository
  • Dependabot alerts enabled on the target repository

Configuration

Environment Variables (Setup)

Variable      Required  Description
GITHUB_TOKEN  Yes       GitHub Personal Access Token (see Prerequisites)
GITHUB_OWNER  Yes       GitHub organization or user that owns the repository

Execution Arguments

Parameter          Type    Mandatory  Description
GITHUB_REPOSITORY  string  Yes        Repository name (without the owner prefix) to query for Dependabot alerts

Common Agent Parameters Supported

AGENT_CONFIG_VULN_TAG, AGENT_CONFIG_HOSTNAME_TAG

YAML Configuration Example

executors:
  dependabot_scan:
    repo_executor: dependabot.py
    max_size: 65536
    varenvs:
      GITHUB_TOKEN: "${GITHUB_TOKEN}"
      GITHUB_OWNER: my-org
    params:
      GITHUB_REPOSITORY:
        mandatory: true
        type: string
        base: string

How It Works

  1. Fetches all Dependabot alerts from https://api.github.com/repos/{owner}/{repo}/dependabot/alerts, following pagination until every page has been read
  2. For each open alert, extracts:
     • CVE identifiers
     • CWE identifiers
     • CVSS vectors (v2 and/or v3)
     • Affected package and vulnerable version range
     • Severity and advisory description
  3. Groups vulnerabilities by manifest file path (e.g., requirements.txt, package.json)
  4. Emits each manifest file as a separate host in Faraday
  5. Outputs the combined Faraday JSON
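The steps above, as an added example written for this page; it is not the executor's own dependabot.py. The alert field names (dependency.manifest_path, security_advisory.cvss.vector_string, security_vulnerability.vulnerable_version_range, state) follow the GitHub REST API's Dependabot alert object; the Faraday host and vulnerability field names (ip, hostnames, vulnerabilities, cve, cwe, cvss2/cvss3) are assumed to match Faraday's JSON report format; the sample alerts, package names and CVE/GHSA identifiers are constructed placeholders. fetch_alerts needs a token and network access; build_faraday_report runs offline on the constructed data.

```python
import json
import re
import urllib.request

API = "https://api.github.com"

# GitHub advisory severity -> Faraday severity (Faraday spells medium as "med").
SEVERITY_MAP = {"low": "low", "medium": "med", "high": "high", "critical": "critical"}


def fetch_alerts(owner, repo, token):
    """Fetch every open Dependabot alert, following Link: rel="next" pagination."""
    url = f"{API}/repos/{owner}/{repo}/dependabot/alerts?state=open&per_page=100"
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",  # token comes from GITHUB_TOKEN, never a param
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            alerts.extend(json.load(resp))
            link = resp.headers.get("Link", "")
        nxt = re.search(r'<([^>]+)>;\s*rel="next"', link)
        url = nxt.group(1) if nxt else None
    return alerts


def alert_to_vuln(alert, vuln_tag=None):
    """Turn one GitHub alert object into a Faraday-style vulnerability record."""
    adv = alert["security_advisory"]
    vuln = alert["security_vulnerability"]
    pkg = alert["dependency"]["package"]
    cves = {i["value"] for i in adv.get("identifiers", []) if i["type"] == "CVE"}
    if adv.get("cve_id"):
        cves.add(adv["cve_id"])
    patched = (vuln.get("first_patched_version") or {}).get("identifier", "no fix available")
    record = {
        "name": f"{pkg['name']}: {adv['summary']}",
        "desc": (f"{adv['summary']}\n\nPackage: {pkg['name']} ({pkg['ecosystem']})\n"
                 f"Vulnerable range: {vuln['vulnerable_version_range']}\n"
                 f"Patched in: {patched}\n\n{adv.get('description', '')}"),
        "severity": SEVERITY_MAP.get(adv.get("severity"), "unclassified"),
        "type": "Vulnerability",
        "refs": [alert["html_url"], adv["ghsa_id"]],
        "cve": sorted(cves),
        "cwe": [c["cwe_id"] for c in adv.get("cwes", [])],
        "tags": [vuln_tag] if vuln_tag else [],
    }
    vector = (adv.get("cvss") or {}).get("vector_string")
    if vector:  # v3 vectors carry a "CVSS:3.x/" prefix; anything else is stored as v2
        record["cvss3" if vector.startswith("CVSS:3") else "cvss2"] = {"vector_string": vector}
    return record


def build_faraday_report(alerts, vuln_tag=None, hostname_tag=None):
    """Group alerts by manifest path; each manifest becomes one Faraday host."""
    hosts = {}
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # dismissed, fixed and auto_dismissed alerts are not imported
        manifest = alert["dependency"]["manifest_path"]
        host = hosts.setdefault(manifest, {
            "ip": manifest, "hostnames": [manifest],
            "description": f"Dependabot alerts for {manifest}",
            "tags": [hostname_tag] if hostname_tag else [],
            "vulnerabilities": [],
        })
        host["vulnerabilities"].append(alert_to_vuln(alert, vuln_tag))
    return {"hosts": list(hosts.values())}


def _alert(number, state, manifest, ecosystem, name, severity, cve, vector):
    # Constructed alert in the shape of the GitHub API object (test data only).
    ghsa = f"GHSA-0000-0000-{number:04d}"
    ids = [{"type": "GHSA", "value": ghsa}] + ([{"type": "CVE", "value": cve}] if cve else [])
    return {
        "number": number, "state": state,
        "html_url": f"https://github.com/my-org/app/security/dependabot/{number}",
        "dependency": {"package": {"ecosystem": ecosystem, "name": name}, "manifest_path": manifest},
        "security_advisory": {
            "ghsa_id": ghsa, "cve_id": cve, "summary": f"Constructed advisory for {name}",
            "description": "Constructed test data.", "severity": severity, "identifiers": ids,
            "cwes": [{"cwe_id": "CWE-200", "name": "Exposure of Sensitive Information"}] if cve else [],
            "cvss": {"score": 7.5, "vector_string": vector} if vector else None,
        },
        "security_vulnerability": {"vulnerable_version_range": "< 2.0.0",
                                   "first_patched_version": {"identifier": "2.0.0"}},
    }


# Constructed sample data, not real alerts: one open and one dismissed alert in
# requirements.txt, and one open alert with no CVE or CVSS data in package.json.
SAMPLE_ALERTS = [
    _alert(1, "open", "requirements.txt", "pip", "examplelib", "high", "CVE-2099-0001",
           "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    _alert(2, "dismissed", "requirements.txt", "pip", "otherlib", "critical", "CVE-2099-0002",
           "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    _alert(3, "open", "package.json", "npm", "widget", "medium", None, None),
]
```

Run it as `python -c 'import json, dependabot_example as d; print(json.dumps(d.build_faraday_report(d.SAMPLE_ALERTS, vuln_tag="dependabot"), indent=2))'` (module name assumed) to see the grouped output. Two design points: the alert state is filtered both server-side (state=open) and client-side, so a cached or replayed response cannot smuggle dismissed alerts into the report; and the token is only ever read from the environment and sent in the Authorization header, never interpolated into the URL where it would end up in proxy and server logs.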

Notes

  • Only open (active) alerts are imported; dismissed, fixed and auto-dismissed alerts are excluded
  • The GitHub token must have access to security alerts for the repository; a token without that access sees an empty or forbidden response rather than an error in the report
  • Vulnerabilities include both CVSS v2 and v3 vectors when GitHub's advisory database provides them; alerts without a vector are still imported with their severity