
How can I retrieve, through the GitHub API, the list of Dependabot alerts that is shown at https://github.com/{user}/{repo}/security/dependabot?page=1&q=is%3Aopen?


I searched the documentation but could not find anything about it there.

Thanks!


1 Answer


The GraphQL API provides the RepositoryVulnerabilityAlert object for this.

For example, for a given repository you can fetch all alerts with the following query (try it in the explorer):

{
    repository(name: "repo-name", owner: "repo-owner") {
        vulnerabilityAlerts(first: 100) {
            nodes {
                createdAt
                dismissedAt
                securityVulnerability {
                    package {
                        name
                    }
                    advisory {
                        description
                    }
                }
            }
        }
    }
}

It also returns dismissed alerts, which can be recognised by the dismissedAt field. But there seems to be no way to filter for only the "active" alerts.

Sample output:

{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "createdAt": "2018-03-05T19:13:26Z",
            "dismissedAt": null,
            "securityVulnerability": {
              "package": {
                "name": "moment"
              },
              "advisory": {
                "description": "Affected versions of `moment` are vulnerable to a low severity regular expression denial of service when parsing dates as strings.\n\n\n## Recommendation\n\nUpdate to version 2.19.3 or later."
              }
            }
          },
          ....
        ]
      }
    }
  }
}

answered 2021-02-24T18:40:17.887
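As an added example (not code from the answer above), the following Python script sends the same query to the GraphQL endpoint and then drops the dismissed alerts on the client side, since the answer notes that the query also returns alerts with a non-null dismissedAt. It assumes a personal access token with read access to the repository in the GITHUB_TOKEN environment variable, uses the standard pageInfo/endCursor connection fields to page past the first 100 alerts, and embeds a constructed sample response so that the filtering logic can be run without network access.

```python
import json
import os
import urllib.request

GITHUB_GRAPHQL_URL = "https://api.github.com/graphql"

# The query from the answer, parameterised and extended with pageInfo so that
# repositories with more than 100 alerts can be paged through (cursor
# pagination is the standard GitHub GraphQL connection pattern).
ALERTS_QUERY = """
query($owner: String!, $name: String!, $cursor: String) {
  repository(owner: $owner, name: $name) {
    vulnerabilityAlerts(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        createdAt
        dismissedAt
        securityVulnerability {
          package { name }
          advisory { description }
        }
      }
    }
  }
}
"""


def run_query(query, variables, token):
    """POST one GraphQL request with a bearer token (assumption: the caller
    supplies a personal access token, e.g. from GITHUB_TOKEN)."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        GITHUB_GRAPHQL_URL,
        data=body,
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_all_alerts(owner, name, token):
    """Collect every alert node across all pages of the connection."""
    nodes, cursor = [], None
    while True:
        data = run_query(ALERTS_QUERY,
                         {"owner": owner, "name": name, "cursor": cursor}, token)
        if data.get("errors"):
            raise RuntimeError(data["errors"])
        repo = data["data"]["repository"]
        if repo is None:
            raise RuntimeError(f"repository {owner}/{name} not found or not readable")
        conn = repo["vulnerabilityAlerts"]
        nodes.extend(conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return nodes
        cursor = conn["pageInfo"]["endCursor"]


def active_alerts(nodes):
    """Client-side filter: an alert is still open when dismissedAt is null."""
    return [n for n in nodes if n.get("dismissedAt") is None]


def summarize(nodes):
    """Reduce alert nodes to (package name, createdAt) pairs for reporting."""
    return [(n["securityVulnerability"]["package"]["name"], n["createdAt"])
            for n in nodes]


# Constructed sample nodes in the shape of the answer's output: the first one
# is the moment alert from the answer, the other two are made up for the demo.
SAMPLE_NODES = [
    {"createdAt": "2018-03-05T19:13:26Z", "dismissedAt": None,
     "securityVulnerability": {"package": {"name": "moment"},
                               "advisory": {"description": "ReDoS when parsing dates"}}},
    {"createdAt": "2019-07-01T10:00:00Z", "dismissedAt": "2019-07-02T08:30:00Z",
     "securityVulnerability": {"package": {"name": "example-dismissed-pkg"},
                               "advisory": {"description": "constructed, dismissed"}}},
    {"createdAt": "2020-11-20T12:00:00Z", "dismissedAt": None,
     "securityVulnerability": {"package": {"name": "example-open-pkg"},
                               "advisory": {"description": "constructed, open"}}},
]

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    # Without a token, fall back to the constructed sample so the script runs offline.
    nodes = fetch_all_alerts("repo-owner", "repo-name", token) if token else SAMPLE_NODES
    for pkg, created in summarize(active_alerts(nodes)):
        print(f"{pkg}\topened {created}")
```

The filter keys only on dismissedAt because that is the field the answer identifies; alerts that are dismissed and later reopened get a null dismissedAt again and so show up as active, which matches the web UI's "is:open" view.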