The GitHub Dependabot Coana app can be installed from the Integrations page. It synchronizes Coana vulnerabilities with Dependabot alerts and lets you dismiss Dependabot alerts whose vulnerabilities Coana has identified as unreachable.
Go to Settings → Integrations and click the "Add to GitHub" button.
If you mistakenly install the app on your personal account or on the wrong organization, then simply uninstall the app and start the process over.
Either select "All repositories" or "Only select repositories" as needed. You can always add or remove repositories from the installation later via Settings → Integrations.
Wait for the redirect back to Coana.
Select a project on the Projects page.
Make sure the URL of the Coana project matches the URL of the repository where you want to perform the Dependabot synchronization, for example https://github.com/acme-org/big-mono-repo.
Usually you just want to open the latest report.
You should now see Dependabot alerts at the bottom of the Coana vulnerability components.
Dependabot reports one alert for each physical (on-disk) installation of the vulnerable package, whereas Coana reports a vulnerability only once per reachability category. For example, if a Coana vulnerability affects multiple workspaces that each have their own installation of the package, it will be associated with multiple Dependabot alerts.
Why are some Dependabot alerts associated with both reachable and unreachable Coana vulnerabilities?
As described above, there is no one-to-one correspondence between Dependabot alerts and Coana vulnerabilities. Coana may report the same vulnerability in both the reachable and the unreachable category. For example, if a vulnerability is reachable in one workspace but not in another, and Dependabot creates only one alert covering both workspaces (such as a single hoisted installation at the repository root), then both Coana vulnerabilities will be associated with that one Dependabot alert.
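The following is an added illustration of the many-to-many mapping described above; it is not Coana's code and does not describe how Coana actually matches alerts. It assumes a hypothetical matching rule (same advisory and package, and the alert's manifest directory covers the Coana workspace, with a root-level manifest covering every workspace) and uses constructed advisory identifiers and paths. The point a practitioner cares about is the dismissal rule at the end: an alert is only treated as dismissable when every Coana finding associated with it is unreachable, and an alert with no Coana finding at all is never dismissed.

```python
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DependabotAlert:
    """One Dependabot alert: one per physical installation of the package."""
    number: int
    advisory: str       # advisory identifier shared by both tools (constructed values below)
    package: str
    manifest_path: str  # lockfile/manifest the installation was found in


@dataclass(frozen=True)
class CoanaVulnerability:
    """One Coana finding: reported once per reachability category."""
    advisory: str
    package: str
    workspace: str      # workspace directory the finding applies to
    reachable: bool


# Constructed sample data: hypothetical advisory ids, packages and paths, not real alerts.
VULNS = [
    CoanaVulnerability("GHSA-EXAMPLE-0001", "left-pad", "packages/api", reachable=True),
    CoanaVulnerability("GHSA-EXAMPLE-0001", "left-pad", "packages/web", reachable=False),
    CoanaVulnerability("GHSA-EXAMPLE-0002", "pad-right", "packages/api", reachable=False),
]
ALERTS = [
    # Hoisted install at the repository root: one alert covers every workspace.
    DependabotAlert(1, "GHSA-EXAMPLE-0001", "left-pad", "package-lock.json"),
    # Workspace-local install: one alert for this workspace only.
    DependabotAlert(2, "GHSA-EXAMPLE-0002", "pad-right", "packages/api/package-lock.json"),
    # Install in a workspace for which Coana reported nothing.
    DependabotAlert(3, "GHSA-EXAMPLE-0002", "pad-right", "packages/cli/package-lock.json"),
]


def alert_covers_workspace(alert, workspace):
    """Assumed rule: a root-level manifest is shared by all workspaces;
    otherwise the workspace must sit inside the manifest's directory."""
    manifest_dir = os.path.dirname(alert.manifest_path) or "."
    if manifest_dir == ".":
        return True
    return workspace == manifest_dir or workspace.startswith(manifest_dir + "/")


def associate(alerts, vulns):
    """Map alert number -> Coana findings with the same advisory and package
    in a workspace the alert covers. One alert may collect both a reachable
    and an unreachable finding; one finding may appear under several alerts."""
    by_alert = defaultdict(list)
    for alert in alerts:
        for vuln in vulns:
            if (vuln.advisory, vuln.package) != (alert.advisory, alert.package):
                continue
            if alert_covers_workspace(alert, vuln.workspace):
                by_alert[alert.number].append(vuln)
    return dict(by_alert)


def safe_to_dismiss(alert_number, associations):
    """Dismiss only when Coana analysed the alert and every associated finding
    is unreachable. An alert with no associated finding is not dismissed:
    the absence of a Coana result is not evidence of unreachability."""
    vulns = associations.get(alert_number, [])
    return bool(vulns) and all(not v.reachable for v in vulns)


if __name__ == "__main__":
    assoc = associate(ALERTS, VULNS)
    for alert in ALERTS:
        categories = sorted({"reachable" if v.reachable else "unreachable"
                             for v in assoc.get(alert.number, [])})
        print(f"alert #{alert.number}: coana={categories or ['none']} "
              f"dismiss={safe_to_dismiss(alert.number, assoc)}")
```

Running the block shows alert #1 associated with both a reachable and an unreachable finding (so it must not be dismissed), alert #2 associated with a single unreachable finding (dismissable), and alert #3 with no Coana finding (left alone).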
Should you wish to change which repositories Coana is authorized to synchronize with, or if you want to remove the Coana Dependabot app, head over to the Integrations page and click the "Configuration" button in the GitHub section. From that page you can change repository access and uninstall the app.