GitHub Dependabot

Setting up the integration to GitHub Dependabot requires admin rights in Coana.

The GitHub Dependabot Coana app can be installed from the Integrations page. This app enables the synchronization of Coana Vulnerabilities with Dependabot alerts and allows for the dismissal of Dependabot alerts that Coana has identified as unreachable.

Installation

Install the GitHub Dependabot app

Go to Settings → Integrations and click the "Add to GitHub" button.

Click "Install" and select your organization

If you mistakenly install the app on your personal account or the wrong organization, then simply uninstall the app and start the process over.

Select repositories

Select either "All repositories" or "Only select repositories", depending on your needs. You can add or remove repositories from the installation later using Settings → Integrations.

Click "Install & Authorize"

Wait for the redirect back to Coana.

Usage

Select a project on the Projects page

Make sure the URL of the Coana project matches the repository URL of the repository where you want to perform the Dependabot synchronization. For example, https://github.com/acme-org/big-mono-repo.

Open the report where you want to perform the synchronization

Usually, you just want to open the latest report.

Click the settings (⋯) icon, and click "Sync with Dependabot".

You should now see Dependabot alerts appear at the bottom of Coana vulnerability components.

Bulk dismiss unreachable Dependabot alerts

Use the "Dismiss 'Not reachable' alerts" button that appears below the "Sync with Dependabot" button after a successful Dependabot synchronization. Note that Coana only bulk dismisses alerts that are not also associated with reachable or unknown vulnerabilities (see the question under Help on Dependabot alerts associated with both reachable and unreachable Coana vulnerabilities).

Dismiss Dependabot alerts for individual vulnerabilities

From the Actions menu on the vulnerability, you can choose "Dismiss..." to open the vulnerability dismissal window. In step 2 "Dependabot alerts" of the dismissal window, you can choose to dismiss the associated open Dependabot alerts.

If the selected Dependabot alerts are associated with at least one reachable or unknown vulnerability, then you will have to check a box in step 3 "Summary" to accept the risk of dismissing potentially exploitable Dependabot alerts.

Autodismissal of unreachable Dependabot alerts

To have unreachable Dependabot alerts dismissed automatically, open "project settings" and turn on the "Enable auto Dependabot dismissals" toggle.

Help

Why are some Coana alerts sometimes associated with multiple Dependabot alerts?

Dependabot reports an alert for each physical installation (on disk) of the vulnerable package. Coana only reports a vulnerability once in each of the reachability categories. For example, if a Coana vulnerability affects multiple workspaces, it is likely to be associated with multiple Dependabot alerts.

Why are some Dependabot alerts associated with both reachable and unreachable Coana vulnerabilities?

As described in the question above, there is not a one-to-one correspondence between Dependabot alerts and Coana vulnerabilities. Coana may report the same vulnerability in both the reachable and unreachable categories. For example, if a vulnerability is reachable in one workspace but not in another, and Dependabot only creates one alert for these two workspaces, then you will see both Coana vulnerabilities associated with this Dependabot alert.
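The bulk-dismissal rule and the alert-to-vulnerability mapping described in the two answers above, as an added Python sketch that is not Coana's code. It assumes a simplified data model; the vulnerability ids, alert numbers and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one entry per Coana vulnerability per reachability
# category, with the Dependabot alert numbers it is associated with.
# All ids, alert numbers and field names are hypothetical.
COANA_VULNS = [
    {"id": "vuln-A", "category": "unreachable", "alerts": [11, 12]},  # two workspaces, two alerts
    {"id": "vuln-B", "category": "reachable",   "alerts": [13]},      # reachable in one workspace
    {"id": "vuln-B", "category": "unreachable", "alerts": [13, 14]},  # unreachable in others
    {"id": "vuln-C", "category": "unknown",     "alerts": [15]},
]

def categories_per_alert(vulns):
    """Invert vulnerability -> alerts into alert -> set of reachability categories."""
    seen = defaultdict(set)
    for vuln in vulns:
        for alert in vuln["alerts"]:
            seen[alert].add(vuln["category"])
    return dict(seen)

def classify_alerts(vulns):
    """Return (bulk_dismissible, excluded) alert numbers.

    An alert is bulk dismissible only when every associated vulnerability is
    unreachable; any reachable or unknown association excludes it.
    """
    bulk, excluded = [], []
    for alert, cats in sorted(categories_per_alert(vulns).items()):
        (bulk if cats == {"unreachable"} else excluded).append(alert)
    return bulk, excluded

def requires_risk_acceptance(selected_alerts, vulns):
    """True when an individual dismissal touches a reachable or unknown vulnerability."""
    cats = categories_per_alert(vulns)
    return any(cats.get(a, set()) & {"reachable", "unknown"} for a in selected_alerts)

if __name__ == "__main__":
    bulk, excluded = classify_alerts(COANA_VULNS)
    print("bulk dismissible:", bulk)
    print("excluded from bulk dismissal:", excluded)
    print("dismissing 13 needs risk acceptance:",
          requires_risk_acceptance([13], COANA_VULNS))
```

Alert 13 is the case from the second question: one Dependabot alert covering a workspace where the vulnerability is reachable and one where it is not, so it stays out of the bulk dismissal.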

How do I manage settings and uninstall the Coana Dependabot app?

Should you wish to change which repositories Coana is authorized to synchronize with, or if you want to remove the Coana Dependabot app, then head over to the Integrations page and click the "Configuration" button in the GitHub section. From this page, you will be able to change repository access and uninstall the app.