Integrations
GitHub Dependabot

GitHub Dependabot

Setting up the integration to GitHub Dependabot requires admin rights in Coana.

The GitHub Dependabot Coana app can be installed from the Integrations (opens in a new tab) page. This app enables the synchronization of Coana Vulnerabilities with Dependabot alerts and allows for the dismissal of Dependabot alerts that Coana has identified as unreachable.

Installation

Install GitHub Dependabot app

Go to Settings → Integrations (opens in a new tab) and click the "Add to GitHub" button.

Click "Install" and select your organization

If you mistakenly install the app on your personal account or on the wrong organization, then simply uninstall the app and start the process over.

Select repositories

Either select "All repositories" or "Only select repositories" depending on your specific needs. You can always add or remove repositories from the installation using Settings → Integrations (opens in a new tab) later.

Click "Install & Authorize"

Wait for the redirect back to Coana.

Usage

Select a project on the Projects (opens in a new tab) page

Make sure the URL of the Coana project matches the repository URL of the repository where you want to perform the Dependabot synchronization. For example, https://github.com/acme-org/big-mono-repo (opens in a new tab).

Open the report where you want to perform the synchronization

Usually you just want to open the latest report.

Click the settings (⋯) icon, and click "Sync with Dependabot".

You should now see Dependabot alerts appear in the bottom of Coana vulnerability components.

Help

Why are some Coana alerts sometimes associated with multiple Dependabot alerts?

Dependabot reports an alert for each physical installation (on disk) of the vulnerable package. Coana only reports a vulnerability once in each of the reachability categories. For example, if a Coana vulnerability affects multiple workspaces, it is likely to be associated with multiple Dependabot alerts.

Why are some Dependabot alerts associated with both reachable and unreachable Coana vulnerabilities?

As described in the question above, there is not a one-to-one correspondence between Dependabot alerts and Coana vulnerabilities. Coana may report the same vulnerability in both the reachable and unreachable categories. For example, if a vulnerability is reachable in one workspace but not in another, and Dependabot only creates one alert for these two workspaces, then you will see both Coana vulnerabilities associated with this Dependabot alert.

How do I manage settings and uninstall the Coana Dependabot app?

Should you wish to change which repositories Coana is authorized to synchronize with, or if you want to remove the Coana Dependabot app, then head over to the Integrations (opens in a new tab) page and click the "Configuration" button in the GitHub section. From this page, you will be able to change repository access and uninstall the app.