GitHub Dependabot

Setting up the integration to GitHub Dependabot requires admin rights in Coana.

The GitHub Dependabot Coana app can be installed from the Integrations page. This app enables the synchronization of Coana vulnerabilities with Dependabot alerts and allows for the dismissal of Dependabot alerts that Coana has identified as unreachable.


Install the GitHub Dependabot app

Go to Settings → Integrations and click the "Add to GitHub" button.

Click "Install" and select your organization.

If you mistakenly install the app on your personal account or the wrong organization, then simply uninstall the app and start the process over.

Select repositories

Either select "All repositories" or "Only select repositories" depending on your specific needs. You can always add or remove repositories from the installation later using Settings → Integrations.

Click "Install & Authorize"

Wait for the redirect back to Coana.


Select a project on the Projects page

Make sure the URL of the Coana project matches the repository URL of the repository where you want to perform the Dependabot synchronization.

Open the report where you want to perform the synchronization

Usually, you just want to open the latest report.

Click the settings (⋯) icon, and click "Sync with Dependabot".

You should now see Dependabot alerts appear at the bottom of Coana vulnerability components.

Bulk dismiss unreachable Dependabot alerts

Use the "Dismiss 'Not reachable' alerts" button that appears below the "Sync with Dependabot" button after a successful Dependabot synchronization. Note that Coana only bulk dismisses alerts that are not also associated with reachable or unknown vulnerabilities (see the question below).

Dismiss Dependabot alerts for individual vulnerabilities

Use the "Dismiss open alerts in Dependabot" button that appears together with vulnerabilities that have associated Dependabot alerts.


Why are some Coana alerts sometimes associated with multiple Dependabot alerts?

Dependabot reports an alert for each physical installation (on disk) of the vulnerable package. Coana only reports a vulnerability once in each of the reachability categories. For example, if a Coana vulnerability affects multiple workspaces, it is likely to be associated with multiple Dependabot alerts.

Why are some Dependabot alerts associated with both reachable and unreachable Coana vulnerabilities?

As described in the question above, there is not a one-to-one correspondence between Dependabot alerts and Coana vulnerabilities. Coana may report the same vulnerability in both the reachable and unreachable categories. For example, if a vulnerability is reachable in one workspace but not in another, and Dependabot only creates one alert for these two workspaces, then you will see both Coana vulnerabilities associated with this Dependabot alert.
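The two answers above describe a many-to-many relationship between Dependabot alerts and Coana vulnerabilities, and the bulk-dismiss step earlier on this page dismisses only alerts that are not also tied to a reachable or unknown vulnerability. The following added example (not Coana's own code) models that rule over a constructed set of vulnerabilities; the record layout and the `VULN-*` identifiers are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample data (not real Coana or Dependabot output): Coana reports a
# vulnerability once per reachability category, and each entry may be associated
# with one or more Dependabot alerts (one alert per on-disk installation).
VULNERABILITIES = [
    {"id": "VULN-A", "reachability": "not reachable", "dependabot_alerts": [1, 2]},
    {"id": "VULN-A", "reachability": "reachable",     "dependabot_alerts": [2]},
    {"id": "VULN-B", "reachability": "not reachable", "dependabot_alerts": [3]},
    {"id": "VULN-C", "reachability": "unknown",       "dependabot_alerts": [4]},
    {"id": "VULN-C", "reachability": "not reachable", "dependabot_alerts": [4, 5]},
]


def categories_per_alert(vulns):
    """Map each Dependabot alert number to the set of reachability categories
    of every Coana vulnerability associated with it."""
    mapping = defaultdict(set)
    for vuln in vulns:
        for alert in vuln["dependabot_alerts"]:
            mapping[alert].add(vuln["reachability"])
    return dict(mapping)


def bulk_dismissable(vulns):
    """Alerts that a bulk 'Dismiss Not reachable alerts' action may close:
    every associated Coana vulnerability must be 'not reachable'."""
    return sorted(
        alert
        for alert, cats in categories_per_alert(vulns).items()
        if cats == {"not reachable"}
    )


def held_back(vulns):
    """Alerts kept open because at least one associated vulnerability is
    reachable or of unknown reachability, with the offending categories."""
    return {
        alert: sorted(cats - {"not reachable"})
        for alert, cats in categories_per_alert(vulns).items()
        if cats != {"not reachable"}
    }


if __name__ == "__main__":
    print("bulk dismissable:", bulk_dismissable(VULNERABILITIES))  # [1, 3, 5]
    print("held back:", held_back(VULNERABILITIES))  # {2: ['reachable'], 4: ['unknown']}
```

Alert 2 is shared by the reachable and unreachable reports of the same vulnerability (the situation described in the second question), so the bulk action leaves it open even though one of its associated Coana entries is unreachable.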

How do I manage settings and uninstall the Coana Dependabot app?

Should you wish to change which repositories Coana is authorized to synchronize with, or if you want to remove the Coana Dependabot app, then head over to the Integrations page and click the "Configuration" button in the GitHub section. From this page, you will be able to change repository access and uninstall the app.