Verify dependabot_alerts_enabled_for_new_repositories setting
Type: Rule
ID: github-org-dependabot-alerts
Source: v2/rules/github/org/dependabot-alerts.yaml
Rego Source: dependabot-alerts.rego
Labels: GitHub, Organization
Verify Dependabot alerts for new repositories are enabled in the GitHub organization.
This rule requires Github Organization Discovery Evidence. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target or an asset input. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by product and target.
Usage example
uses: github/org/dependabot-alerts@v2
with:
desired_value: true
Mitigation
Ensures that Dependabot alerts are enabled for new repositories in the GitHub organization, helping to identify and address vulnerabilities in dependencies.
Description
This rule verifies that Dependabot alerts for new repositories are enabled in the GitHub organization. It performs the following steps:
- Checks the organization's settings for the
dependabot_alerts_enabled_for_new_repositoriesfield. - Compares the value of this field against the desired value specified in the
with.desired_valueconfiguration.- If the field does not match the desired value, the rule flags it as a violation.
Evidence Requirements:
- Evidence must be provided by the Scribe Platform's CLI tool through scanning GitHub organization settings.
Evidence Requirements
| Field | Value |
|---|---|
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| asset_platform | github |
| asset_type | organization |
Input Definitions
| Parameter | Type | Required | Description | Default |
|---|---|---|---|---|
| desired_value | boolean | False | Desired value for the dependabot_alerts_enabled_for_new_repositories setting. | True |