How can I, using REST or GraphQL, retrieve all repos enterprise-wide that CURRENTLY have vulnerabilities - also dismissed non-stale ones

[mplungjan]

Select Topic Area

Question

Body

There isn’t, as far as I can find, currently a “magic flag” on the GitHub APIs that tells me “this CVE is currently affecting the default branch” or "This REPO has an open vulnerability that has not been fixed/closed/dismissed" so that I can replicate exactly what the web UI shows.
In my experience the Dependabot Alerts endpoints (both REST and GraphQL) return alerts for every branch (or manifest) in a repository. That means that—even if the default branch is “clean”—any open alert generated for a now‑obsolete branch (or an old manifest file) will still show up as an open alert via the API.

I also need to find all dismissed alerts that are still relevant to the repo. I can find dismissals that are stale since a fix was implemented later.
If this is not possible, please consider this a feature request.
Thanks

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[AmandaHanz]

### Using GitHub GraphQL API
GitHub GraphQL lets you query multiple repositories at once.

GraphQL Query:

query {
  organization(login: "YOUR_ORG") {
    repositories(first: 100) {
      nodes {
        name
        vulnerabilityAlerts(first: 100, states: OPEN) {
          nodes {
            securityVulnerability {
              package {
                name
              }
              advisory {
                description
              }
            }
            dismissedAt
            dismissedReason
          }
        }
      }
    }
  }
}

states: OPEN ensures only active vulnerabilities are fetched.
dismissedAt lets you track dismissed alerts.
Compare dismissedAt with securityVulnerability.advisory.updatedAt to check if the vulnerability is still relevant.

[mplungjan]

I will have a look at your suggestions and see if I can make them work...

The problem is the following, and I am not sure your suggestion will solve it

A repo has had an alert at some time X.
A developer dismisses it at time Y because they did not have time to fix it when that specific alert was shown
Some weeks later at time Z, the developer updates some library that fixes the vulnerability.

If I run your graphQL, I would suspect I would still get the dismissed, open alert but cannot match it to the updated library unless I remove the dismiss and run the vuln rapport again.

In GitHub Advanced Security "OPEN" Alerts means that the alert is still active in the system—it hasn’t been automatically resolved by an update or a commit that fixes the vulnerability.
Dismissed Alerts: When a developer dismisses an alert, it is marked with a dismissedAt timestamp and a dismissedReason, but it still remains in the OPEN state. Dismissing doesn’t automatically re-evaluate or update the alert if later changes (like a dependency update) actually fix the vulnerability. For that I would need to reset all dismissed alerts and re-run. That is not practical.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[mplungjan]

Closed as outdated?
It's still a problem