Dependabot Alert Export

Export the Dependabot alerts to CSV
v1.0 (Latest)

dependabot-alert-export

Export the Dependabot alerts as CSV file from a repo

This GitHub Action exports the Dependabot alerts of a repository to a CSV file. You can define a workflow that runs on a schedule or is triggered by a specific event, so that every Dependabot alert is captured in a CSV file for further analysis.

Release

GitHub Marketplace : https://github.com/marketplace/actions/dependabot-alert-export

How to Use the Action

PAT Token

Create a PAT (personal access token) that is allowed to read the Dependabot alerts of the repository. Pass this token to the action through the GITHUB_TOKEN input. Store the token as a repository or organization secret rather than writing it into the workflow file, and grant it only the permissions it needs to read the alerts.

Action in workflow

Include the dependabot-alert-export action in your workflow.

The following sample shows how to integrate this action into your workflow. The first step exports the alerts to data/vulnerability.csv; the second uploads that file as a build artifact.

    steps:
      - name: Export Dependabot alerts
        uses: ambilykk/dependabot-alert-export@v1.0
        with:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
          org_name: 'ORG_NAME'
          repo_name: 'REPO_NAME'
          csv_path: data/vulnerability.csv

      - name: Upload Vulnerability report
        uses: actions/upload-artifact@v3
        with:
          name: vulnerability_report
          path: data/vulnerability.csv

Parameters

Name           Required   Description
GITHUB_TOKEN   Yes        PAT token used to read the Dependabot alerts
org_name       Yes        GitHub organization name
repo_name      Yes        GitHub repository name
csv_path       Yes        Path of the CSV file to write

Exported Fields

The following fields are included in the vulnerability report:

  • Vulnerability Id
  • Dependency Scope (DEVELOPMENT or RUNTIME)
  • State (DISMISSED, FIXED or OPEN)
  • Created At
  • Manifest File Name
  • Vulnerability Version Range
  • Package Name
  • GHSA Id (The ID of the vulnerability in the GitHub Security Advisory Database)
  • Severity
  • Summary
  • Link
  • Description
  • Dismissed At (for Dismissed alerts)
  • Dismiss Reason
  • Dismiss Comment
  • Fixed At (for Fixed alerts)
  • Fix Reason

Report

The vulnerability report in CSV format is available for download as part of the build artifacts.

[Screenshot of the vulnerability report artifact, 2022-09-18]

License

The scripts and documentation in this project are released under the MIT License.

Dependabot Alert Export is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
