in packages/repocop/src/query.ts [106:141]
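/**
 * Fetch the open critical/high Dependabot alerts for one repository and keep
 * only those whose dependency scope is not `development`.
 *
 * @param octokit authenticated Octokit client
 * @param orgName GitHub organisation that owns the repository
 * @param repoName repository name, given either as `repo` or `org/repo`
 * @returns the filtered alerts, or `undefined` when the API call throws (for
 *   example because Dependabot is not enabled), so callers can tell "no data"
 *   apart from "no alerts"
 */
async function getAlertsForRepo(
  octokit: Octokit,
  orgName: string,
  repoName: string,
): Promise<Alert[] | undefined> {
  // Accept "org/repo" as well as "repo": strip the org prefix into a local
  // instead of reassigning the parameter.
  const prefix = `${orgName}/`;
  const repo = repoName.startsWith(prefix)
    ? repoName.slice(prefix.length)
    : repoName;
  try {
    const alert: DependabotVulnResponse =
      await octokit.rest.dependabot.listAlertsForRepo({
        owner: orgName,
        repo,
        per_page: 100,
        severity: 'critical,high',
        state: 'open',
        sort: 'created',
        direction: 'asc', // retrieve oldest vulnerabilities first
      });
    // NOTE(review): only a single page (at most 100 alerts) is requested; a
    // repository with more open critical/high alerts than that would have the
    // newest ones silently omitted from the result.
    return alert.data.filter((a) => a.dependency.scope !== 'development');
  } catch (error: unknown) {
    // Every failure lands here, not only "Dependabot disabled" (permission or
    // rate-limit errors included), hence the hedged wording of the message.
    console.debug(
      `Dependabot - ${repo}: Could not get alerts. Dependabot may not be enabled.`,
    );
    console.debug(error);
    // Return undefined if dependabot is not enabled, to distinguish from
    // the scenario where it is enabled, but there are no alerts
    return undefined;
  }
}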