I've gone through the GitHub REST API v3 and GitHub GraphQL API v4, but I'm unable to find a resource/endpoint to check if Dependabot is enabled via the API. I've gone through loads of documentation but was unable to find anything helpful. Could someone please point me to the correct document or tell me which resource to use? Thanks!
Now that Dependabot is merged into GitHub, there are three different features that can be enabled in addition to the dependency graph itself: two in the Security & analysis section of the settings, and the last in the Dependency graph section of the Insights tab of a given GitHub repo:
(All require Dependency graph to also be enabled, and for a repo to have at least one supported package ecosystem file.)
According to the GitHub REST API Reference, you can check whether Dependabot alerts are enabled via the GitHub REST API at the following endpoint:
https://api.github.com/repos/{owner}/{repo}/vulnerability-alerts
A 204 response confirms the feature is enabled; a 404 means it is not.
Curiously, the GitHub REST API Reference lists requests to enable or disable the feature, but not to get the current status of the feature for a given repo, and I have not been able to satisfactorily find how to get that information from the REST or GraphQL API.
GuiFalourd's answer mentions using the GraphQL API to check for the presence of a .github/dependabot.yml file. Unfortunately that isn't a 1-to-1 relationship with security updates: the file could be present without security updates enabled, or could be absent when security updates are enabled. The dependabot.yml file is used for version updates, which is related but not the same thing.
You could always use the REST API enable security updates request to ensure the feature is on, but that is not at all the same as querying its current status for a repo. If anyone does discover a way to do this without page scraping, or if GitHub adds the ability to check in the future, please let me know!
Again, this is not the same as security updates, but depending on your policy/practices it may be a 1-to-1 relationship. Use something like the following against the GraphQL endpoint https://api.github.com/graphql
Query
{
  repository(name: "{repo}", owner: "{owner}") {
    object(expression: "HEAD:.github/") {
      ... on Tree {
        entries {
          name
        }
      }
    }
  }
}
Response if file is present:
{
  "data": {
    "repository": {
      "object": {
        "entries": [
          {
            "name": "dependabot.yml"
          }
        ]
      }
    }
  }
}
Response if file is not present:
{
  "data": {
    "repository": {
      "object": null
    }
  }
}
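Putting both checks together, as an added example that is not part of either answer above: the REST probe of /repos/{owner}/{repo}/vulnerability-alerts from the first answer and the GraphQL lookup for .github/dependabot.yml from the second, in Python using only the standard library. Two things here go beyond what the answers state: a 404 from the vulnerability-alerts endpoint is only read as "alerts disabled" after confirming that the repository itself is visible to the token, because GitHub also answers 404 for repositories the token cannot access; and the GraphQL query takes owner and name as variables instead of splicing them into the query text. The repository octo/app, the token value, the scripted_transport helper and the responses in demo() are constructed for illustration, not captured from GitHub.

```python
# Added example: Dependabot status via GitHub REST (alerts) and GraphQL (dependabot.yml).
import json
import os
import sys
import urllib.error
import urllib.request

API_ROOT = "https://api.github.com"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, body_bytes); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def scripted_transport(responses):
    """Constructed stand-in for urllib_transport: maps (method, url) -> (status, body_bytes)."""
    def send(method, url, headers, body):
        return responses.get((method, url), (500, b""))
    return send


def _headers(token):
    return {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "dependabot-status-check",  # GitHub rejects requests without one
    }


def repo_visible(owner, repo, token, send=urllib_transport):
    """True if the token can see the repo at all (GET /repos/{owner}/{repo} -> 200)."""
    status, _ = send("GET", f"{API_ROOT}/repos/{owner}/{repo}", _headers(token), None)
    return status == 200


def alerts_enabled(owner, repo, token, send=urllib_transport):
    """Dependabot alerts: 204 -> True; 404 -> False only when the repo is visible
    (GitHub also answers 404 for repos the token cannot access); else None (unknown)."""
    url = f"{API_ROOT}/repos/{owner}/{repo}/vulnerability-alerts"
    status, _ = send("GET", url, _headers(token), None)
    if status == 204:
        return True
    if status == 404 and repo_visible(owner, repo, token, send):
        return False
    return None


# The query from the answer above, with owner/name passed as GraphQL variables
# rather than spliced into the query string, so a repo name cannot alter the query.
DEPENDABOT_CONFIG_QUERY = """
query($owner: String!, $name: String!) {
  repository(name: $name, owner: $owner) {
    object(expression: "HEAD:.github/") {
      ... on Tree { entries { name } }
    }
  }
}
"""


def dependabot_config_present(owner, repo, token, send=urllib_transport):
    """True if .github/dependabot.yml exists at HEAD; False if .github/ is absent or
    lacks the file. Raises on GraphQL errors (e.g. repo not found) rather than reporting absent."""
    payload = json.dumps({"query": DEPENDABOT_CONFIG_QUERY,
                          "variables": {"owner": owner, "name": repo}}).encode()
    status, raw = send("POST", f"{API_ROOT}/graphql", _headers(token), payload)
    if status != 200:
        raise RuntimeError(f"GraphQL endpoint returned HTTP {status}")
    reply = json.loads(raw)
    if reply.get("errors") or not (reply.get("data") or {}).get("repository"):
        raise RuntimeError(f"GraphQL error: {reply.get('errors')}")
    tree = reply["data"]["repository"]["object"]
    if tree is None:  # no .github/ directory at HEAD (the "not present" response above)
        return False
    return any(entry["name"] == "dependabot.yml" for entry in tree.get("entries", []))


def demo():
    """Run both checks against constructed responses (not captured from GitHub)."""
    repo_url = f"{API_ROOT}/repos/octo/app"
    tree = {"data": {"repository": {"object": {"entries": [{"name": "dependabot.yml"}]}}}}
    send = scripted_transport({
        ("GET", repo_url): (200, b"{}"),
        ("GET", repo_url + "/vulnerability-alerts"): (204, b""),
        ("POST", f"{API_ROOT}/graphql"): (200, json.dumps(tree).encode()),
    })
    return alerts_enabled("octo", "app", "x", send), dependabot_config_present("octo", "app", "x", send)


if __name__ == "__main__":
    if len(sys.argv) == 3 and os.environ.get("GITHUB_TOKEN"):  # real run: script.py OWNER REPO
        o, r, t = sys.argv[1], sys.argv[2], os.environ["GITHUB_TOKEN"]
        print("alerts:", alerts_enabled(o, r, t), "dependabot.yml:", dependabot_config_present(o, r, t))
    else:
        print("demo with constructed responses:", demo())
```

Note that object is null only when .github/ itself is absent at HEAD, as in the second response above; when the directory exists without the file, entries simply lacks dependabot.yml, which is why the check scans the entries rather than testing the object for null. A real run needs a token that can read the repository (export GITHUB_TOKEN, then pass owner and repo as arguments); without one the script only exercises the constructed responses.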