Overview

GitHub Dependabot automatically scans your repositories for vulnerable dependencies and creates alerts when vulnerabilities are detected. Through Backline’s GitHub integration, you can import these Dependabot alerts as SCA (Software Composition Analysis) vulnerabilities, enabling centralized remediation workflows alongside findings from other security scanners.

What You Can Do

With Dependabot scanning enabled, Backline can:
  • Automatically import SCA vulnerabilities from Dependabot alerts
  • Track vulnerabilities detected across your GitHub repositories
  • Create remediation workflows for imported vulnerabilities
  • Deduplicate findings across multiple repositories
  • Centralize security vulnerabilities from Dependabot with other scanners in one place

Prerequisites

Before enabling Dependabot scanning, ensure you have:
  • A connected GitHub integration in Backline
  • Dependabot Alerts enabled in your GitHub repository settings
  • The Backline GitHub App installed with access to the target repositories

Enabling Dependabot in GitHub

If Dependabot Alerts are not yet enabled for your repositories:
  1. Open Repository Settings: In GitHub, navigate to your repository and click Settings.
  2. Navigate to Security: In the left sidebar, click Code security and analysis.
  3. Enable Dependabot Alerts: Find Dependabot alerts and click Enable to activate vulnerability scanning for the repository.

Organization owners can enable Dependabot Alerts for all repositories at the organization level through the organization’s security settings.

Enabling Dependabot Scan in Backline

  1. Navigate to Integrations: In Backline, go to the Integration Hub from the main menu.
  2. Open GitHub Configuration: Find the GitHub integration card and click Configure to open the integration details.
  3. Go to Configuration Tab: In the integration modal, navigate to the Configuration tab.
  4. Enable Dependabot Scan: Check the Enable Dependabot Scan checkbox to activate Dependabot alert ingestion.

How It Works

Once enabled, Backline will:
  1. Fetch Alerts: Periodically scan your GitHub repositories for Dependabot alerts
  2. Filter Relevant Issues: Import vulnerability alerts that contain CVE information
  3. Map to Repositories: Associate vulnerabilities with the correct repositories in your Backline workspace
  4. Track Detection Time: Preserve the original detection timestamp from Dependabot
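As an added example (not Backline's own code), the following Python models the four steps above together with the cross-repository deduplication listed under What You Can Do, run over a constructed payload in the shape of GitHub's Dependabot alerts REST API. The field names `created_at`, `security_advisory.cve_id` and `security_vulnerability.package` come from that API; the merge rules (one finding per CVE and package, earliest detection time kept) are assumptions about how such a pipeline could behave.

```python
# Added illustrative model of the "How It Works" steps; this is not Backline's code.
# Alert fields follow GitHub's REST shape for GET /repos/{owner}/{repo}/dependabot/alerts;
# the payload is constructed and the merge rules are assumptions, not Backline's behaviour.
from datetime import datetime, timezone

# Constructed sample: alerts as two repositories' endpoints might return them.
SAMPLE_ALERTS = {
    "acme/web": [
        {"created_at": "2024-03-01T10:00:00Z",
         "security_advisory": {"cve_id": "CVE-2024-00000"},  # placeholder CVE id
         "security_vulnerability": {"package": {"ecosystem": "npm", "name": "example-lib"}}},
        {"created_at": "2024-03-02T10:00:00Z",
         "security_advisory": {"cve_id": None},  # advisory with no CVE assigned
         "security_vulnerability": {"package": {"ecosystem": "npm", "name": "other-lib"}}},
    ],
    "acme/api": [
        {"created_at": "2024-02-20T08:30:00Z",
         "security_advisory": {"cve_id": "CVE-2024-00000"},
         "security_vulnerability": {"package": {"ecosystem": "npm", "name": "example-lib"}}},
    ],
}

def ingest(alerts_by_repo):
    """Steps 2-4: keep CVE-bearing alerts, attach the repository, keep Dependabot's timestamp."""
    findings = []
    for repo, alerts in alerts_by_repo.items():
        for alert in alerts:
            cve = alert["security_advisory"].get("cve_id")
            if not cve:  # step 2: alerts without a CVE are not imported (see Troubleshooting)
                continue
            pkg = alert["security_vulnerability"]["package"]
            findings.append({
                "repository": repo,  # step 3: map the finding to its source repository
                "cve_id": cve,
                "package": f'{pkg["ecosystem"]}:{pkg["name"]}',
                # step 4: detection time is Dependabot's created_at, not the import time
                "detected_at": datetime.strptime(alert["created_at"], "%Y-%m-%dT%H:%M:%SZ")
                .replace(tzinfo=timezone.utc),
            })
    return findings

def deduplicate(findings):
    """Merge one CVE/package seen across repositories; list all repos, keep earliest detection."""
    merged = {}
    for f in findings:
        entry = merged.setdefault((f["cve_id"], f["package"]), {**f, "repositories": []})
        entry["repositories"].append(f["repository"])
        entry["detected_at"] = min(entry["detected_at"], f["detected_at"])
    for entry in merged.values():
        del entry["repository"]  # the per-repo field is replaced by the merged list
    return list(merged.values())
```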

Scan Schedule

After enabling Dependabot scanning, Backline automatically schedules periodic scans to fetch new vulnerability alerts. Vulnerabilities are kept up to date with regular synchronization.
The initial scan begins shortly after enabling the feature. You can view imported vulnerabilities in the Vulnerabilities section.

Troubleshooting

Missing Vulnerabilities

If expected vulnerabilities are not appearing:
  • Verify Dependabot Alerts are enabled in your GitHub repository settings
  • Ensure the Backline GitHub App has access to the repository
  • Check that the Enable Dependabot Scan option is checked in the GitHub integration configuration
  • Remember that only vulnerabilities with CVE identifiers are imported; Dependabot alerts without a CVE identifier will not appear

Repositories Not Scanned

If certain repositories are not being scanned:
  • Verify the repository is included in the Backline GitHub App installation
  • Check that Dependabot Alerts are enabled for that specific repository
  • Ensure the repository is not archived or disabled