Dependabot Findings coming to GitHub Integration

Impacted Integration: GitHub

Description

JupiterOne is preparing to add Dependabot Findings and vulnerabilities to the GitHub integration. This will allow you to query any findings that GitHub has discovered while scanning your repositories for vulnerabilities.

In order to import this data to your JupiterOne account, your GitHub admin will need to grant access to an additional permission. If that permission is not granted, the integration will continue to run as expected, but the new data will not be imported to your JupiterOne account.

What changes are coming?

The github_finding, cve and cwe entities will be added.

JupiterOne will ingest GitHub Dependabot Vulnerability Alerts and any associated CVEs or CWEs. In order to ingest these entities, your GitHub Organization Administrator will need to accept JupiterOne’s additional permission request for read-only access to Dependabot alerts. Any previously unaccepted permissions will also need to be accepted before Dependabot data can be accessed.

The following new entities will be created:

Resource                      Entity _type      Entity _class
GitHub Vulnerability Alerts   github_finding    Finding
CVE                           cve               Vulnerability
CWE                           cwe               Weakness

The following relationships will be created with these entities:

Source Entity _type   Relationship _class   Target Entity _type
github_repo           HAS                   github_finding
github_finding        EXPLOITS              cwe
github_finding        IS                    cve
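As an added illustration (not part of the original release note), two J1QL queries over the entity types and relationship classes listed above: the first walks github_repo HAS github_finding IS cve to list vulnerable repositories, the second groups findings by the weakness they EXPLOIT. The property names repo.name, finding.displayName, vuln.name and weakness.name are assumptions about what the integration populates; only the entity and relationship names are confirmed by this note.

```j1ql
FIND github_repo AS repo
  THAT HAS github_finding AS finding
  THAT IS cve AS vuln
RETURN repo.name, finding.displayName, vuln.name

FIND github_finding AS finding
  THAT EXPLOITS cwe AS weakness
RETURN weakness.name, count(finding)
```

Both queries return empty results until the Dependabot alerts permission has been accepted and the new integration version has run at least once.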

Release Process

This release is a three-step process:

  1. Permissions Change: May 26 - Update the requested permissions in JupiterOne’s GitHub App. This change has already been made, and GitHub Organization Admins should already have received a notification about the requested permission.

  2. Dependabot Findings Available by Request: May 31 - For customers who request this update, we will release a new version of the integration that will use the permission to ingest these new entities. This will be rolling out only to accounts that request this change. To request access to this update, please contact your customer success manager.

  3. Dependabot Findings Generally Available: Summer 2022 - We will roll out this change to all customers later this summer after validation with initial customers who have requested this access.

Permissions Request

GitHub will automatically send an email to your GitHub Organization Admins, an “Updated Permissions Request,” notifying them of the new permissions that need to be accepted in the JupiterOne GitHub app in order to ingest data for the github_finding, cve and cwe entities.

The new permissions requested are:

  • Dependabot alerts

If the admin does not grant the new permissions, this data will not be imported to JupiterOne, but all other data will continue to be ingested as usual.

Ingesting findings and vulnerabilities may increase the amount of time needed for an integration job to complete. The polling interval may need to be adjusted to accommodate the longer run times.

Billable Assets Impact

Little to no impact: github_finding is a non-billable entity. While cve and cwe are billable entities, only one billable entity is created per CVE or CWE regardless of how many findings reference that CVE or CWE.

To request access to this update, please contact your assigned Customer Success Engineer.
