feat: write back to Dependabot when security findings are auto-dismissed#440

Merged
jeanduplessis merged 3 commits into main from jdp/dependabot-write-back on Feb 24, 2026
Conversation

jeanduplessis (Contributor) commented Feb 22, 2026

Summary

  • When the security agent auto-dismisses a finding (via triage or sandbox analysis), also dismiss the corresponding Dependabot alert on GitHub via the API
  • Previously only manual dismissals wrote back to Dependabot; this extends writeback to maybeAutoDismissAnalysis and the bulk autoDismissEligibleFindings flow
  • Writeback is wrapped in error handling so GitHub API failures don't break the local auto-dismiss flow — errors are logged to Sentry but the dismissal still succeeds

Changes

  • auto-dismiss-service.ts: Added writebackDependabotDismissal (fetches finding + integration, calls dismissDependabotAlert) and safeWritebackDependabotDismissal (error-safe wrapper). Integrated into sandbox auto-dismiss, triage auto-dismiss, and bulk auto-dismiss paths.
  • auto-dismiss-service.test.ts: New test file covering writeback for sandbox/triage auto-dismiss, skip conditions (non-dependabot source, missing integration, invalid source_id, bad repo name), and resilience when GitHub API fails.

kiloconnect bot (Contributor) commented Feb 22, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

The PR adds Dependabot writeback functionality to the auto-dismiss service. When findings are auto-dismissed (via triage, sandbox, or bulk), the corresponding Dependabot alert on GitHub is also dismissed via the API.

Key observations:

  • writebackDependabotDismissal properly validates all preconditions (source type, alert number parsing, repo name format, installation ID) with early returns for each invalid state.
  • safeWritebackDependabotDismissal wraps the writeback in try/catch with Sentry error reporting, ensuring writeback failures are non-fatal.
  • The writeback is integrated into all three dismiss paths (sandbox, triage, bulk) consistently, always called after dismissFinding so a writeback failure cannot prevent local dismissal.
  • The previous review comment about misleading JSDoc has been addressed — the doc now correctly states the function may throw.
  • Tests cover the happy path, all skip conditions, both sandbox and triage auto-dismiss flows with writeback verification, disabled auto-dismiss, and error resilience when the Dependabot API fails.
Files Reviewed (2 files)
  • src/lib/security-agent/services/auto-dismiss-service.ts
  • src/lib/security-agent/services/auto-dismiss-service.test.ts
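The pattern the PR summary and the review above describe, written out as an added example that is not the project's own code: validate every precondition with an early return, build the Dependabot dismissal call, and wrap the GitHub call so a failure is reported rather than propagated, with the local dismissal committed before the write-back is attempted. Every type and function name here (Finding, Integration, DependabotClient, ErrorReporter, buildDismissRequest, safeWritebackDismissal, autoDismiss) is an assumption; the one thing taken from GitHub's documented REST API is the shape of the call, PATCH /repos/{owner}/{repo}/dependabot/alerts/{alert_number} with state "dismissed". The client and reporter are synchronous stand-ins for the real async GitHub client and Sentry so the block runs offline.

```typescript
// Added example (not the project's code). Names are assumptions; the Dependabot
// REST call modelled is PATCH /repos/{owner}/{repo}/dependabot/alerts/{alert_number}.

type DismissReason = "fix_started" | "inaccurate" | "no_bandwidth" | "not_used" | "tolerable_risk";

interface Finding {
  id: string;
  source: string;            // "dependabot" for alerts imported from GitHub
  source_id: string;         // the Dependabot alert number, stored as text
  repo_full_name: string;    // "owner/repo"
  integration_id: string | null;
}

interface Integration {
  id: string;
  github_installation_id: number | null;  // GitHub App installation used for the API call
}

interface DismissRequest {
  method: "PATCH";
  path: string;
  installationId: number;
  body: { state: "dismissed"; dismissed_reason: DismissReason; dismissed_comment: string };
}

type WritebackOutcome =
  | { status: "sent"; request: DismissRequest }
  | { status: "skipped"; reason: string }
  | { status: "failed"; request: DismissRequest; error: string };

// Stand-ins: the real client is async and the real reporter is Sentry.captureException.
interface DependabotClient { dismiss(req: DismissRequest): void }
interface ErrorReporter { captureException(err: unknown, ctx: Record<string, unknown>): void }

const SEGMENT = /^[A-Za-z0-9_.-]+$/;

// Check every precondition and build the request; this function never throws.
// source_id and repo_full_name come from stored data and end up in an API path,
// so non-numeric ids and "." / ".." path segments are rejected, not passed through.
function buildDismissRequest(
  finding: Finding, integration: Integration | null, reason: DismissReason, comment: string,
): WritebackOutcome {
  if (finding.source !== "dependabot") return { status: "skipped", reason: "source is not dependabot" };
  if (!integration) return { status: "skipped", reason: "no GitHub integration for finding" };
  if (integration.github_installation_id === null) return { status: "skipped", reason: "integration has no installation id" };
  if (!/^[1-9][0-9]*$/.test(finding.source_id) || !Number.isSafeInteger(Number(finding.source_id))) {
    return { status: "skipped", reason: `source_id ${JSON.stringify(finding.source_id)} is not an alert number` };
  }
  const parts = finding.repo_full_name.split("/");
  if (parts.length !== 2 || parts.some((p) => !SEGMENT.test(p) || p === "." || p === "..")) {
    return { status: "skipped", reason: `repo name ${JSON.stringify(finding.repo_full_name)} is not owner/repo` };
  }
  const [owner, repo] = parts;
  return {
    status: "sent",
    request: {
      method: "PATCH",
      path: `/repos/${owner}/${repo}/dependabot/alerts/${finding.source_id}`,
      installationId: integration.github_installation_id,
      body: { state: "dismissed", dismissed_reason: reason, dismissed_comment: comment },
    },
  };
}

// Error-safe wrapper: a GitHub failure is reported and returned as an outcome, never thrown.
function safeWritebackDismissal(
  finding: Finding, integration: Integration | null, reason: DismissReason, comment: string,
  client: DependabotClient, reporter: ErrorReporter,
): WritebackOutcome {
  const outcome = buildDismissRequest(finding, integration, reason, comment);
  if (outcome.status !== "sent") return outcome;
  try {
    client.dismiss(outcome.request);
    return outcome;
  } catch (err) {
    reporter.captureException(err, { findingId: finding.id, path: outcome.request.path });
    return { status: "failed", request: outcome.request, error: err instanceof Error ? err.message : String(err) };
  }
}

// Order matters: local dismissal first, write-back second, so a GitHub outage can only
// leave the alert open on GitHub and never leave the finding un-dismissed locally.
function autoDismiss(
  dismissed: Set<string>, finding: Finding, integration: Integration | null,
  client: DependabotClient, reporter: ErrorReporter,
): { locallyDismissed: boolean; writeback: WritebackOutcome } {
  dismissed.add(finding.id);
  const writeback = safeWritebackDismissal(
    finding, integration, "inaccurate", "Auto-dismissed by security agent analysis", client, reporter);
  return { locallyDismissed: dismissed.has(finding.id), writeback };
}

// Constructed sample data plus a client that simulates a GitHub 5xx.
const sampleFinding: Finding = { id: "f-1", source: "dependabot", source_id: "42", repo_full_name: "acme/payments", integration_id: "i-1" };
const sampleIntegration: Integration = { id: "i-1", github_installation_id: 12345 };
const failingClient: DependabotClient = { dismiss() { throw new Error("502 Bad Gateway"); } };
function recordingReporter(): ErrorReporter & { captured: unknown[] } {
  const captured: unknown[] = [];
  return { captured, captureException(err) { captured.push(err); } };
}

const demo = autoDismiss(new Set(), sampleFinding, sampleIntegration, failingClient, recordingReporter());
console.log(demo.locallyDismissed, demo.writeback.status); // true "failed"
```

The `autoDismiss` ordering is the property worth a test of its own: with the failing client the finding is still in the dismissed set and the error lands in the reporter, which is exactly the resilience case the PR's test file is described as covering.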

kiloconnect bot and others added 2 commits February 24, 2026 10:57
When the security agent auto-dismisses a finding (via triage or sandbox
analysis), also dismiss the corresponding Dependabot alert on GitHub.

Previously, only manual dismissals wrote back to Dependabot. This change
adds the same writeback to the auto-dismiss flow (maybeAutoDismissAnalysis)
and the bulk auto-dismiss flow (autoDismissEligibleFindings).

The writeback is wrapped in error handling so that a GitHub API failure
does not break the auto-dismiss flow — errors are logged to Sentry but
the local dismissal still succeeds.
jeanduplessis force-pushed the jdp/dependabot-write-back branch from 5b08274 to 8daba2f on February 24, 2026 08:58
Base automatically changed from jdp/security-agent-analysis-mode to main on February 24, 2026 09:23
jeanduplessis merged commit e1f8968 into main on Feb 24, 2026
12 checks passed
jeanduplessis deleted the jdp/dependabot-write-back branch on February 24, 2026 10:11

2 participants