We are looking to set up Dependabot scanning on multiple branches in our repository. This has worked great, but when we look at the Dependabot alerts, it's not apparent which branch the alert was generated from. We'd like to see that, or possibly be able to add a label to each of the configurations in the dependabot.yml file so we can identify which branch generated the alert from the alerts list.
jknackCW changed the title from "Filter dependabot alerts by branch discovered on" to "Filter by or view branch that dependabot alerts are discovered on" on Jan 17, 2024
@jknackCW I'm a little confused, because Dependabot alerts does not support scanning more than the default branch. When you say "alert," do you mean security alert, or pull request? (Dependabot version updates supports multiple branches, but security updates and alerts do not.) What is your configuration?
@carogalvin, thank you for sharing the link to that issue thread. This clarifies and corrects our understanding of what we thought we were seeing.
We're trying to monitor what alerts have been resolved by engineering (develop branch) and what alerts have been deployed to production (main branch). If possible we'd like to capture alerts for both of those and allow our DevSecOps to report based on what is currently in production (main) and for engineering to work off reports based on develop so we know what we've resolved.