Does a Rest API endpoint exist for enabling the dependency graph on a per repo basis?

[dev-james-ev]

Select Topic Area

Question

Body

I'm trying to enable the dependency graph on a per repo basis, rather then at a global org or enterprise level. I can't seem to see it in the repo settings when I call https://api.github.com/repos/{user}/{repo}/ is this not possible via the rest API? Thanks!

[julienborgeon]

Hi!

You can enable the dependency graph on a per-repo basis, but it's not exposed as a field on GET /repos/{owner}/{repo}.
GitHub wires this through the vulnerability alerts API (enabling vulnerability alerts for a repo also enables the dependency graph for that repo).

You can do it via REST with something like:

curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR_TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/vulnerability-alerts

This requires admin permissions on the repo and a token with Administration (write) rights.
To disable it again, simply use DELETE /repos/{owner}/{repo}/vulnerability-alerts.

One caveat: if your org or enterprise has dependency graph / security and analysis disabled at the org level, you won’t be able to override that per-repo (you'd need an org/enterprise admin to change the global settings first).

Hope that clears it up! 😊

[dev-james-ev]

Hi, Thanks for the quick answer, this does turn on the dependency graph :D

One quick question, through the UI you can enable just the dependency graph and not the Dependabot alerts as well, I'm guessing there is no way to just enable the graph and not the alerts via the API?

[julienborgeon]

As far as I can tell, the REST API doesn't currently offer a separate switch for "dependency graph only." The only available endpoint is:

PUT /repos/{owner}/{repo}/vulnerability-alerts

And per the docs, that endpoint enables both the dependency graph and dependabot alerts together: https://docs.github.com/en/rest/repos/repos#enable-vulnerability-alerts

In the UI, you can enable the graph without alerts, but I haven't seen an API equivalent for that.

So for now, it looks like "graph only" is UI-only. If you need programmatic control, a feature request might be the way to go ?

[dev-james-ev]

It's not a huge issue, I'm looking at making a PR for PyGithub to handle dependency graph stuff and this was just an unknown on that thread. Thanks for your Help!

[julienborgeon]

You're welcome! Good luck with the PR 😊