Feature Request: Could it be possible that once the alerts on dependabot are closed, the Jira ticket also closes automatically? #262

Open
Shweta4398 opened this issue May 12, 2023 · 6 comments
Labels
enhancement New feature or request

Comments

@Shweta4398

Hello Team,

I am reaching out to you regarding a new issue that we have encountered. Actually, we wanted a way wherein, when the dependabot alerts get closed from the security tab in GHAS, the Jira tickets which are created using dependabot-workflow should also be closed automatically.

Can you please help us with it?

Thanks,
Shweta.

@xendk
Member

xendk commented May 22, 2023

Would be a nice feature, but it depends on your workflow. In our case, it would be more handy if handling the Jira ticket would close the Dependabot alert as we handle the issues in Jira.

We have no current plans to implement something along these lines, but PRs are welcome.

@markstos

@xendk Does it work now that closing the Jira issue closes the dependabot issue? I didn't see that feature mentioned in the README.

@xendk
Member

xendk commented Aug 22, 2023

@markstos No, I was just thinking it would be handier for us than the other way around as suggested by the OP.

@markstos

If there's no two-way connection, then doesn't this tool cause double the items to track, since all the alerts exist in both dependabot and Jira? Or is the idea that you just ignore the dependabot alerts piling up, or manually delete them periodically?

@xendk
Member

xendk commented Aug 23, 2023

Dependabot closes its issues when the issue is fixed. So if you close the issue in Jira when you've dealt with it, then the dependabot listing only contains the ones you've decided to ignore. Some might consider this a feature.

This tool was built because dependabot alerts were poorly dealt with. In some companies Jira issues have higher visibility (I'd love to have customers and project managers actively following Github security issues, but this is not the reality I'm living in).

@markstos

@xendk Thanks for the explanation. My company also uses Jira and not Github issues, so it may also help us.

@kasperg kasperg added the enhancement New feature or request label Sep 18, 2023

4 participants