Artifact Storage Record API in partnership with JFrog [public preview] #18694 (#57404)

tinaheidinger · subatoi · mchammer01 · web-flow · commit 70547176ea92 · 2025-09-08T17:45:33.000Z
Co-authored-by: Ben Ahmady &lt;32935794+subatoi@users.noreply.github.com&gt;
Co-authored-by: mc &lt;42146119+mchammer01@users.noreply.github.com&gt;
Co-authored-by: Meredith Lancaster &lt;malancas@users.noreply.github.com&gt;
diff --git a/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/index.md b/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/index.md
@@ -12,6 +12,7 @@ topics:
 children:
   - /about-your-exposure-to-vulnerable-dependencies
   - /prioritizing-dependabot-alerts-using-metrics
+  - /prioritizing-dependabot-alerts-using-production-context
 redirect_from:
   - /code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilites
 ---
diff --git a/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/prioritizing-dependabot-alerts-using-production-context.md b/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/prioritizing-dependabot-alerts-using-production-context.md
@@ -0,0 +1,60 @@
+---
+title: Prioritizing Dependabot alerts using production context
+shortTitle: Dependabot production context
+intro: 'You can focus remediation on real risk by prioritizing {% data variables.product.prodname_dependabot_alerts %} for artifacts actually present in production, using metadata from external registries like JFrog Artifactory or your own CI/CD workflows.'
+product: '{% data reusables.gated-features.dependabot-alerts %}'
+versions:
+  fpt: '*'
+  ghec: '*'
+type: how_to
+topics:
+  - Code Security
+  - Dependabot
+  - Organizations
+  - Security
+---
+
+> [!NOTE] Production context is in {% data variables.release-phases.public_preview %} and subject to change.
+
+## Prioritizing {% data variables.product.prodname_dependabot_alerts %} using production context
+
+Application Security (AppSec) managers are often overwhelmed by a high volume of {% data variables.product.prodname_dependabot_alerts %}, many of which may not represent real risk because the affected code never makes it to production. By associating production context with your alerts, you can filter and prioritize vulnerabilities that impact artifacts actually approved for production environments. This enables your team to focus remediation efforts on the vulnerabilities that matter most, reducing noise and improving your security posture.
+
+## Associating production context with {% data variables.product.prodname_dependabot_alerts %}
+
+{% data variables.product.github %} enables production context for your {% data variables.product.prodname_dependabot_alerts %} by providing a Storage Record API. This API allows package registries or GitOps workflows to send artifact lifecycle data to {% data variables.product.github %}. The API should be called whenever an artifact is promoted to a production-approved package repository.
+
+{% data variables.product.github %} processes this metadata and uses it to power new alert filters, such as `artifact-registry-url` and `artifact-registry`. For more information, see [Create artifact metadata storage record](/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-artifact-metadata-storage-record) in the REST API documentation.
+
+## Steps to prioritize alerts
+
+Follow these steps to enable and use production context for alert prioritization:
+
+### Step 1: Detect and report production artifact promotions
+
+In your CI/CD or GitOps workflow, whenever an artifact is promoted to a production-approved package repository, call the Storage Record API to to send the artifact's metadata to {% data variables.product.github %}. This includes information such as the artifact's registry, repository, and version. See [AUTOTITLE](/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-artifact-metadata-storage-record).
+
+If you use JFrog Artifactory, you do not need to perform any custom integration. Artifactory natively integrates with the Storage Record API. You only need to enable the integration in your Artifactory settings, and Artifactory will automatically emit production promotion events to {% data variables.product.github %}.
+
+The `artifact-registry:jfrog-artifactory` filter will work out of the box with no further setup in {% data variables.product.github %}. For setup instructions, see [JFrog and GitHub Integration: JFrog for [{% data variables.product.github %} {% data variables.product.prodname_dependabot %}]](https://jfrog.com/help/r/jfrog-and-github-integration-guide/jfrog-for-github-dependabot) in the JFrog documentation.
+
+### Step 2: Use production context filters
+
+{% data reusables.dependabot.where-to-view-dependabot-alerts %}. For information about accessing this tab, see [Viewing {% data variables.product.prodname_dependabot_alerts %}](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-dependabot-alerts).
+
+Once the alert list is displayed, use the `artifact-registry-url` or `artifact-registry` filters to focus on vulnerabilities affecting artifacts present in production. For example:
+
+```text
+artifact-registry-url:my-registry.example.com
+artifact-registry:jfrog-artifactory
+```
+
+You can also combine these with other filters, such as EPSS.
+
+```text
+epss > 0.5 AND artifact-registry-url:my-registry.example.com
+```
+
+## Further reading
+
+* [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/prioritizing-dependabot-alerts-using-metrics)
diff --git a/data/reusables/dependabot/dependabot-alerts-filters.md b/data/reusables/dependabot/dependabot-alerts-filters.md
@@ -2,6 +2,10 @@ You can sort and filter {% data variables.product.prodname_dependabot_alerts %}
 
 | Option | Description | Example |
 |:---|:---|:---|
+| {% ifversion fpt or ghec %} |
+| `artifact-registry` | Displays alerts only for dependencies that have been promoted to production in the specified repository manager.| `artifact-registry:jfrog-artifactory` will show any alerts alerts for dependencies that have been promoted to production in JFrog Artifactory. |
+| `artifact-registry-url` | Displays alerts related to artifacts present in a production-approved registry URL. | `artifact-registry-url:my-registry.example.com` will show any alerts for vulnerabilities affecting artifacts stored in the `my-registry.example.com` registry URL. |
+| {% endif %} |
 | `CVE-ID`| Displays alerts associated with this `CVE-ID` | `CVE-2020-28482` will show any alerts whose underlying advisory has this CVE ID number. |
 | `ecosystem` | Displays alerts for the selected ecosystem | Use `ecosystem:npm` to show {% data variables.product.prodname_dependabot_alerts %} for npm |
 | `GHSA-ID`| Displays alerts associated with this `GHSA-ID` | `GHSA-49wp-qq6x-g2rf` will show any alerts whose underlying advisory has this {% data variables.product.prodname_advisory_database %} ID. |
