[REST] Get a diff of the dependencies between commits doesn't mention you have to enable it

[jsoref]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28#get-a-diff-of-the-dependencies-between-commits

What part(s) of the article would you like to see updated?

The content should explain that you might have to enable the feature and if so under what conditions.

Additional information

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
claims:

Dependency review is enabled on public repositories. Dependency review is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

This appears to be at best misleading.

% curl -s -S https://":$GH_TOKEN"@api.github.com/repos/actions/dependency-review-action/dependency-graph/compare/3e6e055a2667e41051d1e7c2ab239bfba84d652f...d8b4cd80d50fc9d67a9f771c7dd5c2eb76d6d608 | head -5
[
  {
    "change_type": "added",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
% curl -s -S https://":$GH_TOKEN"@api.github.com/repos/jsoref/dependency-review-action/dependency-graph/compare/3e6e055a2667e41051d1e7c2ab239bfba84d652f...d8b4cd80d50fc9d67a9f771c7dd5c2eb76d6d608 | head -5
{
  "message": "Forbidden",
  "documentation_url": "https://docs.github.com/rest"
}

https://github.com/jsoref/dependency-review-action/network/dependencies

I have no idea if it's disabled because it's a fork or because of an org policy or .... The repository is a public fork of a public repository.

[cmwilson21]

👋 @jsoref Thanks for opening an issue and providing the details and screenshots!

I'll get this triaged for review 👀

[jsoref]

The https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review text should probably change:

-Dependency review is enabled on public repositories.
+Dependency review is available on public repositories.
 Dependency review is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.

[kyanny]

I noticed that GHAS needs to be enabled for the repo to call Get a diff of the dependencies between commits REST API.

❯ gh api /repos/kyanny-corp-enterprise-cloud-testing/testrepo | jq '.security_and_analysis'
{
  "advanced_security": {
    "status": "enabled"   <--- GHAS is enabled
  },
  "secret_scanning": {
    "status": "disabled"
  },
  "secret_scanning_push_protection": {
    "status": "disabled"
  }
}

❯ gh api /repos/kyanny-corp-enterprise-cloud-testing/testrepo/dependency-graph/compare/main...kyanny-patch-11
[]

❯ gh api /repos/kyanny-corp-enterprise-cloud-testing/testrepo | jq '.security_and_analysis'
{
  "advanced_security": {
    "status": "disabled"   <--- GHAS is disabled
  },
  "secret_scanning": {
    "status": "disabled"
  },
  "secret_scanning_push_protection": {
    "status": "disabled"
  }
}

❯ gh api /repos/kyanny-corp-enterprise-cloud-testing/testrepo/dependency-graph/compare/main...kyanny-patch-11
{
  "message": "Forbidden",
  "documentation_url": "https://docs.github.com/rest"
}
gh: Forbidden (HTTP 403)

It would be great if we can make it clear, too.

[docubot]

Thank you for opening this issue! Updates to the REST/GraphQL API description must be made internally. I have copied your issue to an internal issue, so I will close this issue.