GitHub, can we please get "is:bot"?

Back in 2021 I reported CVE-2021-22881, which was an open redirection exploit for Ruby on Rails (Rails) that allowed malicious actors to get legitimate sites to redirect to their own. In hindsight, I made a couple of mistakes when I reported this; I used my GitHub username, tktech, as the reporter, and I used my personal domain, tkte.ch, in the exploit example.

Not an issue at the time, but since then a multitude of bots have appeared on GitHub to automate dependency updates like renovate, mend, pull, and dependabot.

These bots periodically create automated pull requests to update dependencies for the repositories they're installed on. This is a fantastic feature that saves maintainers a lot of time and effort. The problem is that these bots are indexed by GitHub's search engine.

They're not hard to identify - in search results, [bot] is appended to the username ([ not being a valid character in a regular username). When viewing the PR or issue, a visually distinct bot badge is displayed next to the bot's name. This is great! It means GitHub already knows these are bots at the time they're indexed.

Flash forward to 2024. I'm searching for tktech in GitHub's search trying to find out why a repository is suddenly getting so much referral traffic from GitHub.com. Amazingly, there are 4.4k results for tktech under pull requests. I'm flattered, but I know I'm not that popular. Over 90% of these are automated dependency PRs from the aforementioned bots updating Rails projects that have been long abandoned. Since the Rails changelog that fixes the CVE-2021-22881 exploit attributes me by my GitHub username with a leading @, every single one of these links to me. This is an astonishing amount of noise to sift through. There is no situation where I would want to see these results, and they continue to multiply every week.

GitHub, can we please get an is:bot search filter? I would love to be able to exclude these results from my searches. I'm sure I'm not the only one.

In the meantime, we can resort to using a negation filter to exclude these results:

tktech -author:mend-for-github-com[bot] -author:renovate-bot -author:dependabot[bot] -author:pull[bot] -author:renovate[bot]
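The same workaround applied to results pulled from GitHub's search API, as an added example that is not part of the original post: it rebuilds the negation query from a list and drops bot-authored results client-side. It assumes each result carries the REST API's `user` object with `login` and `type` fields; the sample items are constructed.

```python
# Bot accounts named in the post's workaround query. "renovate-bot" appears
# there without the "[bot]" suffix, so a suffix check alone would miss it.
KNOWN_BOTS = [
    "mend-for-github-com[bot]",
    "renovate-bot",
    "dependabot[bot]",
    "pull[bot]",
    "renovate[bot]",
]

def build_query(term, bots=KNOWN_BOTS):
    """Return the search string: the term plus one -author: filter per bot."""
    return " ".join([term] + [f"-author:{b}" for b in bots])

def is_bot(item, bots=KNOWN_BOTS):
    """True if a search result was authored by a bot.

    Three signals, any of which is enough: the API marks the account type
    as "Bot", the login carries the "[bot]" suffix that regular usernames
    cannot contain, or the login is on the explicit list.
    """
    user = item.get("user") or {}  # the author object may be null
    login = user.get("login", "")
    return user.get("type") == "Bot" or login.endswith("[bot]") or login in bots

def drop_bots(items, bots=KNOWN_BOTS):
    """Keep only results that is_bot() does not flag."""
    return [i for i in items if not is_bot(i, bots)]

# Constructed sample shaped like the "items" array of a search response.
SAMPLE_ITEMS = [
    {"title": "Bump rails", "user": {"login": "dependabot[bot]", "type": "Bot"}},
    # Assumed to be a regular account, hence the explicit list entry.
    {"title": "Update dependency rails", "user": {"login": "renovate-bot", "type": "User"}},
    # Hypothetical bot not on the list: caught by type and suffix.
    {"title": "Update gems", "user": {"login": "some-app[bot]", "type": "Bot"}},
    {"title": "Fix redirect handling", "user": {"login": "example-human", "type": "User"}},
    {"title": "Imported issue", "user": None},
]

if __name__ == "__main__":
    print(build_query("tktech"))
    for item in drop_bots(SAMPLE_ITEMS):
        print(item["title"])
```

Filtering on the account type also catches bots that are not yet on the exclusion list, which the negation query cannot do.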