Configuring Dependabot alerts

Enable Dependabot alerts to be generated when a new vulnerable dependency is found in one of your repositories.

谁可以使用此功能?

  • 存储库管理员、组织所有者以及具有“写入”或“维护”访问权限的人员********
  • 具有显式访问权限的用户和团队。 请参阅授予对安全警报的访问权限

本文内容

About Dependabot alerts for vulnerable dependencies

漏洞是项目代码中的问题,可能被利用来损害机密性、完整性或者该项目或其他使用其代码的项目的可用性。 漏洞的类型、严重性和攻击方法各不相同。

Dependabot scans code when a new advisory is added to the GitHub Advisory Database or the dependency graph for a repository changes. When vulnerable dependencies are detected, Dependabot alerts are generated. For more information, see 关于 Dependabot 警报.

如果已启用存储库的 Dependabot security updates,警报中还会包含一个拉取请求链接,用于将清单或锁定文件更新到可解决该漏洞的最低版本。 有关详细信息,请参阅“关于 Dependabot 安全更新”。

You can enable or disable Dependabot alerts for:

  • Your personal account
  • Your repository
  • Your organization

此外,可以使用 Dependabot 自动分类规则 大规模管理警报,以便自动关闭或推迟警报,并指定希望 Dependabot 打开拉取请求的警报。 有关不同类型的自动会审规则以及仓库是否符合条件的信息,请参阅“关于 Dependabot 自动分类规则”。

Managing Dependabot alerts for your personal account

You can enable or disable Dependabot alerts for all repositories owned by your personal account.

Go to your security settings

Enabling or disabling Dependabot alerts for existing repositories

  1. Under "Advanced Security", to the right of Dependabot alerts, click Disable all or Enable all.
  2. Optionally, to enable Dependabot alerts by default for new repositories that you create, in the dialog box, select "Enable by default for new repositories".
  3. Click Disable Dependabot alerts or Enable Dependabot alerts to disable or enable Dependabot alerts for all the repositories you own.

When you enable Dependabot alerts for existing repositories, you will see any results displayed on GitHub within minutes.

Enabling or disabling Dependabot alerts for new repositories

  1. Under "Advanced Security", to the right of Dependabot alerts, select Automatically enable for new repositories.

Managing Dependabot alerts for your repository

You can manage Dependabot alerts for your public, private or internal repository.

By default, we notify people with write, maintain, or admin permissions in the affected repositories about new Dependabot alerts. GitHub never publicly discloses insecure dependencies for any repository. You can also make Dependabot alerts visible to additional people or teams working on repositories that you own or have admin permissions for.

如果启用了安全和分析功能,GitHub 将对存储库执行只读分析。

Enabling or disabling Dependabot alerts for a repository

  1. 在 GitHub 上,导航到存储库的主页面。

  2. 在仓库名称下,单击 “Settings”****。 如果看不到“设置”选项卡,请选择“”下拉菜单,然后单击“设置”。

    存储库标头的屏幕截图,其中显示了选项卡。 “设置”选项卡以深橙色边框突出显示。

  3. 在边栏的“Security”部分中,单击“ Advanced Security”****。

  4. Under "Advanced Security", to the right of Dependabot alerts, click Enable to enable alerts or Disable to disable alerts.

Managing Dependabot alerts for your organization

You can enable Dependabot alerts for all eligible repositories in your organization. For more information, see About enabling security features at scale.