# Automatic Dependabot access to GitHub-hosted registries

Keep your private dependencies up to date reliably by granting Dependabot automatic access to GitHub Packages and Container registry, so you never need to create or rotate credentials for these registries.

## About automatic access to GitHub-hosted registries

Dependabot can authenticate to private GitHub Packages and Container registry packages using the same access grants that GitHub Actions workflows use. If a package has granted your repository **Read** access in the package settings on GitHub, Dependabot can access that package automatically.

This eliminates the need to:

* Create and manage personal access tokens for registry access
* Manually configure access to GitHub-hosted registries in your `dependabot.yml` file
* Rotate credentials when tokens expire

## How automatic access works

Dependabot uses its `GITHUB_TOKEN` to request `packages: read` permission when pulling from `*.pkg.github.com` and `ghcr.io`. Any package that has granted your repository access through "Manage Actions access" accepts this token, the same way it would for a regular GitHub Actions workflow. See [패키지의 액세스 제어 및 표시 여부 구성](/ko/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package).git s

This works for every GitHub Packages ecosystem that Dependabot supports.

## When to use automatic access

Use automatic access to GitHub-hosted registries when:

* Your repositories depend on private packages stored in GitHub Packages or Container registry.
* You want to reduce credential management overhead.
* You want to avoid silent update failures caused by expired personal access tokens.

For third-party registries (such as Artifactory, Azure Artifacts, or Nexus), you can only use the `dependabot.yml` registry configuration or organization-level private registry settings. See [Dependabot에 대한 개인 레지스트리 액세스 구성](/ko/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot).

## How to enable automatic access

For each package that Dependabot needs to read, you need to go to the package's settings page and add the repository that runs Dependabot with **Read** access. See [Dependabot에 대한 개인 레지스트리 액세스 구성](/ko/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#configuring-private-github-hosted-registries).

Once the repository has been granted access, Dependabot can pull from that package automatically. You do not need to configure the `dependabot.yml` file, and you can remove any existing personal access token-based registry entries you previously added for these packages.

For more information about configuring package access, see [패키지의 액세스 제어 및 표시 여부 구성](/ko/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package).