# Dependabot alerts

Dependabot alerts help you find and fix vulnerable dependencies before they become security risks.

Software often relies on packages from various sources, creating dependency relationships that can unknowingly introduce security vulnerabilities. When your code depends on packages with known security vulnerabilities, you become a target for attackers seeking to exploit your system—potentially gaining access to your code, data, customers, or contributors. Dependabot alerts notify you about vulnerable dependencies so you can upgrade to secure versions and protect your project.

## When Dependabot sends alerts

Dependabot scans your repository's default branch and sends alerts when:

* New advisory data is synchronized to GitHub each hour from GitHub.com. For more information, see [Browsing security advisories in the GitHub Advisory Database](/ko/enterprise-server@3.17/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database).
* Your dependency graph changes, for example when you push commits that update packages or versions.

For supported ecosystems, see [Dependency graph supported package ecosystems](/ko/enterprise-server@3.17/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems).

## Understanding alerts

When GitHub detects a vulnerable dependency, a Dependabot alert appears on the repository's **Security** tab and in the dependency graph. Each alert includes:

* A link to the affected file
* Details about the vulnerability and its severity
* Information about a fixed version (when available)

For information about viewing and managing alerts, see [Viewing and updating Dependabot alerts](/ko/enterprise-server@3.17/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).

## Who can enable alerts?

Repository administrators and organization owners can enable Dependabot alerts for their repositories. When enabled, GitHub immediately generates the dependency graph and creates alerts for any vulnerable dependencies it identifies.

Before you can use this feature, an enterprise owner must enable Dependabot alerts for your GitHub Enterprise Server instance. For more information, see [Enabling Dependabot for your enterprise](/ko/enterprise-server@3.17/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).

See [Configuring Dependabot alerts](/ko/enterprise-server@3.17/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).

## How alert notifications work

By default, GitHub sends email notifications about new alerts to people who both:

* Have write, maintain, or admin permissions to a repository
* Are watching the repository and have enabled notifications for security alerts or for all activity on the repository

Regardless of your notification preferences, when Dependabot is first enabled, GitHub does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after Dependabot is enabled, if your notification preferences allow it.

If you are concerned about receiving too many notifications, we recommend using Dependabot auto-triage rules to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. See [About Dependabot auto-triage rules](/ko/enterprise-server@3.17/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).

Alternatively, you can opt into the weekly email digest, or even completely turn off notifications while keeping Dependabot alerts enabled.

## Limitations

Dependabot alerts have some limitations:

* Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
* New vulnerabilities may take time to appear in the GitHub Advisory Database and trigger alerts.
* Only advisories reviewed by GitHub trigger alerts.
* Dependabot doesn't scan archived repositories.
* Dependabot doesn't generate alerts for malware.
* For GitHub Actions, alerts are generated only for actions that use semantic versioning rather than SHA pinning.

## Further reading

* [Viewing and updating Dependabot alerts](/ko/enterprise-server@3.17/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
* [About Dependabot security updates](/ko/enterprise-server@3.17/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)
* [Auditing security alerts](/ko/enterprise-server@3.17/code-security/getting-started/auditing-security-alerts)