With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.
You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively, that is, even if you don’t specify a particular dependency, but a dependency of yours uses it, then you’re also dependent on that dependency.
GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them.
The supply chain features on GitHub are:
- Dependency graph
- Dependency review
- Dependabot 警报
- Dependabot 更新
- Dependabot 安全更新
- Dependabot 版本更新
The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.
Other supply chain features on GitHub rely on the information provided by the dependency graph.
- Dependency review uses the dependency graph to identify dependency changes and help you understand the security impact of these changes when you review pull requests.
- Dependabot cross-references dependency data provided by the dependency graph with the list of advisories published in the GitHub Advisory Database, scans your dependencies and generates Dependabot 警报 when a potential vulnerability or malware is detected.
- Dependabot 安全更新 use the dependency graph and Dependabot 警报 to help you update dependencies with known vulnerabilities in your repository.
Dependabot 版本更新 don't use the dependency graph and rely on the semantic versioning of dependencies instead. Dependabot 版本更新 help you keep your dependencies updated, even when they don’t have any vulnerabilities.
For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see "Securing your end-to-end supply chain."
To generate the dependency graph, GitHub looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.
- The dependency graph includes information on your direct dependencies and transitive dependencies.
- The dependency graph is automatically updated when you push a commit to GitHub that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
- You can see the dependency graph by opening the repository's main page on GitHub, and navigating to the Insights tab.
Additionally, you can use the Dependency submission API (beta) to submit dependencies from the package manager or ecosystem of your choice, even if the ecosystem is not supported by dependency graph for manifest or lock file analysis. 依赖关系图将显示按生态系统分组的已提交依赖项，但与从清单或锁定文件解析的依赖项分开显示。 有关使用依赖项提交 API 的详细信息，请参阅“使用依赖项提交 API”。
For more information about the dependency graph, see "About the dependency graph."
Dependency review helps reviewers and contributors understand dependency changes and their security impact in every pull request.
- Dependency review tells you which dependencies were added, removed, or updated, in a pull request. You can use the release dates, popularity of dependencies, and vulnerability information to help you decide whether to accept the change.
- You can see the dependency review for a pull request by showing the rich diff on the Files Changed tab.
For more information about dependency review, see "About dependency review."
Dependabot keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies, and automatically opens pull requests to upgrade your dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published.
The term "Dependabot" encompasses the following features:
- Dependabot 警报—Displayed notification on the Security tab for the repository, and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
- Dependabot 更新:
- Dependabot 安全更新—Triggered updates to upgrade your dependencies to a secure version when an alert is triggered.
- Dependabot 版本更新—Scheduled updates to keep your dependencies up to date with the latest version.
Dependabot 警报 highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the GitHub Advisory Database, which contains advisories for known vulnerabilities and malware.
Dependabot performs a scan to detect insecure dependencies and sends Dependabot 警报 when:
- A new advisory is added to the GitHub Advisory Database.
- The dependency graph for the repository changes.
Dependabot 警报 are displayed on the Security tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
For more information, see "About Dependabot 警报."
There are two types of Dependabot 更新: Dependabot security updates and version updates. Dependabot generates automatic pull requests to update your dependencies in both cases, but there are several differences.
- Triggered by a Dependabot alert
- Update dependencies to the minimum version that resolves a known vulnerability
- Supported for ecosystems the dependency graph supports
- Does not require a configuration file, but you can use one to override the default behavior
- Requires a configuration file
- Run on a schedule you configure
- Update dependencies to the latest version that matches the configuration
- Supported for a different group of ecosystems
- Dependency graph—enabled by default and cannot be disabled.
- Dependency review—enabled by default and cannot be disabled.
- Dependabot 警报—not enabled by default. GitHub detects insecure dependencies and displays information in the dependency graph, but does not generate Dependabot 警报 by default. Repository owners or people with admin access can enable Dependabot 警报. You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see "Managing security and analysis settings for your user account" or "Managing security and analysis settings for your organization."
Dependency graph—not enabled by default. The feature can be enabled by repository administrators. For more information, see "Exploring the dependencies of a repository."
Dependency review—available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see the GitHub Enterprise Cloud documentation.
Dependabot 警报—not enabled by default. Owners of private repositories, or people with admin access, can enable Dependabot 警报 by enabling the dependency graph and Dependabot 警报 for their repositories. You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see "Managing security and analysis settings for your user account" or "Managing security and analysis settings for your organization."
Any repository type:
- Dependabot 安全更新—not enabled by default. You can enable Dependabot 安全更新 for any repository that uses Dependabot 警报 and the dependency graph. For information about enabling security updates, see "Configuring Dependabot 安全更新."
- Dependabot 版本更新—not enabled by default. People with write permissions to a repository can enable Dependabot 版本更新. For information about enabling version updates, see "Configuring Dependabot 版本更新."