Skip to main content

Viewing and updating Dependabot alerts

If GitHub Enterprise Cloud discovers insecure dependencies in your project, you can view details on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the alert.

Who can use this feature

Repository administrators and organization owners can view and update dependencies, as well as users and teams with explicit access.

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and corresponding Dependabot security updates. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see "About Dependabot alerts."

You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see "About Dependabot security updates."

About updates for vulnerable dependencies in your repository

GitHub Enterprise Cloud generates Dependabot alerts when we detect that your codebase is using dependencies with known security risks. For repositories where Dependabot security updates are enabled, when GitHub Enterprise Cloud detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.

Each Dependabot alert has a unique numeric identifier and the Dependabot alerts tab lists an alert for every detected vulnerability. Legacy Dependabot alerts grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy Dependabot alert, you will be redirected to a Dependabot alerts tab filtered for that package.

You can filter and sort Dependabot alerts using a variety of filters and sort options available on the user interface. For more information, see "Prioritizing Dependabot alerts" below.

Prioritizing Dependabot alerts

GitHub helps you prioritize fixing Dependabot alerts. By default, Dependabot alerts are sorted by importance. The "Most important" sort order helps you prioritize which Dependabot alerts to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.

Screenshot of Sort dropdown with "Most important" sort

You can sort and filter Dependabot alerts by typing filters as key:value pairs into the search bar.

OptionDescriptionExample
ecosystemDisplays alerts for the selected ecosystemUse ecosystem:npm to show Dependabot alerts for npm
hasDisplays alerts meeting the selected filter criteriaUse has:patch to show alerts related to advisories that have a patch
Use has:vulnerable-calls to show alerts relating to calls to vulnerable functions
isDisplays alerts based on their stateUse is:open to show open alerts
manifestDisplays alerts for the selected manifestUse manifest:webwolf/pom.xml to show alerts on the pom.xml file of the webwolf application
packageDisplays alerts for the selected packageUse package:django to show alerts for django
resolutionDisplays alerts of the selected resolution statusUse resolution:no-bandwidth to show alerts previously parked due to lack of resources or time to fix them
repoDisplays alerts based on the repository they relate to
Note that this filter is only available on the security overview. For more information, see "About the security overview"
Use repo:octocat-repo to show alerts in the repository called octocat-repo
scopeDisplays alerts based on the scope of the dependency they relate toUse scope:development to show alerts for dependencies that are only used during development
severityDisplays alerts based on their level of severityUse severity:high to show alerts with a severity of High
sortDisplays alerts according to the selected sort orderThe default sorting option for alerts is sort:most-important, which ranks alerts by importance
Use sort:newest to show the latest alerts reported by Dependabot

In addition to the filters available via the search bar, you can sort and filter Dependabot alerts using the dropdown menus at the top of the alert list. The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for yaml.load() API could execute arbitrary code will return Dependabot alerts linked to "PyYAML insecurely deserializes YAML strings leading to arbitrary code execution" as the search string appears in the advisory description.

Screenshot of the filter and sort menus in the Dependabot alerts tab

Supported ecosystems and manifests for dependency scope

下表总结了各种生态系统和清单是否支持依赖项范围,即 Dependabot 是否可以识别依赖项用于开发还是生产。

语言生态系统清单文件支持依赖项范围
GoGo 模块go.mod否,默认为运行时
GoGo 模块go.sum否,默认为运行时
JavaMavenpom.xmltest 映射到开发,否则范围默认为运行时
Javascriptnpmpackage.json
Javascriptnpmpackage-lock.json
JavaScriptyarn v1yarn.lock否,默认为运行时
PHP编辑器composer.json
PHP编辑器composer.lock
Python诗歌poetry.lock
Python诗歌pyproject.toml
Pythonpiprequirements.txt✔ 如果文件名包含 testdev,范围则为开发,否则为运行时
Pythonpippipfile.lock
Pythonpippipfile
RubyRubyGemsGemfile
RubyRubyGemsGemfile.lock否,默认为运行时
RustCargoCargo.toml
RustCargoCargo.lock否,默认为运行时
YAMLGitHub 操作-否,默认为运行时
.NET(C#、F# 和 VB 等)NuGet.csproj / .vbproj .vcxproj / .fsproj否,默认为运行时
.NETNuGetpackages.config否,默认为运行时
.NETNuGet.nuspec✔ 当标记 != runtime 时

Alerts for packages listed as development dependencies are marked with the Development label on the Dependabot alerts page and are also available for filtering via the scope filter.

Screenshot showing the "Development" label in the list of alerts

The alert details page of alerts on development-scoped packages shows a "Tags" section containing a Development label.

Screenshot showing the "Tags" section in the alert details page

About the detection of calls to vulnerable functions

注意:

  • 通过 Dependabot 检测对易受攻击函数的调用处于 beta 测试阶段,可能会发生变化。

  • Detection of vulnerable calls is included in GitHub Enterprise Cloud for public repositories. To detect vulnerable calls in private repositories owned by organizations, your organization must have a license for GitHub Advanced Security. 有关详细信息,请参阅“关于 GitHub Advanced Security”。

When Dependabot tells you that your repository uses a vulnerable dependency, you need to determine what the vulnerable functions are and check whether you are using them. Once you have this information, then you can determine how urgently you need to upgrade to a secure version of the dependency.

For supported languages, Dependabot automatically detects whether you use a vulnerable function and adds the label "Vulnerable call" to affected alerts. You can use this information in the Dependabot alerts view to triage and prioritize remediation work more effectively.

Note: During the beta release, this feature is available only for new Python advisories created after April 14, 2022, and for a subset of historical Python advisories. GitHub is working to backfill data across additional historical Python advisories, which are added on a rolling basis. Vulnerable calls are highlighted only on the Dependabot alerts pages.

Screenshot showing an alert with the "Vulnerable call" label

You can filter the view to show only alerts where Dependabot detected at least one call to a vulnerable function using the has:vulnerable-calls filter in the search field.

For alerts where vulnerable calls are detected, the alert details page shows additional information:

  • One or more code blocks showing where the function is used.
  • An annotation listing the function itself, with a link to the line where the function is called.

Screenshot showing the alert details page for an alert with a "Vulnerable call" label

For more information, see "Reviewing and fixing alerts" below.

Viewing Dependabot alerts

  1. 在 GitHub.com 上,导航到存储库的主页。
  2. 在存储库名称下,单击“安全性”。 “安全”选项卡
  3. 在安全侧边栏中,单击“Dependabot alerts”。 如果缺少此选项,则表示你无权访问安全警报,需要被授予访问权限。 有关详细信息,请参阅“管理存储库的安全性和分析设置”。 Dependabot alerts tab
  4. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. For more information about filtering and sorting alerts, see "Prioritizing Dependabot alerts." Screenshot of the filter and sort menus in the Dependabot alerts tab
  5. Click the alert that you would like to view. Alert selected in list of alerts

Reviewing and fixing alerts

It’s important to ensure that all of your dependencies are clean of any security weaknesses. When Dependabot discovers vulnerabilities or malware in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application.

If a patched version of the dependency is available, you can generate a Dependabot pull request to update this dependency directly from a Dependabot alert. If you have Dependabot security updates enabled, the pull request may be linked will in the Dependabot alert.

In cases where a patched version is not available, or you can’t update to the secure version, Dependabot shares additional information to help you determine next steps. When you click through to view a Dependabot alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory.

For supported languages, Dependabot detects calls to vulnerable functions for you. When you view an alert labeled as "Vulnerable call", the details include the name of the function and a link to the code that calls it. Often you will be able to take decisions based on this information, without exploring further.

Fixing vulnerable dependencies

  1. View the details for an alert. For more information, see "Viewing Dependabot alerts" (above).

  2. If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request. Create Dependabot security update button

  3. Optionally, if you do not use Dependabot security updates, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version.

  4. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.

    Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see "Managing pull requests for dependency updates."

Dismissing Dependabot alerts

Tip: You can only dismiss open alerts.

If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.

  1. View the details for an alert. For more information, see "Viewing vulnerable dependencies" (above).
  2. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later.
  3. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the dismissComment field. For more information, see "Dependabot alerts" in the GraphQL API documentation. Screenshot showing how to dismiss an alert via the "Dismiss" drop-down, with the option to add a dismissal comment
  4. Click Dismiss alert.

Dismissing multiple alerts at once

  1. View the open Dependabot alerts. For more information, see "Viewing Dependabot alerts".
  2. Optionally, filter the list of alerts by selecting a dropdown menu, then clicking the filter that you would like to apply. You can also type filters into the search bar.
  3. To the left of each alert title, select the alerts that you want to dismiss. Screenshot of open alerts with checkboxes emphasized
  4. Optionally, at the top of the list of alerts, select all alerts on the page. Screenshot of all open alerts selected
  5. Select the "Dismiss alerts" dropdown, and click a reason for dismissing the alerts. Screenshot of open alerts page with "Dismiss alerts" drop-down emphasized

Viewing and updating closed alerts

You can view all open alerts, and you can reopen alerts that have been previously dismissed. Closed alerts that have already been fixed cannot be reopened.

  1. 在 GitHub.com 上,导航到存储库的主页。

  2. 在存储库名称下,单击“安全性”。 “安全”选项卡

  3. 在安全侧边栏中,单击“Dependabot alerts”。 如果缺少此选项,则表示你无权访问安全警报,需要被授予访问权限。 有关详细信息,请参阅“管理存储库的安全性和分析设置”。 Dependabot alerts tab

  4. To just view closed alerts, click Closed. Screenshot showing the "Closed" option

  5. Click the alert that you would like to view or update. Screenshot showing a highlighted dependabot alert

  6. Optionally, if the alert was dismissed and you wish to reopen it, click Reopen. Alerts that have already been fixed cannot be reopened.

    Screenshot showing the "Reopen" button

Reopening multiple alerts at once

  1. View the closed Dependabot alerts. For more information, see "Viewing and updating closed alerts" (above).
  2. To the left of each alert title, select the alerts that you want to reopen. Screenshot of closed alerts with checkboxes emphasized
  3. Optionally, at the top of the list of alerts, select all closed alerts on the page. Screenshot of closed alerts with all alerts selected
  4. Click Reopen to reopen the alerts. Alerts that have already been fixed cannot be reopened. Screenshot of closed alerts with "Reopen" button emphasized