Enabling the dependency graph and Dependabot alerts for your enterprise

You can allow users on your GitHub Enterprise Server instance to find and fix vulnerabilities in code dependencies by enabling the dependency graph and Dependabot alerts.

Enterprise owners who are also owners of the connected GitHub Enterprise Cloud organization or enterprise account can enable the dependency graph and Dependabot alerts on your GitHub Enterprise Server instance.

About alerts for vulnerable dependencies on your GitHub Enterprise Server instance

GitHub identifies vulnerable dependencies in repositories and creates Dependabot alerts on your GitHub Enterprise Server instance, using:

  • Data from the GitHub Advisory Database
  • The dependency graph service

For more information about these features, see "About the dependency graph" and "About alerts for vulnerable dependencies."

About synchronization of data from the GitHub Advisory Database

We add vulnerabilities to the GitHub Advisory Database from the following sources:

You can connect your GitHub Enterprise Server instance to GitHub Enterprise Cloud with GitHub Connect. Once connected, vulnerability data is synced from the GitHub Advisory Database to your instance once every hour. You can also choose to sync vulnerability data manually at any time. No code or information about code is uploaded from your GitHub Enterprise Server instance to GitHub.com.

Only GitHub-reviewed advisories are synchronized. For more information about advisory data, see "Browsing security vulnerabilities in the GitHub Advisory Database" in the GitHub.com documentation.

About scanning of repositories with synchronized data from the GitHub Advisory Database

For repositories with Dependabot alerts enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added to the instance, GitHub Enterprise Server scans all existing repositories in that instance and generates alerts for any repository that is vulnerable. For more information, see "Detection of vulnerable dependencies."

About generation of Dependabot alerts

If you enable vulnerability detection, when your GitHub Enterprise Server instance receives information about a vulnerability, it identifies repositories in your instance that use the affected version of the dependency and generates Dependabot alerts. You can choose whether or not to notify users automatically about new Dependabot alerts.

Enabling the dependency graph and Dependabot alerts for vulnerable dependencies on your GitHub Enterprise Server instance

Prerequisites

For your GitHub Enterprise Server instance to detect vulnerable dependencies and generate Dependabot alerts:

  • You must enable GitHub Connect. For more information, see "Managing GitHub Connect."
  • You must enable the dependency graph service.
  • You must enable vulnerability scanning.

Enabling the dependency graph

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.

  2. In the administrative shell, enable the dependency graph on your GitHub Enterprise Server instance:

    ghe-config app.github.dependency-graph-enabled true
    ghe-config app.github.vulnerability-alerting-and-settings-enabled true

    Note: For more information about enabling access to the administrative shell via SSH, see "Accessing the administrative shell (SSH)."

  3. Apply the configuration.

    $ ghe-config-apply

  4. Return to GitHub Enterprise Server.
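A pre-flight check for the two settings above, written here as an added example (not GitHub's own tooling): it reads "key value" lines, such as those you would collect from the administrative shell, and reports which of the two keys is not set to `true` before you run `ghe-config-apply`. The sample input below is constructed; the helper name and file format are assumptions.

```shell
#!/bin/sh
# Added example: verify both dependency-graph settings are enabled.
# Input file format (assumed): one "key value" pair per line.

# Prints every key that is not "true"; returns 0 only when both are enabled.
check_dependency_graph_config() {
    config_file="$1"
    missing=0
    for key in app.github.dependency-graph-enabled \
               app.github.vulnerability-alerting-and-settings-enabled; do
        # Exact match on the key column, so a prefix never matches by accident.
        value=$(awk -v k="$key" '$1 == k { print $2 }' "$config_file")
        if [ "$value" != "true" ]; then
            echo "$key is not enabled (current value: ${value:-unset})"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: the second setting was left at false.
sample=$(mktemp)
printf '%s\n' \
    'app.github.dependency-graph-enabled true' \
    'app.github.vulnerability-alerting-and-settings-enabled false' > "$sample"

if check_dependency_graph_config "$sample"; then
    echo "both settings enabled; safe to run ghe-config-apply"
else
    echo "fix the settings above before running ghe-config-apply"
fi
rm -f "$sample"
```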

Enabling Dependabot alerts

Before enabling Dependabot alerts for your instance, you need to enable the dependency graph. For more information, see above.

  1. In the upper-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click GitHub Connect.

  3. Under "Repositories can be scanned for vulnerabilities", select the drop-down menu and click Enabled without notifications. Optionally, to enable alerts with notifications, click Enabled with notifications.

    Tip: We recommend configuring Dependabot alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive Dependabot alerts as usual.

Viewing vulnerable dependencies on your GitHub Enterprise Server instance

You can view all vulnerabilities in your GitHub Enterprise Server instance and manually sync vulnerability data from GitHub.com to update the list.

  1. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click the rocket ship icon to access the site admin settings.

  2. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

  3. In the left sidebar, click Vulnerabilities.

  4. To sync vulnerability data, click Sync vulnerabilities now.
