Enabling the dependency graph and Dependabot alerts on your enterprise account

You can connect your GitHub Enterprise Server instance to GitHub Enterprise Cloud and enable the dependency graph and Dependabot alerts in repositories in your instance.

Enterprise owners who are also owners of the connected GitHub Enterprise Cloud organization or enterprise account can enable the dependency graph and Dependabot alerts on your GitHub Enterprise Server instance.

About alerts for vulnerable dependencies on your GitHub Enterprise Server instance

GitHub identifies vulnerable dependencies in repositories and creates Dependabot alerts on your GitHub Enterprise Server instance, using:

  • Data from the GitHub Advisory Database
  • The dependency graph service

For more information about these features, see "About the dependency graph" and "About alerts for vulnerable dependencies."

About synchronization of data from the GitHub Advisory Database

We add vulnerabilities to the GitHub Advisory Database from the following sources:

You can connect your GitHub Enterprise Server instance to GitHub.com with GitHub Connect. Once connected, vulnerability data is synced from the GitHub Advisory Database to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from your GitHub Enterprise Server instance is uploaded to GitHub.com.

About generation of Dependabot alerts

If you enable vulnerability detection, when your GitHub Enterprise Server instance receives information about a vulnerability, it identifies repositories in your instance that use the affected version of the dependency and generates Dependabot alerts. You can choose whether or not to notify users automatically about new Dependabot alerts.

Enabling the dependency graph and Dependabot alerts for vulnerable dependencies on your GitHub Enterprise Server instance

Prerequisites

For your GitHub Enterprise Server instance to detect vulnerable dependencies and generate Dependabot alerts:

You can enable the dependency graph via the Management Console or the administrative shell. We recommend you follow the Management Console route unless your GitHub Enterprise Server instance uses clustering.

Enabling the dependency graph via the Management Console

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.
  2. From an administrative account on GitHub Enterprise Server, click the rocket ship icon in the upper-right corner of any page.
  3. In the left sidebar, click Management Console.
  4. In the left sidebar, click Security.
  5. Under "Security," click Dependency graph.
  6. Under the left sidebar, click Save settings.
  7. Wait for the configuration run to complete.
  8. Click Visit your instance.

Enabling the dependency graph via the administrative shell

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.

  2. In the administrative shell, enable the dependency graph on your GitHub Enterprise Server instance:

    $ ghe-config app.dependency-graph.enabled true

    Note: For more information about enabling access to the administrative shell via SSH, see "Accessing the administrative shell (SSH)."

  3. Apply the configuration.

    $ ghe-config-apply

  4. Return to GitHub Enterprise Server.

Enabling Dependabot alerts

Before enabling Dependabot alerts for your instance, you need to enable the dependency graph. For more information, see above.

  1. In the upper-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click GitHub Connect.

  3. Under "Repositories can be scanned for vulnerabilities", select the drop-down menu and click Enabled without notifications. Optionally, to enable alerts with notifications, click Enabled with notifications.

    Tip: We recommend configuring Dependabot alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive Dependabot alerts as usual.

Viewing vulnerable dependencies on your GitHub Enterprise Server instance

You can view all vulnerabilities in your GitHub Enterprise Server instance and manually sync vulnerability data from GitHub.com to update the list.

  1. From an administrative account on GitHub Enterprise Server, click the rocket ship icon in the upper-right corner of any page.
  2. In the left sidebar, click Vulnerabilities.
  3. To sync vulnerability data, click Sync Vulnerabilities now.
