Skip to main content

此版本的 GitHub Enterprise 已停止服务 2022-10-12. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

Configuring notifications for Dependabot alerts

Optimize how you receive notifications about Dependabot alerts.

About notifications for Dependabot alerts

When Dependabot detects vulnerable dependencies in your repositories, we generate a Dependabot alert and display it on the Security tab for the repository. GitHub Enterprise Server notifies the maintainers of affected repositories about the new alert according to their notification preferences.

By default, if your enterprise owner has configured email for notifications on your enterprise, you will receive Dependabot alerts by email.

Enterprise owners can also enable Dependabot alerts without notifications. For more information, see "Enabling Dependabot for your enterprise."

Configuring notifications for Dependabot alerts

When a new Dependabot alert is detected, GitHub Enterprise Server notifies all users with access to Dependabot alerts for the repository according to their notification preferences. You will receive alerts if you are watching the repository, have enabled notifications for security alerts or for all the activity on the repository, and are not ignoring the repository. For more information, see "Configuring notifications."

You can configure notification settings for yourself or your organization from the Manage notifications drop-down shown at the top of each page. For more information, see "Configuring notifications."

可以选择通知的� 递方法,以及通知发送给� 的频率。 By default, if your enterprise owner has configured email for notifications on your instance, you will receive Dependabot alerts:

  • by email, an email is sent when Dependabot is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (Email each time a vulnerability is found option).
  • in the user interface, a warning is shown in your repository's file and code views if there are any insecure dependencies (UI alerts option).
  • on the command line, warnings are displayed as callbacks when you push to repositories with any insecure dependencies (Command Line option).
  • in your inbox, as web notifications. A web notification is sent when Dependabot is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (Web option).
  • on GitHub Mobile, as web notifications. For more information, see "Enabling push notifications with GitHub Mobile."

Note: The email and web/GitHub Mobile notifications are:

  • per repository when Dependabot is enabled on the repository, or when a new manifest file is committed to the repository.

  • per organization when a new vulnerability is discovered.

You can customize the way you are notified about Dependabot alerts. For example, you can receive a weekly digest email summarizing alerts for up to 10 of your repositories using the Email a digest summary of vulnerabilities and Weekly security email digest options.

Screenshot of the Dependabot alerts options

Note: You can filter your notifications on GitHub to show Dependabot alerts. For more information, see "Managing notifications from your inbox."

影响一个或多个存储库的 Dependabot alerts 的电子邮件通知包括 X-GitHub-Severity � �头字段。 可以使用 X-GitHub-Severity � �头字段的值来筛选 Dependabot alerts 的电子邮件通知。 For more information, see "Configuring notifications."

How to reduce the noise from notifications for Dependabot alerts

If you are concerned about receiving too many notifications for Dependabot alerts, we recommend you opt into the weekly email digest, or turn off notifications while keeping Dependabot alerts enabled. You can still navigate to see your Dependabot alerts in your repository's Security tab. For more information, see "Viewing and updating Dependabot alerts."

Further reading