Configuring notifications for vulnerable dependencies

Optimize how you receive notifications about Dependabot alerts.

About notifications for vulnerable dependencies

When Dependabot detects vulnerable dependencies in your repositories, we generate a Dependabot alert and display it on the Security tab for the repository. GitHub Enterprise Server notifies the maintainers of affected repositories about the new alert according to their notification preferences.

By default, if your enterprise owner has configured email for notifications on your enterprise, you will receive Dependabot alerts by email.

Enterprise owners can also enable Dependabot alerts without notifications. For more information, see "Enabling the dependency graph and Dependabot alerts on your enterprise account."

Configuring notifications for Dependabot alerts

When a new Dependabot alert is detected, GitHub Enterprise Server notifies all users with access to Dependabot alerts for the repository according to their notification preferences. You will receive alerts if you are watching the repository, have enabled notifications for security alerts or for all the activity on the repository, and are not ignoring the repository. For more information, see "Configuring notifications."

You can configure notification settings for yourself or your organization from the Manage notifications drop-down shown at the top of each page. For more information, see "Configuring notifications."

You can choose the delivery method for notifications, as well as the frequency at which the notifications are sent to you.

By default, if your enterprise owner has configured email for notifications on your instance, you will receive Dependabot alerts:

  • by email, an email is sent when Dependabot is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (Email each time a vulnerability is found option).
  • in the user interface, a warning is shown in your repository's file and code views if there are any vulnerable dependencies (UI alerts option).
  • on the command line, warnings are displayed as callbacks when you push to repositories with any vulnerable dependencies (Command Line option).
  • in your inbox, as web notifications. A web notification is sent when Dependabot is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (Web option).
  • on GitHub for mobile, as web notifications. For more information, see "Enabling push notifications with GitHub for mobile."

Note: The email and web/GitHub for mobile notifications are:

  • per repository when Dependabot is enabled on the repository, or when a new manifest file is committed to the repository.

  • per organization when a new vulnerability is discovered.

You can customize the way you are notified about Dependabot alerts. For example, you can receive a weekly digest email summarizing alerts for up to 10 of your repositories using the Email a digest summary of vulnerabilities and Weekly security email digest options.

Dependabot alerts options

Note: You can filter your notifications on GitHub to show Dependabot alerts. For more information, see "Managing notifications from your inbox."

Email notifications for Dependabot alerts that affect one or more repositories include the X-GitHub-Severity header field. You can use the value of the X-GitHub-Severity header field to filter email notifications for Dependabot alerts. For more information, see "Configuring notifications."
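As an added illustration of header-based filtering (example code written for this page, not GitHub's own tooling), the script below parses notification e-mails, reads X-GitHub-Severity, and routes critical and high alerts to the inbox while lower severities wait for the digest. The sample messages are constructed, and the severity ranking below "high" and "critical" is an assumption, since the page names only those two levels.

```python
"""Route Dependabot alert e-mails by their X-GitHub-Severity header."""
from email import message_from_string
from typing import Dict, List, Optional

# Assumed ranking, lowest to highest; only "high" and "critical" are named on the page.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed sample notifications (not real GitHub mail; header value is mixed-case on purpose).
HIGH_ALERT = (
    "From: notifications@github.invalid\n"
    "To: maintainer@example.invalid\n"
    "Subject: [example-org/example-repo] Dependabot alert (constructed)\n"
    "X-GitHub-Severity: High\n"
    "\n"
    "A new vulnerability with high severity was found in a dependency.\n"
)
LOW_ALERT = HIGH_ALERT.replace("X-GitHub-Severity: High", "X-GitHub-Severity: low")
ENABLED_NOTICE = (
    "From: notifications@github.invalid\n"
    "Subject: [example-org/example-repo] Dependabot alerts enabled (constructed)\n"
    "\n"
    "Dependabot was enabled for this repository.\n"
)


def severity_of(raw_message: str) -> Optional[str]:
    """Return the normalized X-GitHub-Severity value, or None if the header is absent."""
    value = message_from_string(raw_message).get("X-GitHub-Severity")
    return value.strip().lower() if value else None


def route(raw_message: str, minimum: str = "high") -> str:
    """'inbox' for alerts at or above `minimum`, 'digest' for lower ones,
    'other' for mail that carries no severity header (e.g. an enablement notice).
    An unrecognized severity value is routed to the inbox rather than silently dropped."""
    severity = severity_of(raw_message)
    if severity is None:
        return "other"
    rank = SEVERITY_RANK.get(severity)
    if rank is None or rank >= SEVERITY_RANK[minimum]:
        return "inbox"
    return "digest"


def digest_counts(raw_messages: List[str]) -> Dict[str, int]:
    """Count alerts per severity, the way a weekly digest would summarize them."""
    counts: Dict[str, int] = {}
    for raw in raw_messages:
        severity = severity_of(raw)
        if severity is not None:
            counts[severity] = counts.get(severity, 0) + 1
    return counts
```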

How to reduce the noise from notifications for vulnerable dependencies

If you are concerned about receiving too many notifications for Dependabot alerts, we recommend you opt into the weekly email digest, or turn off notifications while keeping Dependabot alerts enabled. You can still navigate to see your Dependabot alerts in your repository's Security tab. For more information, see "Viewing and updating vulnerable dependencies in your repository."

Further reading
