
This version of GitHub Enterprise Server will be discontinued on 2026-03-17. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. Contact GitHub Enterprise Support for help with upgrading.

Browsing security advisories in the GitHub Advisory Database

You can browse the GitHub Advisory Database to find CVEs and GitHub-originated advisories affecting the open source world.

Who can use this feature?

All users can search the GitHub Advisory Database.

Accessing an advisory in the GitHub Advisory Database

You can access any advisory in the GitHub Advisory Database.

  1. Navigate to https://github.com/advisories.

  2. Optionally, to filter the list of advisories, use the search field or the drop-down menus at the top of the list.

    Note

    You can use the sidebar on the left to explore GitHub-reviewed and unreviewed advisories separately, or to filter by ecosystem.

  3. Click an advisory to view details. By default, you will see GitHub-reviewed advisories for security vulnerabilities. To show malware advisories, use type:malware in the search bar.

The database is also accessible using the GraphQL API. By default, queries return GitHub-reviewed advisories for security vulnerabilities unless you specify type:malware. For more information, see Webhook events and payloads.

Additionally, you can access the GitHub Advisory Database using the REST API. For more information, see REST API endpoints for global security advisories.

Editing an advisory in the GitHub Advisory Database

You can suggest improvements to any advisory in the GitHub Advisory Database. For more information, see Editing security advisories in the GitHub Advisory Database.

Searching the GitHub Advisory Database

You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.

Dates must be formatted according to the ISO 8601 standard: YYYY-MM-DD (year-month-day). You can also add optional time information after the date in the format THH:MM:SS+00:00 to search by hour, minute, and second. That is, T, followed by HH:MM:SS (hours-minutes-seconds) and a UTC offset (+00:00).

When searching by date, you can use greater-than, less-than, and range qualifiers to filter results further. For more information, see Understanding the search syntax.

| Qualifier | Example |
| --- | --- |
| type:reviewed | type:reviewed will show GitHub-reviewed advisories for security vulnerabilities. |
| type:malware | type:malware will show malware advisories. |
| type:unreviewed | type:unreviewed will show unreviewed advisories. |
| GHSA-ID | GHSA-49wp-qq6x-g2rf will show the advisory with this GitHub Advisory Database ID. |
| CVE-ID | CVE-2020-28482 will show the advisory with this CVE ID number. |
| ecosystem:ECOSYSTEM | ecosystem:npm will show only advisories affecting npm packages. |
| severity:LEVEL | severity:high will show only advisories with a high severity level. |
| affects:LIBRARY | affects:lodash will show only advisories affecting the lodash library. |
| cwe:ID | cwe:352 will show only advisories with this CWE number. |
| credit:USERNAME | credit:octocat will show only advisories credited to the "octocat" user account. |
| sort:created-asc | sort:created-asc will sort by the oldest advisories first. |
| sort:created-desc | sort:created-desc will sort by the newest advisories first. |
| sort:updated-asc | sort:updated-asc will sort by the least recently updated first. |
| sort:updated-desc | sort:updated-desc will sort by the most recently updated first. |
| is:withdrawn | is:withdrawn will show only advisories that have been withdrawn. |
| created:YYYY-MM-DD | created:2021-01-13 will show only advisories created on this date. |
| updated:YYYY-MM-DD | updated:2021-01-13 will show only advisories updated on this date. |

A GHSA-ID is a unique identifier that GitHub automatically assigns to every advisory in the GitHub Advisory Database. For more information about these identifiers, see About the GitHub Advisory Database.
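The following is an added example, not code from the GitHub documentation or from GitHub itself: a small Python evaluator for the qualifier syntax in the table above, including the ISO 8601 date rules and the greater-than, less-than and range forms, run over constructed sample advisory records. The record shape (ghsa_id, cve_id, type, severity, cwes, vulnerabilities[].package, credits, published_at, updated_at, withdrawn_at) is loosely modelled on the REST API's global advisory objects but is an assumption of this example, as is evaluating created: against published_at; every ID, package name, CVE number and date below is made up.

```python
import re
from datetime import datetime, timedelta, timezone


def record(ghsa, cve, kind, severity, cwes, ecosystem, name, published, updated,
           withdrawn=None, credits=()):
    """One record shaped roughly like the REST API's global advisory objects (assumed shape)."""
    return {"ghsa_id": ghsa, "cve_id": cve, "type": kind, "severity": severity,
            "cwes": [{"cwe_id": f"CWE-{c}"} for c in cwes], "withdrawn_at": withdrawn,
            "vulnerabilities": [{"package": {"ecosystem": ecosystem, "name": name}}],
            "credits": [{"user": {"login": u}} for u in credits],
            "published_at": published, "updated_at": updated}


# Constructed sample advisories: the IDs, packages, CVE numbers and dates are made up.
ADVISORIES = [
    record("GHSA-aaaa-bbbb-cccc", "CVE-2021-00001", "reviewed", "high", [352], "npm",
           "example-lib", "2021-01-13T10:00:00Z", "2021-06-01T08:30:00Z", credits=["octocat"]),
    record("GHSA-dddd-eeee-ffff", "CVE-2020-00002", "reviewed", "critical", [79], "pip",
           "example-pkg", "2020-11-02T00:00:00Z", "2021-01-13T12:00:00Z",
           withdrawn="2021-03-01T00:00:00Z"),
    record("GHSA-gggg-hhhh-iiii", "CVE-2021-00003", "unreviewed", "moderate", [], "maven",
           "example-artifact", "2021-02-20T15:45:00Z", "2021-02-20T15:45:00Z"),
    record("GHSA-jjjj-kkkk-llll", None, "malware", "critical", [], "npm",
           "example-typosquat", "2021-05-05T09:00:00Z", "2021-05-05T09:00:00Z"),
]

# ISO 8601 date, optionally followed by THH:MM:SS and a UTC offset, as the text requires.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})?$")


def is_valid_date(value):
    """True for YYYY-MM-DD or YYYY-MM-DDTHH:MM:SS+HH:MM naming a real calendar date."""
    try:
        return bool(DATE_RE.match(value)) and bool(datetime.fromisoformat(value))
    except ValueError:
        return False


def to_dt(stamp):
    # Record timestamps end in Z; normalise them to aware UTC datetimes.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def date_interval(value):
    """Half-open UTC interval for a qualifier date: a whole day, or one second if a time is given."""
    if not is_valid_date(value):
        raise ValueError(f"date must be YYYY-MM-DD or YYYY-MM-DDTHH:MM:SS+00:00: {value!r}")
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        start = dt.replace(tzinfo=timezone.utc)
        return start, start + timedelta(days=1)
    start = dt.astimezone(timezone.utc)
    return start, start + timedelta(seconds=1)


def date_matches(actual, expr):
    """Evaluate X, >X, >=X, <X, <=X or A..B (either bound may be *) against a datetime."""
    if ".." in expr:
        lo, hi = expr.split("..", 1)
        return ((lo == "*" or actual >= date_interval(lo)[0])
                and (hi == "*" or actual < date_interval(hi)[1]))
    op = next((o for o in (">=", "<=", ">", "<") if expr.startswith(o)), "")
    lo, hi = date_interval(expr[len(op):])
    return {"": lo <= actual < hi, ">=": actual >= lo, ">": actual >= hi,
            "<=": actual < hi, "<": actual < lo}[op]


def parse_query(query):
    """Split a query into (qualifier, value) pairs; bare GHSA/CVE IDs become ID lookups."""
    terms = []
    for token in query.split():
        if ":" in token:
            qual, value = token.split(":", 1)
            terms.append((qual.lower(), value))
        elif token.upper().startswith(("GHSA-", "CVE-")):
            terms.append((token[:token.index("-")].lower(), token))
        else:
            raise ValueError(f"unsupported search term: {token!r}")
    return terms


def matches(adv, qual, value):
    """Apply one qualifier from the table above to one advisory record."""
    packages = [v["package"] for v in adv["vulnerabilities"]]
    checks = {
        "type": lambda: adv["type"] == value,
        "ghsa": lambda: adv["ghsa_id"].lower() == value.lower(),
        "cve": lambda: (adv["cve_id"] or "").lower() == value.lower(),
        "ecosystem": lambda: any(p["ecosystem"] == value for p in packages),
        "affects": lambda: any(p["name"] == value for p in packages),
        "severity": lambda: adv["severity"] == value,
        "cwe": lambda: any(c["cwe_id"] == f"CWE-{value}" for c in adv["cwes"]),
        "credit": lambda: any(c["user"]["login"] == value for c in adv["credits"]),
        "is": lambda: value == "withdrawn" and adv["withdrawn_at"] is not None,
        "created": lambda: date_matches(to_dt(adv["published_at"]), value),
        "updated": lambda: date_matches(to_dt(adv["updated_at"]), value),
    }
    if qual not in checks:
        raise ValueError(f"unsupported qualifier: {qual}:{value}")
    return checks[qual]()


def search(advisories, query):
    """Filter and sort; like the site, defaults to type:reviewed when no type qualifier is given."""
    terms = parse_query(query)
    filters = [t for t in terms if t[0] != "sort"]
    if not any(q == "type" for q, _ in filters):
        filters.append(("type", "reviewed"))
    hits = [a for a in advisories if all(matches(a, q, v) for q, v in filters)]
    for _, order in (t for t in terms if t[0] == "sort"):
        field, _, direction = order.rpartition("-")
        key = {"created": "published_at", "updated": "updated_at"}[field]
        hits.sort(key=lambda a: to_dt(a[key]), reverse=(direction == "desc"))
    return [a["ghsa_id"] for a in hits]
```

Two details worth noting when reading the results: a bare date such as created:2021-01-13 matches the whole UTC day, so created:>2021-01-13 only matches advisories published from 2021-01-14 onward, and because the default type:reviewed filter is applied exactly as the page describes, the malware record only appears once type:malware is part of the query.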

Viewing your vulnerable repositories

For any GitHub-reviewed advisory in the GitHub Advisory Database, you can see which of your repositories are affected by that security vulnerability or malware. To see a vulnerable repository, you must have access to Dependabot alerts for that repository. For more information, see About Dependabot alerts.

  1. Navigate to https://github.com/advisories.
  2. Click an advisory.
  3. At the top of the advisory page, click Dependabot alerts.
    Screenshot of a "global security advisory". The "Dependabot alerts" button is highlighted with an orange outline.
  4. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the Dependabot alerts per owner (organization or user).
  5. For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.

Accessing the local advisory database on GitHub Enterprise Server

If your site administrator has enabled GitHub Connect for your instance, you can also browse reviewed advisories locally. For more information, see About GitHub Connect.

You can use your local advisory database to check whether a specific security vulnerability is included, and therefore whether you'd get alerts for vulnerable dependencies. You can also view any vulnerable repositories.

  1. Navigate to https://HOSTNAME/advisories.

  2. Optionally, to filter the list, use any of the drop-down menus.

    Note

    Only reviewed advisories will be listed. Unreviewed advisories can be viewed in the GitHub Advisory Database on GitHub.com. For more information, see Accessing an advisory in the GitHub Advisory Database.

  3. Click an advisory to view details. By default, you will see GitHub-reviewed advisories for security vulnerabilities. To show malware advisories, use type:malware in the search bar.

You can also suggest improvements to any advisory directly from your local advisory database. For more information, see Editing security advisories in the GitHub Advisory Database.

Viewing vulnerable repositories for your instance

Enterprise owners must enable Dependabot alerts for your GitHub Enterprise Server instance before you can use this feature. For more information, see Enabling Dependabot for your enterprise.

In the local advisory database, you can see which repositories are affected by each security vulnerability or malware. To see a vulnerable repository, you must have access to Dependabot alerts for that repository. For more information, see About Dependabot alerts.

  1. Navigate to https://HOSTNAME/advisories.
  2. Click an advisory.
  3. At the top of the advisory page, click Dependabot alerts.
    Screenshot of a "global security advisory". The "Dependabot alerts" button is highlighted with an orange outline.
  4. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the Dependabot alerts per owner (organization or user).
  5. For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.