Skip to main content

This version of GitHub Enterprise Server will be discontinued on 2024-03-07. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Configuring Dependabot alerts

Enable Dependabot alerts to be generated when a new vulnerable dependency is found in one of your repositories.

About Dependabot alerts for vulnerable dependencies

A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack.

Dependabot scans code when a new advisory is added to the GitHub Advisory Database or the dependency graph for a repository changes. When vulnerable dependencies are detected, Dependabot alerts are generated. For more information, see "About Dependabot alerts."

If you have enabled Dependabot security updates for your repository, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "About Dependabot security updates."

You can enable or disable Dependabot alerts for:

  • Your personal account
  • Your repository
  • Your organization

Managing Dependabot alerts for your personal account

Dependabot alerts for your repositories can be enabled or disabled by your enterprise owner. For more information, see "Enabling Dependabot for your enterprise."

Managing Dependabot alerts for your repository

By default, we notify people with admin permissions in the affected repositories about new Dependabot alerts. GitHub Enterprise Server never publicly discloses insecure dependencies for any repository. You can also make Dependabot alerts visible to additional people or teams working on repositories that you own or have admin permissions for.

Dependabot alerts for your repository can be enabled or disabled by your enterprise owner. For more information, see "Enabling Dependabot for your enterprise."

Managing Dependabot alerts for your organization

Dependabot alerts for your organization can be enabled or disabled by your enterprise owner. For more information, see "Enabling Dependabot for your enterprise."