Browsing security vulnerabilities in the GitHub Advisory Database

The GitHub Advisory Database allows you to browse or search for vulnerabilities that affect open source projects on GitHub.


About security vulnerabilities

A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack.

GitHub will send you GitHub Dependabot alerts if we detect that any of the vulnerabilities from the GitHub Advisory Database affect the packages that your repository depends on. For more information, see "About alerts for vulnerable dependencies."

About the GitHub Advisory Database

The GitHub Advisory Database contains a curated list of security vulnerabilities that have been mapped to packages tracked by the GitHub dependency graph. We add vulnerabilities to the GitHub Advisory Database from the following sources:

Each security advisory contains information about the vulnerability, including the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories that originate from the National Vulnerability Database contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.

The severity level is one of four possible levels defined in the Common Vulnerability Scoring System (CVSS), Section 2.1.2:

  • Low
  • Moderate
  • High
  • Critical

The GitHub Advisory Database uses CVSS version 3.0 standards and the CVSS levels described above. GitHub doesn't publish CVSS scores.

You can also join GitHub Security Lab to browse security-related topics and contribute to security tools and projects.

Accessing an advisory in the GitHub Advisory Database

  1. Navigate to https://github.com/advisories.
  2. Optionally, to filter the list, use any of the drop-down menus.
  3. Click on any advisory to view details.

The database is also accessible using the GraphQL API. For more information, see the "security_advisory webhook event."

Searching the GitHub Advisory Database

You can search the database, and use qualifiers to narrow your search to advisories created on a certain date, in a specific ecosystem, or in a particular library.

Date formatting must follow the ISO 8601 standard, which is YYYY-MM-DD (year-month-day). You can also add optional time information, THH:MM:SS+00:00, after the date to search by the hour, minute, and second. That's T, followed by HH:MM:SS (hours-minutes-seconds), and a UTC offset (+00:00).

Dates support greater than, less than, and range qualifiers.

Qualifier                 Example
ecosystem:ECOSYSTEM       ecosystem:npm will show only advisories affecting npm packages.
severity:LEVEL            severity:high will show only advisories with a high severity level.
affects:LIBRARY           affects:lodash will show only advisories affecting the lodash library.
sort:created-asc          sort:created-asc will sort by the oldest advisories first.
sort:created-desc         sort:created-desc will sort by the newest advisories first.
sort:updated-asc          sort:updated-asc will sort by the least recently updated first.
sort:updated-desc         sort:updated-desc will sort by the most recently updated first.
is:withdrawn              is:withdrawn will show only advisories that have been withdrawn.
created:YYYY-MM-DD        created:2019-10-31 will show only advisories created on this date.
updated:YYYY-MM-DD        updated:2019-10-31 will show only advisories updated on this date.
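The following Python script is an added example, not GitHub's own code. It builds, validates and parses search queries using the qualifiers, severity levels, sort keys and ISO 8601 date format documented above, so that a script driving the advisory search (for example from a dependency-audit job) rejects malformed dates or unknown qualifier values before sending anything. Two things are assumptions rather than taken from this page: the spelling of comparison and range date expressions (>, >=, <, <= and START..END, following GitHub's general search syntax), and the ?query= URL parameter used by build_url().

```python
"""Build, validate and parse GitHub Advisory Database search queries.

Added example (not GitHub's code). Qualifiers, severity levels, sort keys and
the ISO 8601 date format come from the documentation; the comparison/range
spelling and the ?query= URL parameter are assumptions.
"""
import re
from datetime import datetime, timezone
from urllib.parse import quote

SEVERITIES = {"low", "moderate", "high", "critical"}
SORTS = {"created-asc", "created-desc", "updated-asc", "updated-desc"}
DATE_KEYS = {"created", "updated"}

# YYYY-MM-DD, optionally followed by THH:MM:SS and a UTC offset such as +00:00
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})?$")


def _parse_date(value: str) -> datetime:
    """Parse a documented-format date; dates without an offset are treated as UTC."""
    if not _DATE_RE.match(value):
        raise ValueError(f"not an ISO 8601 date: {value!r}")
    dt = datetime.fromisoformat(value)  # also rejects month 13, day 32, etc.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_valid_date(value: str) -> bool:
    try:
        _parse_date(value)
    except ValueError:
        return False
    return True


def is_valid_date_expr(expr: str) -> bool:
    """Accept a plain date, a comparison (>, >=, <, <=) or a START..END range (assumed syntax)."""
    try:
        for op in (">=", "<=", ">", "<"):  # two-character operators first
            if expr.startswith(op):
                _parse_date(expr[len(op):])
                return True
        if ".." in expr:
            start, end = expr.split("..", 1)
            return _parse_date(start) <= _parse_date(end)  # reject reversed ranges
        _parse_date(expr)
        return True
    except ValueError:
        return False


def build_query(*, ecosystem=None, severity=None, affects=None, sort=None,
                withdrawn=False, created=None, updated=None, text=None) -> str:
    """Compose a query string, rejecting values the documented qualifiers do not accept."""
    parts = []
    if ecosystem:
        parts.append(f"ecosystem:{ecosystem}")
    if severity:
        if severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
        parts.append(f"severity:{severity}")
    if affects:
        parts.append(f"affects:{affects}")
    if sort:
        if sort not in SORTS:
            raise ValueError(f"sort must be one of {sorted(SORTS)}")
        parts.append(f"sort:{sort}")
    if withdrawn:
        parts.append("is:withdrawn")
    for key, value in (("created", created), ("updated", updated)):
        if value:
            if not is_valid_date_expr(value):
                raise ValueError(f"{key}: bad date expression {value!r}")
            parts.append(f"{key}:{value}")
    if text:
        parts.append(text)
    return " ".join(parts)


def build_url(query: str) -> str:
    """Advisory search URL for the query (the ?query= parameter name is an assumption)."""
    return "https://github.com/advisories?query=" + quote(query, safe="")


def parse_query(query: str) -> dict:
    """Split a query into qualifiers and free text, validating each qualifier value."""
    result = {"withdrawn": False, "text": ""}
    free = []
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep:
            free.append(token)
        elif key == "is" and value == "withdrawn":
            result["withdrawn"] = True
        elif key == "severity" and value in SEVERITIES:
            result[key] = value
        elif key == "sort" and value in SORTS:
            result[key] = value
        elif key in DATE_KEYS and is_valid_date_expr(value):
            result[key] = value
        elif key in ("ecosystem", "affects") and value:
            result[key] = value
        else:
            raise ValueError(f"unknown or malformed qualifier: {token!r}")
    result["text"] = " ".join(free)
    return result


if __name__ == "__main__":
    q = build_query(ecosystem="npm", severity="high", affects="lodash",
                    sort="created-desc", created=">=2019-01-01")
    print(q)
    print(build_url(q))
    print(parse_query(q))
```

Validating the date before it reaches the search is the practical point: a date like 2019-13-01 matches the YYYY-MM-DD shape but is not a real date, and a reversed range would silently return nothing, so both are rejected here rather than discovered as an empty result list.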
