With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies.
You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively, that is, even if you don’t specify a particular dependency, but a dependency of yours uses it, then you’re also dependent on that dependency.
GitHub AE offers a range of features to help you understand the dependencies in your environment and know about vulnerabilities in those dependencies.
The supply chain features on GitHub AE are:
- Dependency graph
- Dependency review
- Dependabot alerts
The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.
Other supply chain features on GitHub rely on the information provided by the dependency graph.
- Dependency review uses the dependency graph to identify dependency changes and help you understand the security impact of these changes when you review pull requests.
- Dependabot cross-references dependency data provided by the dependency graph with the list of advisories published in the GitHub Advisory Database, scans your dependencies and generates Dependabot alerts when a potential vulnerability is detected.
To generate the dependency graph, GitHub looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.
- The dependency graph includes information on your direct dependencies and transitive dependencies.
- The dependency graph is automatically updated when you push a commit to GitHub that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
- You can see the dependency graph by opening the repository's main page on GitHub AE, and navigating to the Insights tab.
For more information about the dependency graph, see "About the dependency graph."
Dependency review helps reviewers and contributors understand dependency changes and their security impact in every pull request.
- Dependency review tells you which dependencies were added, removed, or updated, in a pull request. You can use the release dates, popularity of dependencies, and vulnerability information to help you decide whether to accept the change.
- You can see the dependency review for a pull request by showing the rich diff on the Files Changed tab.
For more information about dependency review, see "About dependency review."
Dependabot keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies, and automatically opens pull requests to upgrade your dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published.
Dependabot alerts highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the GitHub Advisory Database, which contains advisories for known vulnerabilities.
Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts when:
New advisory data is synchronized to your enterprise each hour from GitHub.com. For more information about advisory data, see "Browsing security advisories in the GitHub Advisory Database" in the GitHub.com documentation.
The dependency graph for the repository changes.
Dependabot alerts are displayed in the repository's dependency graph. The alert includes information about a fixed version.
For more information, see "About Dependabot alerts."
- Dependency graph and Dependabot alerts—not enabled by default. Both features are configured at an enterprise level by the enterprise owner. For more information, see "Enabling Dependabot for your enterprise."
- Dependency review—available when dependency graph is enabled for your enterprise and Advanced Security is enabled for the organization or repository. For more information, see "About GitHub Advanced Security."