About Dependabot for GitHub Enterprise Server
Dependabot helps users of your GitHub Enterprise Server instance find and fix vulnerabilities in their dependencies.
With Dependabot alerts, GitHub identifies vulnerable dependencies in repositories and creates alerts on your GitHub Enterprise Server instance, using data from the GitHub Advisory Database and the dependency graph service.
Vulnerabilities are added to the GitHub Advisory Database from the following sources:
- The National Vulnerability Database
- A combination of machine learning and human review to detect vulnerabilities in public commits on GitHub
- Security advisories reported on GitHub
- The npm Security Advisories database
After you enable Dependabot alerts for your enterprise, vulnerability data is synced from the GitHub Advisory Database to your instance once every hour. Only GitHub-reviewed advisories are synchronized. For more information about advisory data, see "Browsing security vulnerabilities in the GitHub Advisory Database" in the GitHub.com documentation.
You can also choose to manually sync vulnerability data at any time. For more information, see "Viewing the vulnerability data for your enterprise."
Note: When you enable Dependabot alerts, no code or information about code from your GitHub Enterprise Server instance is uploaded to GitHub.com.
When your GitHub Enterprise Server instance receives information about a vulnerability, it identifies repositories on the instance that use the affected version of the dependency and generates Dependabot alerts. You can choose whether or not to notify users automatically about new Dependabot alerts.
For repositories with Dependabot alerts enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added to your GitHub Enterprise Server instance, GitHub Enterprise Server scans all existing repositories on the instance and generates alerts for any repository that is vulnerable. For more information, see "About alerts for vulnerable dependencies."
Enabling Dependabot alerts
Before you can enable Dependabot alerts:
- You must enable GitHub Connect. For more information, see "Managing GitHub Connect."
- You must enable the dependency graph. For more information, see "Enabling the dependency graph for your enterprise."
- In the upper-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.
- In the enterprise account sidebar, click Settings.
- In the left sidebar, click GitHub Connect.
- Under "Repositories can be scanned for vulnerabilities", select the drop-down menu and click Enabled without notifications. Optionally, to enable alerts with notifications, click Enabled with notifications.
Tip: We recommend configuring Dependabot alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive Dependabot alerts as usual.
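After completing the steps above, an administrator usually wants to confirm which repositories actually report Dependabot alerts as enabled rather than trusting the enterprise-level switch alone. The script below is an added example written for this page; it is not GitHub's code and is not part of the documentation. It uses the REST endpoint GET /repos/{owner}/{repo}/vulnerability-alerts (204 means enabled, 404 means disabled or not visible to the token) and follows Link-header pagination when listing an organization's repositories. The hostname, the environment variable names GHES_HOST and GHES_TOKEN, and the organization name are assumptions; the API base path /api/v3 is the standard GitHub Enterprise Server REST prefix.

```python
"""Audit which repositories in an organization on a GitHub Enterprise Server
instance have Dependabot alerts enabled.

Added example, not from the GitHub docs.  Assumptions (hypothetical):
the GHES hostname is in GHES_HOST and a token with admin access to the
repositories is in GHES_TOKEN.  Endpoints used are the documented
GET /orgs/{org}/repos and GET /repos/{owner}/{repo}/vulnerability-alerts.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, Iterator, Optional

# Matches the rel="next" entry of a GitHub Link header.
NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def parse_next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the URL tagged rel="next" from a Link header, or None on the
    last page (or when no header was sent)."""
    if not link_header:
        return None
    match = NEXT_LINK.search(link_header)
    return match.group(1) if match else None


def alerts_state_from_status(status: int) -> str:
    """Translate the status of GET .../vulnerability-alerts into a state.
    204 -> enabled; 404 -> disabled (or the token cannot see the repo);
    anything else is reported as-is rather than guessed."""
    if status == 204:
        return "enabled"
    if status == 404:
        return "disabled"
    return f"unknown (HTTP {status})"


def summarize(states: Dict[str, str]) -> Dict[str, int]:
    """Count repositories per state, e.g. {'enabled': 2, 'disabled': 1}."""
    counts: Dict[str, int] = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


def _request(url: str, token: str) -> urllib.request.Request:
    return urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
    })


def list_org_repos(api_base: str, token: str, org: str) -> Iterator[str]:
    """Yield full_name for every repository in the org, following pagination."""
    url: Optional[str] = f"{api_base}/orgs/{org}/repos?per_page=100"
    while url:
        with urllib.request.urlopen(_request(url, token)) as resp:
            for repo in json.load(resp):
                yield repo["full_name"]
            url = parse_next_link(resp.headers.get("Link"))


def repo_alert_state(api_base: str, token: str, full_name: str) -> str:
    """Query the per-repository alerts switch; 404 arrives as an HTTPError."""
    url = f"{api_base}/repos/{full_name}/vulnerability-alerts"
    try:
        with urllib.request.urlopen(_request(url, token)) as resp:
            return alerts_state_from_status(resp.status)
    except urllib.error.HTTPError as err:
        return alerts_state_from_status(err.code)


def audit_org(api_base: str, token: str, org: str) -> Dict[str, str]:
    return {name: repo_alert_state(api_base, token, name)
            for name in list_org_repos(api_base, token, org)}


if __name__ == "__main__":
    host = os.environ["GHES_HOST"]        # e.g. ghe.example.com (hypothetical)
    token = os.environ["GHES_TOKEN"]      # token with admin rights on the repos
    api_base = f"https://{host}/api/v3"   # GHES REST API base path
    states = audit_org(api_base, token, sys.argv[1])
    for name, state in sorted(states.items()):
        print(f"{state:>8}  {name}")
    print(summarize(states))
```

Run it as `GHES_HOST=ghe.example.com GHES_TOKEN=... python audit.py my-org`. A repository listed as "disabled" may also simply be invisible to the token, so check the token's scope before assuming alerts are off; anything other than 204 or 404 (for example 403 on a rate limit) is reported verbatim so it is not misread as a disabled switch.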