About supply chain security at GitHub
With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies.
You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively: even if you don't specify a particular dependency yourself, if one of your dependencies uses it, then you depend on it too.
GitHub Enterprise Server offers a range of features that help you understand the dependencies in your environment and know about vulnerabilities in those dependencies.
The supply chain features on GitHub Enterprise Server are:
- Dependency graph
- Dependabot alerts
The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.
Dependabot cross-references the dependency data provided by the dependency graph with the list of known advisories published in the GitHub Advisory Database, scans your dependencies, and generates Dependabot alerts when a potential vulnerability is detected.
For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see "Securing your end-to-end supply chain."
Feature overview
What is the dependency graph
To generate the dependency graph, GitHub looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.
- The dependency graph includes information on your direct dependencies and transitive dependencies.
- The dependency graph is automatically updated when you push a commit to GitHub that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
- You can see the dependency graph by opening the repository's main page on GitHub Enterprise Server, and navigating to the Insights tab.
For more information about the dependency graph, see "About the dependency graph."
What is Dependabot
Dependabot keeps your dependencies up to date by informing you of any security vulnerabilities in them so that you can update them.
What are Dependabot alerts
Dependabot alerts highlight repositories affected by a newly discovered vulnerability, based on the dependency graph and the GitHub Advisory Database, which contains advisories for known vulnerabilities.
Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts when:
- New advisory data is synchronized to your GitHub Enterprise Server instance, which happens every hour from GitHub.com. For more information about advisory data, see "Browsing security advisories in the GitHub Advisory Database" in the GitHub.com documentation.
- The dependency graph for the repository changes.
Dependabot alerts are displayed on the Security tab for the repository and in the repository's dependency graph. Each alert includes a link to the affected file in the project and information about a fixed version.
For more information, see "About Dependabot alerts."
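The two mechanisms described above (parsing a lockfile into a graph of direct and transitive dependencies, and cross-referencing that graph against advisory data to raise alerts) modelled in one added Python example. This is not GitHub's code and it makes no API calls: the package-lock.json, the package names and the advisory entries are constructed inline, the advisory IDs are placeholders rather than real GHSA identifiers, and version-range handling covers only the comma-separated `>= a, < b` clause style, not full semver.

```python
"""Minimal model of dependency-graph construction plus advisory matching.
Added example, not GitHub's implementation. All inputs below are constructed."""
import json
import re
from dataclasses import dataclass, field

# Constructed npm lockfile (lockfileVersion 3 layout: "packages" keyed by
# node_modules path, "" being the root project). Package names are made up.
SAMPLE_LOCKFILE = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^2.1.0", "yaml-parser": "^1.0.0"}},
    "node_modules/web-framework": {"version": "2.1.3",
                                   "dependencies": {"tiny-logger": "^0.4.0"}},
    "node_modules/tiny-logger": {"version": "0.4.2"},
    "node_modules/yaml-parser": {"version": "1.0.5"}
  }
}
"""

# Constructed, hypothetical advisories. IDs are placeholders, not GHSA IDs.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "ecosystem": "npm", "package": "tiny-logger",
     "vulnerable_range": ">= 0.4.0, < 0.4.3", "patched": "0.4.3", "severity": "high"},
    {"id": "EXAMPLE-ADVISORY-2", "ecosystem": "npm", "package": "yaml-parser",
     "vulnerable_range": "< 1.0.0", "patched": "1.0.0", "severity": "critical"},
    {"id": "EXAMPLE-ADVISORY-3", "ecosystem": "npm", "package": "web-framework",
     "vulnerable_range": "< 2.1.0", "patched": "2.1.0", "severity": "moderate"},
]


@dataclass
class Dependency:
    name: str
    version: str
    direct: bool                       # declared by the root project itself
    required_by: list = field(default_factory=list)  # parents that pull it in


def parse_version(v: str) -> tuple:
    """Reduce 'v1.2.3-beta' style strings to a comparable (1, 2, 3) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.groups())


_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def version_in_range(version: str, range_expr: str) -> bool:
    """True if version satisfies every clause of e.g. '>= 0.4.0, < 0.4.3'."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = re.match(r"\s*(>=|<=|>|<|=)\s*([\w.\-+]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def build_dependency_graph(lockfile_text: str) -> dict:
    """Map package name -> Dependency, marking direct vs transitive entries."""
    lock = json.loads(lockfile_text)
    if lock.get("lockfileVersion") != 3:
        raise ValueError("this example only handles lockfileVersion 3")
    packages = lock["packages"]
    root_deps = set(packages.get("", {}).get("dependencies", {}))
    graph = {}
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles @scope/pkg too
        graph[name] = Dependency(name, meta["version"], direct=name in root_deps)
    # Reverse edges: who requires each package (the root is labelled "<root>").
    for path, meta in packages.items():
        parent = "<root>" if path == "" else path.rsplit("node_modules/", 1)[-1]
        for child in meta.get("dependencies", {}):
            if child in graph:
                graph[child].required_by.append(parent)
    return graph


def generate_alerts(graph: dict, advisories: list, ecosystem: str = "npm") -> list:
    """Cross-reference resolved versions against advisories; one record per hit."""
    alerts = []
    for adv in advisories:
        dep = graph.get(adv["package"]) if adv["ecosystem"] == ecosystem else None
        if dep and version_in_range(dep.version, adv["vulnerable_range"]):
            alerts.append({"advisory": adv["id"], "package": dep.name,
                           "version": dep.version, "severity": adv["severity"],
                           "patched_version": adv["patched"],
                           "scope": "direct" if dep.direct else "transitive",
                           "required_by": dep.required_by})
    return alerts


if __name__ == "__main__":
    for alert in generate_alerts(build_dependency_graph(SAMPLE_LOCKFILE), SAMPLE_ADVISORIES):
        print(json.dumps(alert, indent=2))
```

Running it reports a single alert: tiny-logger 0.4.2 is transitive (required by web-framework), so the fix is to bump web-framework or override the nested version, which is exactly the "affected file plus fixed version" information an alert carries. Re-running after a lockfile change re-evaluates the graph, mirroring the second trigger in the list above; a new advisory entry re-evaluates the same graph, mirroring the first.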
Feature availability
- Dependency graph and Dependabot alerts—not enabled by default. Both features are configured at the enterprise level by the enterprise owner. For more information, see "Enabling the dependency graph for your enterprise" and "Enabling Dependabot for your enterprise."
- Dependency review—available when the dependency graph is enabled for your GitHub Enterprise Server instance and Advanced Security is enabled for the organization or repository. For more information, see "About GitHub Advanced Security."