
Viewing and updating Dependabot alerts

If GitHub discovers insecure dependencies in your project, you can view details on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the alert.

Who can use this feature?

  • Repository administrators, organization owners, and people with write or maintain access to a repository
  • Users and teams with explicit access. See Granting access to security alerts.

Note:

To use this feature, the site administrator must configure Dependabot updates for your GitHub Enterprise Server instance. For more information, see Enabling Dependabot for your enterprise.

You may not be able to enable or disable Dependabot updates if an enterprise owner has set an enterprise-level policy. For more information, see Enforcing policies for code security and analysis for your enterprise.

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and corresponding Dependabot security updates. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see About Dependabot alerts.

You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see About Dependabot security updates.

About updates for vulnerable dependencies in your repository

GitHub generates Dependabot alerts when we detect that the default branch of your codebase is using dependencies with known security risks. For repositories where Dependabot security updates are enabled, when GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.

Dependabot does not generate Dependabot alerts for malware. For more information, see About the GitHub Advisory Database.

Each Dependabot alert has a unique numeric identifier and the Dependabot alerts tab lists an alert for every detected vulnerability. Legacy Dependabot alerts grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy Dependabot alert, you will be redirected to a Dependabot alerts tab filtered for that package.

You can filter and sort Dependabot alerts using a variety of filters and sort options available on the user interface. For more information, see Prioritizing Dependabot alerts below.

You can also audit actions taken in response to Dependabot alerts. For more information, see Auditing security alerts.

Prioritizing Dependabot alerts

GitHub helps you prioritize fixing Dependabot alerts. By default, Dependabot alerts are sorted by importance. The "Most important" sort order helps you decide which Dependabot alerts to focus on first. Alerts are ranked by their potential impact, actionability, and relevance. The prioritization calculation is continually refined and includes factors such as CVSS score, dependency scope, and whether vulnerable function calls are found for the alert. You can also use Dependabot auto-triage rules to prioritize Dependabot alerts. For more information, see "About Dependabot auto-triage rules."

You can sort and filter Dependabot alerts by typing filters as key:value pairs into the search bar.

Option | Description | Example
--- | --- | ---
CVE-ID | Displays alerts associated with this CVE-ID | CVE-2020-28482 will show alerts whose underlying advisory has this CVE ID number.
ecosystem | Displays alerts for the selected ecosystem | Use ecosystem:npm to show Dependabot alerts for npm
GHSA-ID | Displays alerts associated with this GHSA-ID | GHSA-49wp-qq6x-g2rf will show alerts whose underlying advisory has this GitHub Advisory Database ID.
has | Displays alerts that meet the selected filter criteria | Use has:patch to show alerts related to advisories that have a patch
is | Displays alerts based on their state | Use is:open to show open alerts
manifest | Displays alerts for the selected manifest | Use manifest:webwolf/pom.xml to show alerts on the pom.xml file of the WebWolf application
package | Displays alerts for the selected package | Use package:django to show alerts for Django
resolution | Displays alerts with the selected resolution status | Use resolution:no-bandwidth to show alerts previously parked because there were no resources or time to fix them
repo | Displays alerts based on the repository they relate to. Note that this filter is only available in the security overview. For more information, see Security overview. | Use repo:octocat-repo to show alerts in the repository named octocat-repo
scope | Displays alerts based on the scope of the dependency they relate to | Use scope:development to show alerts for dependencies that are only used during development
severity | Displays alerts based on their severity level | Use severity:high to show high-severity alerts
epss_percentage | Displays alerts based on their likelihood of exploitation as predicted by EPSS | Use epss_percentage:>0.01 to show alerts with an EPSS percentage greater than 1%
sort | Displays alerts in the selected sort order | The default sort order for alerts is sort:most-important, which ranks alerts by importance. Use sort:newest to show the latest alerts reported by Dependabot. Use sort:epss-percentage to show alerts sorted by EPSS score, descending.
team | Displays data for all repositories that the specified team has write or admin access to. For more information about repository roles, see Repository roles for an organization. | Use team:octo-team to show alerts for repositories that the octo-team team has write access to.
topic | Displays data for all repositories classified with a specific topic. For more information about repository topics, see Classifying your repository with topics. | Use topic:nextjs to show alerts for repositories classified with the nextjs topic.

Note:

The Exploit Prediction Scoring System, or EPSS, provides a score (0 to 100%), the probability that the vulnerability will be exploited in the next 30 days, and a percentile (nth percentile), a relative measure of threat. The score comes from the Forum of Incident Response and Security Teams (FIRST) and is updated daily. For more information, see Exploit Prediction Scoring System in the FIRST documentation.
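The filters above are easy to reproduce locally, which is useful when you pull alerts through the REST API and want to triage them with the same vocabulary you use in the search bar. The block below is an added example, not GitHub's code: it evaluates `key:value` filters (`is`, `severity`, `scope`, `ecosystem`, `package`, `manifest`, `has:patch`, `epss_percentage` with a comparison operator, and `sort`) plus free-text terms against alert records. The records are constructed, and their field layout (`state`, `dependency.scope`, `security_advisory.severity`, `security_advisory.epss.percentage`, `security_vulnerability.first_patched_version`) is modelled on the REST API's alert JSON; treat that layout as an assumption and confirm it against the REST API reference before pointing this at real output. The `most-important` ordering here is a simple stand-in for GitHub's own ranking, which is not published.

```python
"""Evaluate Dependabot alerts search filters against alert records (added example)."""
import operator
import shlex
from typing import Any

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Longest operators first so ">=" is not consumed by ">".
COMPARATORS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
               "<": operator.lt, "=": operator.eq}

# Constructed sample data: package names, dates and scores are invented.
# Field layout is an assumption modelled on the REST API alert JSON.
SAMPLE_ALERTS: list[dict[str, Any]] = [
    {"number": 1, "state": "open", "created_at": "2024-05-01T10:00:00Z",
     "dependency": {"scope": "runtime", "manifest_path": "package-lock.json",
                    "package": {"ecosystem": "npm", "name": "pkg-alpha"}},
     "security_advisory": {"severity": "high", "epss": {"percentage": 0.35},
                           "summary": "Prototype pollution in pkg-alpha"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.2.3"}}},
    {"number": 2, "state": "open", "created_at": "2024-05-03T10:00:00Z",
     "dependency": {"scope": "development", "manifest_path": "package-lock.json",
                    "package": {"ecosystem": "npm", "name": "pkg-beta"}},
     "security_advisory": {"severity": "critical", "epss": {"percentage": 0.02},
                           "summary": "Regular expression denial of service in pkg-beta"},
     "security_vulnerability": {"first_patched_version": None}},
    {"number": 3, "state": "dismissed", "created_at": "2024-04-20T10:00:00Z",
     "dependency": {"scope": "development", "manifest_path": "requirements-dev.txt",
                    "package": {"ecosystem": "pip", "name": "pkg-gamma"}},
     "security_advisory": {"severity": "medium", "epss": {"percentage": 0.004},
                           "summary": "Arbitrary code execution via insecure YAML loading in pkg-gamma"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.1.0"}}},
    {"number": 4, "state": "open", "created_at": "2024-05-10T10:00:00Z",
     "dependency": {"scope": "runtime", "manifest_path": "webwolf/pom.xml",
                    "package": {"ecosystem": "maven", "name": "pkg-delta"}},
     "security_advisory": {"severity": "low", "epss": {"percentage": 0.001},
                           "summary": "Information disclosure in pkg-delta"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.4.2"}}},
]


def _epss(alert: dict) -> float:
    return float((alert["security_advisory"].get("epss") or {}).get("percentage", 0.0))


def _has_patch(alert: dict) -> bool:
    return alert["security_vulnerability"].get("first_patched_version") is not None


def parse_query(query: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Split a search string into key:value filters and lower-cased free-text terms."""
    filters, terms = [], []
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if sep and value and key.replace("_", "").isalpha():
            filters.append((key.lower(), value))
        else:
            terms.append(token.lower())
    return filters, terms


def matches(alert: dict, key: str, value: str) -> bool:
    dep, adv = alert["dependency"], alert["security_advisory"]
    if key == "is":
        # The UI's "Closed" tab covers every non-open state (dismissed, fixed, auto-dismissed).
        return alert["state"] == "open" if value == "open" else alert["state"] != "open"
    if key == "severity":
        return adv["severity"] == value
    if key == "scope":
        return dep["scope"] == value
    if key == "ecosystem":
        return dep["package"]["ecosystem"] == value
    if key == "package":
        return dep["package"]["name"] == value
    if key == "manifest":
        return dep["manifest_path"] == value
    if key == "has":
        return value == "patch" and _has_patch(alert)
    if key == "epss_percentage":
        for sym, op in COMPARATORS.items():
            if value.startswith(sym):
                return op(_epss(alert), float(value[len(sym):]))
        return _epss(alert) == float(value)
    raise ValueError(f"unsupported filter key: {key}")


def sort_alerts(alerts: list[dict], order: str) -> list[dict]:
    if order == "newest":
        return sorted(alerts, key=lambda a: a["created_at"], reverse=True)
    if order == "epss-percentage":
        return sorted(alerts, key=_epss, reverse=True)
    if order == "most-important":
        # Stand-in ranking: severity, then EPSS, then runtime ahead of development scope.
        return sorted(alerts, reverse=True,
                      key=lambda a: (SEVERITY_RANK[a["security_advisory"]["severity"]],
                                     _epss(a), a["dependency"]["scope"] == "runtime"))
    raise ValueError(f"unsupported sort order: {order}")


def search(alerts: list[dict], query: str) -> list[int]:
    """Return the matching alert numbers in the requested sort order (default: most-important)."""
    filters, terms = parse_query(query)
    order, selected = "most-important", list(alerts)
    for key, value in filters:
        if key == "sort":
            order = value
            continue
        selected = [a for a in selected if matches(a, key, value)]
    if terms:
        # Free text is matched against the advisory summary, like the UI's full-text search.
        selected = [a for a in selected
                    if all(t in a["security_advisory"]["summary"].lower() for t in terms)]
    return [a["number"] for a in sort_alerts(selected, order)]
```

Note that `is:open` is not applied by default here, whereas the alerts tab opens on the open alerts; add it explicitly when you want the same view, and remember that `has:patch` only tells you a fix exists, not that the upgrade is compatible with your code.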

In addition to the filters available via the search bar, you can sort and filter Dependabot alerts using the dropdown menus at the top of the alert list. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.

The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for yaml.load() API could execute arbitrary code will return Dependabot alerts linked to PyYAML insecurely deserializes YAML strings leading to arbitrary code execution as the search string appears in the advisory description.

Screenshot of the filter and sort menus in the Dependabot alerts tab.

You can also use the REST API to get a list of Dependabot alerts sorted using your filter of choice, for your repository, organization, or enterprise. For more information about API endpoints, see REST API endpoints for Dependabot alerts.

Supported ecosystems and manifests for dependency scope

The following table summarizes whether dependency scope is supported for various ecosystems and manifests, that is, whether Dependabot can identify whether a dependency is used for development or for production.

Language | Ecosystem | Manifest file | Dependency scope supported
--- | --- | --- | ---
Dart | pub | pubspec.yaml | Yes
Dart | pub | pubspec.lock | Yes
Go | Go modules | go.mod | No, defaults to runtime
Java | Maven | pom.xml | Yes: test maps to development; otherwise the scope defaults to runtime
JavaScript | npm | package.json | Yes
JavaScript | npm | package-lock.json | Yes
JavaScript | npm | pnpm-lock.yaml | Yes
JavaScript | yarn v1 | yarn.lock | No, defaults to runtime
PHP | Composer | composer.json | Yes
PHP | Composer | composer.lock | Yes
Python | Poetry | poetry.lock | Yes
Python | Poetry | pyproject.toml | Yes
Python | pip | requirements.txt | Yes: the scope is development if the file name contains test or dev, otherwise runtime
Python | pip | Pipfile.lock | Yes
Python | pip | Pipfile | Yes
Ruby | RubyGems | Gemfile | Yes
Ruby | RubyGems | Gemfile.lock | No, defaults to runtime
Rust | Cargo | Cargo.toml | Yes
Rust | Cargo | Cargo.lock | No, defaults to runtime
YAML | GitHub Actions | - | No, defaults to runtime
.NET (C#, F#, VB, etc.) | NuGet | .csproj / .vbproj / .vcxproj / .fsproj | No, defaults to runtime
.NET | NuGet | packages.config | No, defaults to runtime
.NET | NuGet | .nuspec | Yes, when the tag is not runtime
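Because several lock files default to runtime, a `scope:development` filter can miss dependencies that are in fact test-only, and the reverse holds for `requirements-dev.txt`, where everything is treated as development. The block below is an added example, not Dependabot's own parser, that applies the rules from the table so you can check what scope an alert should carry for a given manifest: pip requirements files are development when the file name contains "test" or "dev", Maven dependencies are development when their `<scope>` is `test`, and go.mod, yarn.lock, Gemfile.lock, Cargo.lock and NuGet project files are always runtime. Treating npm `devDependencies` as development scope is this example's assumption about how the package.json support is realised, and the `.nuspec` tag rule is not implemented. The POM and package.json inputs are constructed.

```python
"""Infer the dependency scope Dependabot would assign from a manifest (added example)."""
import json
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from typing import Optional

# Manifests the table lists as "No, defaults to runtime".
ALWAYS_RUNTIME_NAMES = {"go.mod", "yarn.lock", "Gemfile.lock", "Cargo.lock", "packages.config"}
ALWAYS_RUNTIME_SUFFIXES = {".csproj", ".vbproj", ".vcxproj", ".fsproj"}

# Constructed sample manifests.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId>
      <version>1.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>test-harness</artifactId>
      <version>2.0</version><scope>test</scope></dependency>
  </dependencies>
</project>"""
SAMPLE_PACKAGE_JSON = """{"dependencies": {"pkg-alpha": "^1.0.0"},
 "devDependencies": {"pkg-beta": "^2.0.0", "pkg-alpha": "^1.0.0"}}"""


def pip_scope(manifest_path: str) -> str:
    """requirements*.txt: development if the file name (not the directory) mentions test or dev."""
    name = PurePosixPath(manifest_path).name.lower()
    return "development" if ("test" in name or "dev" in name) else "runtime"


def _local(tag: str) -> str:
    """Strip an XML namespace: '{http://maven.apache.org/POM/4.0.0}scope' -> 'scope'."""
    return tag.rsplit("}", 1)[-1]


def maven_scopes(pom_xml: str) -> dict:
    """Map groupId:artifactId to scope for every <dependency> element in a POM."""
    scopes = {}
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        key = f"{fields.get('groupId', '')}:{fields.get('artifactId', '')}"
        # Only <scope>test</scope> maps to development; compile, provided, runtime or absent stay runtime.
        scopes[key] = "development" if fields.get("scope") == "test" else "runtime"
    return scopes


def npm_scopes(package_json: str) -> dict:
    """Assumption: devDependencies are development; a package in both sections stays runtime."""
    data = json.loads(package_json)
    scopes = {name: "runtime" for name in data.get("dependencies", {})}
    for name in data.get("devDependencies", {}):
        scopes.setdefault(name, "development")
    return scopes


def default_scope(manifest_path: str) -> Optional[str]:
    """Scope decided from the path alone; None means the file contents must be parsed."""
    path = PurePosixPath(manifest_path)
    if path.name in ALWAYS_RUNTIME_NAMES or path.suffix in ALWAYS_RUNTIME_SUFFIXES:
        return "runtime"
    if path.suffix == ".txt" and "requirements" in path.name.lower():
        return pip_scope(manifest_path)
    return None
```

`default_scope` returning `None` for `pom.xml` and `package.json` is the point: for those files the scope depends on the dependency entry, so the alert's Development label is only as good as the parsing of that entry.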

Alerts for packages listed as development dependencies are marked with the Development label on the Dependabot alerts page and are also available for filtering via the scope filter.

Screenshot showing the "Development" label assigned to an alert in the list of alerts. The label is highlighted with a dark orange outline.

The alert details page of alerts on development-scoped packages shows a "Tags" section containing a Development label.

Screenshot showing the "Tags" section in the alert details page. The label is highlighted with a dark orange outline.

Viewing Dependabot alerts

You can view all open and closed Dependabot alerts and the corresponding Dependabot security updates in the Dependabot alerts tab of your repository. You can sort and filter Dependabot alerts by selecting a filter from the dropdown menu.

To view summaries of alerts for all or a subset of repositories owned by your organization, use security overview. For more information, see Información general sobre seguridad.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted with a dark orange outline.

  3. In the "Vulnerability alerts" sidebar of the security overview, click Dependabot. If this option is missing, you do not have access to security alerts and need to be granted it. For more information, see Managing security and analysis settings for your repository.

    Screenshot of the security overview, with the "Dependabot" tab highlighted with a dark orange outline.

  4. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. For more information about filtering and sorting alerts, see Prioritizing Dependabot alerts.

    Screenshot of the filter and sort menus in the Dependabot alerts tab.

  5. Click the alert that you would like to view.

  6. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click Suggest improvements for this advisory on the GitHub Advisory Database. For more information, see Editing security advisories in the GitHub Advisory Database.

    Screenshot of the right sidebar of a Dependabot alert. A link, titled "Suggest improvements for this advisory...", is outlined in orange.

Reviewing and fixing alerts

It's important to ensure that your dependencies are free of known security weaknesses. When Dependabot discovers vulnerabilities in your dependencies, assess your project's level of exposure and determine what remediation steps to take to secure your application.

If a patched version of the dependency is available, you can generate a Dependabot pull request to update this dependency directly from a Dependabot alert. If you have Dependabot security updates enabled, the pull request may be linked in the Dependabot alert.

In cases where a patched version is not available, or you can’t update to the secure version, Dependabot shares additional information to help you determine next steps. When you click through to view a Dependabot alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory.

Fixing vulnerable dependencies

  1. View the details for an alert. For more information, see Viewing Dependabot alerts (above).

  2. If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request.

    Screenshot of a Dependabot alert with the "Create Dependabot security update" button highlighted with a dark orange outline.

  3. Optionally, if you do not use Dependabot security updates, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version.

  4. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.

    Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see Managing pull requests for dependency updates.

Dismissing Dependabot alerts

Nota:

You can only dismiss open alerts.

If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.

  1. View the details for an alert. For more information, see Viewing Dependabot alerts (above).

  2. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later.

  3. Optionally, add a dismissal comment. The dismissal comment is added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the dismissComment field. For more information, see Objects in the GraphQL API documentation.

    Screenshot of a Dependabot alert page, with the "Dismiss" dropdown and the option to add a dismissal comment outlined in orange.

  4. Click Dismiss alert.

Dismissing multiple alerts at once

  1. View the open Dependabot alerts. For more information, see Viewing and updating Dependabot alerts.
  2. Optionally, filter the list of alerts by selecting a dropdown menu, then clicking the filter that you would like to apply. You can also type filters into the search bar.
  3. To the left of each alert title, select the alerts that you want to dismiss.
    Screenshot of the Dependabot alerts view. Two alerts are selected and these check boxes are highlighted with an orange outline.
  4. Optionally, at the top of the list of alerts, select all alerts on the page.
    Screenshot of the header section of the Dependabot alerts view. The "Select all" checkbox is highlighted with a dark orange outline.
  5. Select the "Dismiss alerts" dropdown, and click a reason for dismissing the alerts.
    Screenshot of a list of alerts. Below the "Dismiss alerts" button, a dropdown labeled "Select a reason to dismiss" is expanded.

Viewing and updating closed alerts

You can view all closed alerts, and you can reopen alerts that have been previously dismissed. Closed alerts that have already been fixed cannot be reopened.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted with a dark orange outline.

  3. In the "Vulnerability alerts" sidebar of the security overview, click Dependabot. If this option is missing, you do not have access to security alerts and need to be granted it. For more information, see Managing security and analysis settings for your repository.

    Screenshot of the security overview, with the "Dependabot" tab highlighted with a dark orange outline.

  4. To just view closed alerts, click Closed.

    Screenshot showing the list of Dependabot alerts with the "Closed" tab highlighted with a dark orange outline.

  5. Click the alert that you would like to view or update.

  6. Optionally, if the alert was dismissed and you wish to reopen it, click Reopen. Alerts that have already been fixed cannot be reopened.

    Screenshot showing a closed Dependabot alert. A button, titled "Reopen", is highlighted in a dark orange outline.

Reopening multiple alerts at once

  1. View the closed Dependabot alerts. For more information, see Viewing and updating Dependabot alerts (above).
  2. To the left of each alert title, select the alerts that you want to reopen by clicking the checkbox adjacent to each alert.
  3. Optionally, at the top of the list of alerts, select all closed alerts on the page.
    Screenshot of alerts in the "Closed" tab. The "Select all" checkbox is highlighted with a dark orange outline.
  4. Click Reopen to reopen the alerts. Alerts that have already been fixed cannot be reopened.

Reviewing the audit logs for Dependabot alerts

When a member of your organization or enterprise performs an action related to Dependabot alerts, you can review the actions in the audit log. For more information about accessing the log, see Reviewing the audit log for your organization and Accessing the audit log for your enterprise.

Screenshot of the audit log showing Dependabot alerts.

Events in your audit log for Dependabot alerts include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment. For information on the Dependabot alerts actions, see the repository_vulnerability_alert category in Audit log events for your organization and Audit log events for your enterprise.
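Since the audit log records the dismissal reason and comment, it is the place to check that risk acceptances are actually justified. The block below is an added example, not GitHub's code: it reads an audit log export as JSON lines, keeps the repository_vulnerability_alert events, and reports dismissals that carry no comment, the spread of dismissal reasons, and alerts that were dismissed and later reopened by someone else. The records are constructed. The action names follow the repository_vulnerability_alert category named above (dismiss, resolve, reopen); the other field names (actor, repo, created_at, alert_number, dismiss_reason, dismiss_comment) and the reason tokens (modelled on the REST API's dismissed_reason values) are assumptions, so check them against an export from your own organization before running this on real data.

```python
"""Review Dependabot alert dismissals in an audit log export (added example)."""
import json
from collections import Counter

DISMISS = "repository_vulnerability_alert.dismiss"
REOPEN = "repository_vulnerability_alert.reopen"
RESOLVE = "repository_vulnerability_alert.resolve"

# Constructed sample export, one JSON object per line. Field names other than
# "action" are an assumption about the export layout.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"action": DISMISS, "actor": "mona", "repo": "octo-org/octocat-repo", "alert_number": 12,
     "created_at": "2024-05-02T09:00:00Z", "dismiss_reason": "tolerable_risk",
     "dismiss_comment": "Vulnerable function is never called from our code"},
    {"action": DISMISS, "actor": "hubot", "repo": "octo-org/octocat-repo", "alert_number": 15,
     "created_at": "2024-05-02T09:05:00Z", "dismiss_reason": "no_bandwidth", "dismiss_comment": ""},
    {"action": RESOLVE, "actor": "mona", "repo": "octo-org/octocat-repo", "alert_number": 9,
     "created_at": "2024-05-02T10:00:00Z"},
    {"action": REOPEN, "actor": "octocat", "repo": "octo-org/octocat-repo", "alert_number": 12,
     "created_at": "2024-05-03T08:00:00Z"},
    {"action": DISMISS, "actor": "hubot", "repo": "octo-org/another-repo", "alert_number": 3,
     "created_at": "2024-05-03T08:30:00Z", "dismiss_reason": "not_used"},
    {"action": "repo.create", "actor": "octocat", "repo": "octo-org/new-repo",
     "created_at": "2024-05-03T09:00:00Z"},
])


def load_dependabot_events(jsonl: str) -> list:
    """Keep only repository_vulnerability_alert.* events, oldest first."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    alert_events = [e for e in events
                    if e.get("action", "").startswith("repository_vulnerability_alert.")]
    return sorted(alert_events, key=lambda e: e["created_at"])


def unjustified_dismissals(events: list) -> list:
    """Dismissals with no comment: nothing to show an auditor who asks why the risk was accepted."""
    return [(e["repo"], e["alert_number"], e["actor"]) for e in events
            if e["action"] == DISMISS and not (e.get("dismiss_comment") or "").strip()]


def dismissal_reasons(events: list) -> Counter:
    """How often each reason is used; a skew toward no_bandwidth is a backlog signal, not a fix."""
    return Counter(e["dismiss_reason"] for e in events if e["action"] == DISMISS)


def reopened_after_dismiss(events: list) -> list:
    """Alerts dismissed and later reopened, with who reopened them: contested risk acceptances."""
    dismissed, contested = set(), []
    for e in events:  # chronological, see load_dependabot_events
        key = (e["repo"], e["alert_number"])
        if e["action"] == DISMISS:
            dismissed.add(key)
        elif e["action"] == REOPEN and key in dismissed:
            contested.append((e["repo"], e["alert_number"], e["actor"]))
            dismissed.discard(key)
    return contested
```

Run the three reports on a periodic export and route the output to whoever owns the risk register; a dismissal with an empty comment should be reopened or re-dismissed with a justification, since the comment is the only part of the record that explains the decision.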