Skip to main content
ドキュメントには頻繁に更新が加えられ、その都度公開されています。本ページの翻訳はまだ未完成な部分があることをご了承ください。最新の情報については、英語のドキュメンテーションをご参照ください。本ページの翻訳に問題がある場合はこちらまでご連絡ください。

このバージョンの GitHub Enterprise はこの日付をもって終了となります: 2022-06-03. 重大なセキュリティの問題に対してであっても、パッチリリースは作成されません。 パフォーマンスの向上、セキュリティの改善、新機能のためには、最新バージョンのGitHub Enterpriseにアップグレードしてください。 アップグレードに関する支援については、GitHub Enterprise supportに連絡してください。

About supply chain security

GitHub Enterprise Server helps you secure your supply chain, from understanding the dependencies in your environment, to knowing about vulnerabilities in those dependencies.

About supply chain security at GitHub

With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerabilities.

You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively, that is, even if you don’t specify a particular dependency, but a dependency of yours uses it, then you’re also dependent on that dependency.

GitHub Enterprise Server offers a range of features to help you understand the dependencies in your environment and know about vulnerabilities in those dependencies.

The supply chain features on GitHub Enterprise Server are:

  • Dependency graph

  • Dependabotアラート

The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.

Dependabot cross-references dependency data provided by the dependency graph with the list of known vulnerabilities published in the GitHub Advisory Database, scans your dependencies and generates Dependabotアラート when a potential vulnerability is detected.

For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see "Securing your end-to-end supply chain."

Feature overview

What is the dependency graph

To generate the dependency graph, GitHub looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.

  • The dependency graph includes information on your direct dependencies and transitive dependencies.
  • The dependency graph is automatically updated when you push a commit to GitHub that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
  • You can see the dependency graph by opening the repository's main page on GitHub Enterprise Server, and navigating to the Insights tab.

For more information about the dependency graph, see "About the dependency graph."

What is Dependabot

Dependabot keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies so that you can update that dependency.

What are Dependabot alerts

Dependabotアラート highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the GitHub Advisory Database, which contains the versions on known vulnerability lists.

  • Dependabot performs a scan to detect vulnerable dependencies and sends Dependabotアラート when:

  • Dependabotアラート are displayed on the Security tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.

For more information about Dependabotアラート, see "About alerts for vulnerable dependencies."

Feature availability