Skip to main content

리포지토리의 종속성 탐색

종속성 그래프를 사용하여 프로젝트가 사용하는 패키지와 볼 수 있습니다. 또한 종속성에서 검색된 모든 취약성을 볼 수 있습니다.

누가 이 기능을 사용할 수 있나요?

리포지토리 관리자, 조직 소유자 및 리포지토리에 대한 쓰기 또는 유지 관리 권한이 있는 사용자

Viewing the dependency graph

The dependency graph shows the dependencies of your repository. For each dependency, you can see the vulnerability severity. You can also search for a specific dependency using the search bar. Dependencies are sorted automatically by vulnerability severity. For information about the detection of dependencies and which ecosystems are supported, see Dependency graph supported package ecosystems.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

    Screenshot of the main page of a repository. In the horizontal navigation bar, a tab, labeled with a graph icon and "Insights," is outlined in dark orange.

  3. In the left sidebar, click Dependency graph.

    Screenshot of the "Dependency graph" tab. The tab is highlighted with an orange outline.

  4. Optionally, use the search bar to find a specific dependency or set of dependencies.

    Note

    The search bar only searches based on the package name.

Enterprise owners can configure the dependency graph at an enterprise level. For more information, see Enabling the dependency graph for your enterprise.

Dependencies view

Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed.

Dependencies submitted to a project using the dependency submission API will show which detector was used for their submission and when they were submitted. For more information on using the dependency submission API, see Using the dependency submission API.

If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to Dependabot alerts.

Note

GitHub Enterprise Server does not populate the Dependents view.

Troubleshooting the dependency graph

If your dependency graph is empty, there may be a problem with the file containing your dependencies. Check the file to ensure that it's correctly formatted for the file type.

If a manifest or lock file is not processed, its dependencies are omitted from the dependency graph and they can't be checked for insecure dependencies.

Further reading