
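This version of GitHub Enterprise was discontinued on 2024-03-26. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.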

Configuring Dependabot to work with limited internet access

If your GitHub Enterprise Server instance has limited or no internet access, you can configure Dependabot to generate pull requests for version and security updates by using private registries.

About Dependabot updates

You can use Dependabot updates to fix vulnerabilities and keep dependencies updated to the latest version in your GitHub Enterprise Server instance. Dependabot updates require GitHub Actions with self-hosted runners set up for Dependabot to use. Dependabot alerts and security updates use information from the GitHub Advisory Database accessed using GitHub Connect. For more information, see "Managing self-hosted runners for Dependabot updates on your enterprise" and "Enabling Dependabot for your enterprise."

Dependabot can access public registries by default, and you can configure Dependabot to also access private registries. Alternatively, if your GitHub Enterprise Server instance has limited or no internet access, you can configure Dependabot to use only private registries as a source for security and version updates. For information on which ecosystems are supported as private registries, see "Removing Dependabot access to public registries."

The instructions below assume that you need to set up Dependabot runners with the following limitations.

  • No internet access.
  • Access to limited internal resources, such as private registries for Dependabot.

Restricting internet access for Dependabot runners

Before configuring Dependabot, install Docker on your self-hosted runner. For more information, see "Managing self-hosted runners for Dependabot updates on your enterprise."

  1. On your GitHub Enterprise Server instance, navigate to the github/dependabot-action repository and retrieve information about the dependabot-updater and dependabot-proxy container images from the containers.json file.

    Each release of GitHub Enterprise Server includes an updated containers.json file at: https://HOSTNAME/github/dependabot-action/blob/ghes-VERSION/docker/containers.json. You can see the version of the file at: containers.json.

  2. Preload all the container images from the GitHub Container registry onto the Dependabot runner using the docker pull command.

    Note: You will need to repeat this step when you upgrade to a new minor version of GitHub Enterprise Server, or if you manually update the Dependabot action from For more information, see "Manually syncing actions from"

  3. When you have finished adding these images to the runner, you are ready to restrict internet access to the Dependabot runner, ensuring that it can still access your private registries for the required ecosystems and for your GitHub Enterprise Server instance.

    You must add the images first because Dependabot runners pull dependabot-updater and dependabot-proxy from the GitHub Container registry when Dependabot jobs start running.
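The preload in step 2 and the check that step 3 depends on, as an added example that is not part of the GitHub documentation: it reads containers.json, pulls any image the runner does not yet hold, and reports what is still missing. The flat name-to-image layout, the placeholder image references and the function names are assumptions made for this example.

```python
import json
import subprocess
import sys

# Constructed sample, not the real file. Assumed layout: one flat JSON object
# that maps a short name to a full image reference.
SAMPLE_CONTAINERS_JSON = """{
  "proxy": "ghcr.io/example/dependabot-proxy:v0.0.0-placeholder",
  "updater": "ghcr.io/example/dependabot-updater:v0.0.0-placeholder"
}"""

def image_refs(containers_json):
    """Return the distinct image references in containers.json, sorted."""
    data = json.loads(containers_json)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object at the top level")
    refs = set()
    for name, ref in data.items():
        if not isinstance(ref, str) or not ref.strip():
            raise ValueError(f"entry {name!r} is not an image reference")
        refs.add(ref.strip())
    return sorted(refs)

def is_present(ref, runner=subprocess.run):
    """True if the local Docker image store already holds this image."""
    return runner(["docker", "image", "inspect", ref],
                  capture_output=True).returncode == 0

def missing_images(containers_json, present=is_present):
    """Images a Dependabot job would still have to fetch from the registry."""
    return [r for r in image_refs(containers_json) if not present(r)]

def preload(containers_json, present=is_present, runner=subprocess.run):
    """Run docker pull for each missing image; return what is still missing."""
    for ref in missing_images(containers_json, present):
        runner(["docker", "pull", ref], check=False)
    return missing_images(containers_json, present)

if __name__ == "__main__":
    # Usage: python preload_images.py containers.json
    with open(sys.argv[1], encoding="utf-8") as fh:
        still_missing = preload(fh.read())
    for ref in still_missing:
        print(f"NOT PRELOADED: {ref}", file=sys.stderr)
    # A non-zero exit means: do not restrict internet access yet.
    sys.exit(1 if still_missing else 0)
```

Run it against the containers.json for your release while the runner still has registry access, and again after each upgrade that changes the file.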

Verifying the configuration of Dependabot runners

  1. For a test repository, configure Dependabot to access private registries and remove access to public registries. For more information, see "Configuring access to private registries for Dependabot" and "Removing Dependabot access to public registries."
  2. In the Insights tab for the repository, click Dependency graph to display details of the dependencies.
  3. Click Dependabot to display the ecosystems configured for version updates.
  4. For ecosystems that you want to test, click Last checked TIME ago to display the "Update logs" view.
  5. Click Check for updates to check for new updates to dependencies for that ecosystem.

When the check for updates is complete, you should check the "Update logs" view to verify that Dependabot accessed the configured private registries on your GitHub Enterprise Server instance to check for version updates.

After you have verified that the configuration is correct, ask repository administrators to update their Dependabot configurations to use private registries only. For more information, see "Removing Dependabot access to public registries."