Skip to main content
설명서에 자주 업데이트를 게시하며 이 페이지의 번역이 계속 진행 중일 수 있습니다. 최신 정보는 영어 설명서를 참조하세요.
GitHub AE는 현재 제한된 릴리스에 있습니다.
All products
코드 보안

Dependabot 경고 보기 및 업데이트

이 문서의 내용

GitHub AE가 프로젝트에서 안전하지 않은 종속성을 검색하는 경우 리포지토리의 Dependabot 경고 탭에서 세부 정보를 볼 수 있습니다. 그런 다음, 프로젝트를 업데이트하여 경고를 해결하거나 해제할 수 있습니다.

이 기능을 사용할 수 있는 사용자

Repository administrators and organization owners can view and update dependencies, as well as users and teams with explicit access.

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts. For more information, see "About Dependabot alerts."

You can filter and sort Dependabot alerts using a variety of filters and sort options available on the user interface. For more information, see "Prioritizing Dependabot alerts" below.

You can also audit actions taken in response to Dependabot alerts. For more information, see "Auditing security alerts."

Prioritizing Dependabot alerts

GitHub helps you prioritize fixing Dependabot alerts.

You can sort and filter Dependabot alerts by typing filters as key:value pairs into the search bar.

OptionDescriptionExample
ecosystemDisplays alerts for the selected ecosystemUse ecosystem:npm to show Dependabot alerts for npm
hasDisplays alerts meeting the selected filter criteriaUse has:patch to show alerts related to advisories that have a patch
isDisplays alerts based on their stateUse is:open to show open alerts
manifestDisplays alerts for the selected manifestUse manifest:webwolf/pom.xml to show alerts on the pom.xml file of the webwolf application
packageDisplays alerts for the selected packageUse package:django to show alerts for django
resolutionDisplays alerts of the selected resolution statusUse resolution:no-bandwidth to show alerts previously parked due to lack of resources or time to fix them
repoDisplays alerts based on the repository they relate to
Note that this filter is only available for security overview. For more information, see "About security overview"		Use repo:octocat-repo to show alerts in the repository called octocat-repo
severityDisplays alerts based on their level of severityUse severity:high to show alerts with a severity of High

In addition to the filters available via the search bar, you can sort and filter Dependabot alerts using the dropdown menus at the top of the alert list.

The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for yaml.load() API could execute arbitrary code will return Dependabot alerts linked to "PyYAML insecurely deserializes YAML strings leading to arbitrary code execution" as the search string appears in the advisory description.

Viewing Dependabot alerts

  1. On your enterprise, navigate to the main page of the repository.
  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security. Screenshot of a repository header showing the tabs. The "Security" tab is highlighted by a dark orange outline.
  3. In the "Vulnerability alerts" sidebar of security overview, click Dependabot. If this option is missing, it means you don't have access to security alerts and need to be given access. For more information, see "Managing security and analysis settings for your repository." Screenshot of security overview, with the "Dependabot" tab highlighted with a dark orange outline.
  4. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. For more information about filtering and sorting alerts, see "Prioritizing Dependabot alerts."
  5. Click the alert that you would like to view.

Reviewing and fixing alerts

It’s important to ensure that all of your dependencies are clean of any security weaknesses. When Dependabot discovers vulnerabilities in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application.

In cases where a patched version is not available, or you can’t update to the secure version, Dependabot shares additional information to help you determine next steps. When you click through to view a Dependabot alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory.

Fixing vulnerable dependencies

  1. View the details for an alert. For more information, see "Viewing Dependabot alerts" (above).

  2. You can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to the manifest or lock file to a secure version.

  3. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.

Dismissing Dependabot alerts

Tip: You can only dismiss open alerts.

If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.

  1. View the details for an alert. For more information, see "Viewing vulnerable dependencies" (above).

  2. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later.

    Screenshot of the page for a Dependabot alert, with the "Dismiss" dropdown and its options highlighted with a dark orange outline.

Viewing and updating closed alerts

You can view all open alerts, and you can reopen alerts that have been previously dismissed. Closed alerts that have already been fixed cannot be reopened.

  1. On your enterprise, navigate to the main page of the repository.

  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security. Screenshot of a repository header showing the tabs. The "Security" tab is highlighted by a dark orange outline.

  3. In the "Vulnerability alerts" sidebar of security overview, click Dependabot. If this option is missing, it means you don't have access to security alerts and need to be given access. For more information, see "Managing security and analysis settings for your repository." Screenshot of security overview, with the "Dependabot" tab highlighted with a dark orange outline.

  4. To just view closed alerts, click Closed.

  5. Click the alert that you would like to view or update.

  6. Optionally, if the alert was dismissed and you wish to reopen it, click Reopen. Alerts that have already been fixed cannot be reopened.

    Screenshot showing a closed Dependabot alert. A button, titled "Reopen", is highlighted in a dark orange outline.

Reviewing the audit logs for Dependabot alerts

When a member of your organization or enterprise performs an action related to Dependabot alerts, you can review the actions in the audit log. For more information about accessing the log, see "Reviewing the audit log for your organization" and "Accessing the audit log for your enterprise."

Events in your audit log for Dependabot alerts include details such as who performed the action, what the action was, and when the action was performed. For information on the Dependabot alerts actions, see the repository_vulnerability_alert category in "Audit log events for your organization" and "Audit log events for your enterprise."