From 2769c4bca2356e16d9e65eadf537e3c5625dfc4d Mon Sep 17 00:00:00 2001 From: Sophie <29382425+sophietheking@users.noreply.github.com> Date: Tue, 20 May 2025 09:33:49 +0200 Subject: [PATCH] Dependency graph can now be disabled for public repositories (#55632) --- .../dependabot-alerts/about-dependabot-alerts.md | 4 +--- .../quickstart-for-securing-your-repository.md | 9 ++++----- .../about-the-dependency-graph.md | 2 +- .../configuring-the-dependency-graph.md | 2 +- ...mizing-your-dependency-review-action-configuration.md | 2 +- .../reviewing-dependency-changes-in-a-pull-request.md | 2 +- ...isabling-dependency-graph-private-repo-public-fork.md | 4 +--- data/reusables/dependency-graph/feature-availability.md | 2 +- 8 files changed, 11 insertions(+), 16 deletions(-) diff --git a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md index fb955b16be..f8e24d5397 100644 --- a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md @@ -61,9 +61,7 @@ As {% data variables.product.prodname_dependabot_alerts %} rely on the dependenc {% data reusables.repositories.enable-security-alerts %} -{% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %} detects vulnerable dependencies in _public_ repositories and displays the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %} for public repositories. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories. - -You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). +{% ifversion fpt or ghec %}Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %} for their repositories. You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). For information about access requirements for actions related to {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#access-requirements-for-security-features). diff --git a/content/code-security/getting-started/quickstart-for-securing-your-repository.md b/content/code-security/getting-started/quickstart-for-securing-your-repository.md index efe33d1749..9490e969af 100644 --- a/content/code-security/getting-started/quickstart-for-securing-your-repository.md +++ b/content/code-security/getting-started/quickstart-for-securing-your-repository.md @@ -75,15 +75,14 @@ For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alert Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). -Dependency review is a {% data variables.product.prodname_GH_code_security %} feature. {% ifversion fpt or ghec %}Dependency review is already enabled for all public repositories. Organizations that use {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_code_security %} can additionally enable dependency review for private and internal repositories.{% endif %} +Dependency review is a {% data variables.product.prodname_GH_code_security %} feature. {% ifversion fpt or ghec %}Dependency review is enabled for all repositories with the dependency graph enabled. Organizations that use {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_code_security %} can additionally enable dependency review for private and internal repositories.{% endif %} To enable dependency review for a repository, ensure that the dependency graph is enabled and enable {% data variables.product.prodname_GH_code_security %}. 1. From the main page of your repository, click **{% octicon "gear" aria-hidden="true" %} Settings**. -1. Click **{% data variables.product.UI_advanced_security %}**. -1. To the right of "{% data variables.product.prodname_code_security %}" or "{% data variables.product.prodname_GHAS %}", depending on your license type, click **Enable**.{% ifversion fpt or ghec %} -1. Check that dependency graph is enabled for the repository. - * For public repositories, dependency graph is always enabled.{% elsif ghes %} +1. Click **{% data variables.product.UI_advanced_security %}**.{% ifversion fpt or ghec %} +1. To the right of {% data variables.product.prodname_code_security %}, click **Enable**. +1. Under {% data variables.product.prodname_code_security %}, check that dependency graph is enabled for the repository. {% elsif ghes %} 1. Check that dependency graph is configured for your enterprise.{% endif %} ## Managing {% data variables.product.prodname_dependabot_security_updates %} diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md index c65d043aa6..cd928cdf98 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md @@ -37,7 +37,7 @@ When you create a pull request containing changes to dependencies that targets t {% ifversion fpt or ghec %} {% data reusables.dependency-graph.feature-availability %} For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository). -Repository administrators can also set up the dependency graph for private repositories. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph). +{% data reusables.dependency-graph.feature-availability %} See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph). {% endif %} diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md index 3909d3012e..66cb634258 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md @@ -33,7 +33,7 @@ For more information, see [AUTOTITLE](/code-security/supply-chain-security/under ## Configuring the dependency graph -To generate a dependency graph, {% data variables.product.github %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private {% ifversion ghec %}and internal {% endif %}repositories, and public forks. For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository). +To generate a dependency graph, {% data variables.product.github %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph can be enabled or disabled for all repositories. For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository). {% data reusables.dependency-submission.dependency-submission-link %} diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md index 44c63f5099..39e2ae2893 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md @@ -24,7 +24,7 @@ This guide shows you how to add three very common customizations: failing builds This guide assumes that: -* Dependency graph is enabled for the repository.{% ifversion fpt or ghec %} Dependency graph is enabled by default for public repositories and you can choose to enable it for private{% ifversion ghec %} and internal{% endif %} repositories, and public forks.{% endif %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). +* Dependency graph is enabled for the repository. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph). * {% data variables.product.prodname_actions %} is enabled for the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository). ## Step 1: Adding the dependency review action diff --git a/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md b/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md index ae5f92e893..9dada939c9 100644 --- a/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md +++ b/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md @@ -25,7 +25,7 @@ shortTitle: Review dependency changes {% data reusables.dependency-review.feature-overview %} -{% ifversion ghec %}Before you can use dependency review in a private or internal repository, or a public fork, you must enable the dependency graph. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph).{% endif %} +{% ifversion ghec %}Before you can use dependency review, you must enable the dependency graph. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph).{% endif %} {% ifversion ghes %}Before you can use dependency review, you must enable the dependency graph and connect {% data variables.location.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).{% endif %} diff --git a/data/reusables/dependabot/enabling-disabling-dependency-graph-private-repo-public-fork.md b/data/reusables/dependabot/enabling-disabling-dependency-graph-private-repo-public-fork.md index e778cfb117..d21724a7f4 100644 --- a/data/reusables/dependabot/enabling-disabling-dependency-graph-private-repo-public-fork.md +++ b/data/reusables/dependabot/enabling-disabling-dependency-graph-private-repo-public-fork.md @@ -1,6 +1,4 @@ -Repository administrators can enable or disable the dependency graph for private {% ifversion ghec %}or internal{% endif %} repositories, or public forks. - -You can enable or disable the dependency graph for all repositories owned by your user account. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-security-and-analysis-settings-for-your-personal-account). +Repository administrators can enable or disable the dependency graph for all repositories owned by your user account, regardless of their visibility. See [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-security-and-analysis-settings-for-your-personal-account). You can also enable the dependency graph for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization).{% else %}[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization).{% endif %} diff --git a/data/reusables/dependency-graph/feature-availability.md b/data/reusables/dependency-graph/feature-availability.md index e1088b9147..a24e660ae5 100644 --- a/data/reusables/dependency-graph/feature-availability.md +++ b/data/reusables/dependency-graph/feature-availability.md @@ -1 +1 @@ -The dependency graph is automatically generated for all public repositories. You can choose to enable it for forks and for private repositories. +Repository administrators can enable or disable the dependency graph for repositories.