mirror of synced 2025-12-19 18:10:59 -05:00

Dependency graph can now be disabled for public repositories (#55632)

This commit is contained in:
Sophie
2025-05-20 09:33:49 +02:00
committed by GitHub
parent f7622a6d50
commit 2769c4bca2
8 changed files with 11 additions and 16 deletions

@@ -61,9 +61,7 @@ As {% data variables.product.prodname_dependabot_alerts %} rely on the dependenc
{% data reusables.repositories.enable-security-alerts %}
{% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %} detects vulnerable dependencies in _public_ repositories and displays the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %} for public repositories. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories.
You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).
{% ifversion fpt or ghec %}Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %} for their repositories. You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).
For information about access requirements for actions related to {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#access-requirements-for-security-features).
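
Review bot: The added paragraph beginning "Repository owners or people with admin access can enable" no longer states that the dependency graph must be enabled first, even though the hunk's context says the alerts rely on it. The removed text named this prerequisite for private repositories ("by enabling the dependency graph and ..."). Now that the graph can be disabled for public repositories too, consider keeping that clause and applying it to all repositories, so readers do not enable alerts on a repository with the graph switched off.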

@@ -75,15 +75,14 @@ For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alert
Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
Dependency review is a {% data variables.product.prodname_GH_code_security %} feature. {% ifversion fpt or ghec %}Dependency review is already enabled for all public repositories. Organizations that use {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_code_security %} can additionally enable dependency review for private and internal repositories.{% endif %}
Dependency review is a {% data variables.product.prodname_GH_code_security %} feature. {% ifversion fpt or ghec %}Dependency review is enabled for all repositories with the dependency graph enabled. Organizations that use {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_code_security %} can additionally enable dependency review for private and internal repositories.{% endif %}
To enable dependency review for a repository, ensure that the dependency graph is enabled and enable {% data variables.product.prodname_GH_code_security %}.
1. From the main page of your repository, click **{% octicon "gear" aria-hidden="true" %} Settings**.
1. Click **{% data variables.product.UI_advanced_security %}**.
1. To the right of "{% data variables.product.prodname_code_security %}" or "{% data variables.product.prodname_GHAS %}", depending on your license type, click **Enable**.{% ifversion fpt or ghec %}
1. Check that dependency graph is enabled for the repository.
* For public repositories, dependency graph is always enabled.{% elsif ghes %}
1. Click **{% data variables.product.UI_advanced_security %}**.{% ifversion fpt or ghec %}
1. To the right of {% data variables.product.prodname_code_security %}, click **Enable**.
1. Under {% data variables.product.prodname_code_security %}, check that dependency graph is enabled for the repository. {% elsif ghes %}
1. Check that dependency graph is configured for your enterprise.{% endif %}
## Managing {% data variables.product.prodname_dependabot_security_updates %}
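
Review bot: The rewritten sentence "Dependency review is enabled for all repositories with the dependency graph enabled" contradicts the sentence that follows it, which still says organizations "can additionally enable dependency review for private and internal repositories". If the first sentence is meant to cover public repositories only, say "all public repositories with the dependency graph enabled". In the new steps, the product name after "To the right of" has lost its quotation marks, and the "depending on your license type" wording was dropped. Please confirm that both changes are intended. There is also a stray space before `{% elsif ghes %}` on the last added step.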

@@ -37,7 +37,7 @@ When you create a pull request containing changes to dependencies that targets t
{% ifversion fpt or ghec %}
{% data reusables.dependency-graph.feature-availability %} For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository).
Repository administrators can also set up the dependency graph for private repositories. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph).
{% data reusables.dependency-graph.feature-availability %} See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph).
{% endif %}
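
Review bot: The added line uses a bare "See [AUTOTITLE]" while other lines added in this commit keep "For more information, see [AUTOTITLE]"; pick one form for consistency. This hunk also drops the link to managing-security-and-analysis-settings-for-your-repository. If that page is still where the setting is toggled, consider keeping it beside the new configuring-the-dependency-graph link.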

@@ -33,7 +33,7 @@ For more information, see [AUTOTITLE](/code-security/supply-chain-security/under
## Configuring the dependency graph
To generate a dependency graph, {% data variables.product.github %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private {% ifversion ghec %}and internal {% endif %}repositories, and public forks. For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository).
To generate a dependency graph, {% data variables.product.github %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph can be enabled or disabled for all repositories. For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository).
{% data reusables.dependency-submission.dependency-submission-link %}
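
Review bot: The new sentence "The dependency graph can be enabled or disabled for all repositories" no longer says what the default state is. The removed sentence said the graph was generated automatically for public repositories, so a reader of the new text cannot tell whether a public repository starts with it on or off. Consider adding a short clause that states the default for public repositories and for private or internal ones.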

@@ -24,7 +24,7 @@ This guide shows you how to add three very common customizations: failing builds
This guide assumes that:
* Dependency graph is enabled for the repository.{% ifversion fpt or ghec %} Dependency graph is enabled by default for public repositories and you can choose to enable it for private{% ifversion ghec %} and internal{% endif %} repositories, and public forks.{% endif %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
* Dependency graph is enabled for the repository. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph).
* {% data variables.product.prodname_actions %} is enabled for the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository).
## Step 1: Adding the dependency review action
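
Review bot: The link in the first bullet now targets `#enabling-and-disabling-the-dependency-graph` on configuring-the-dependency-graph, but this commit's hunk for that article changes only a paragraph and shows no heading rename. Please check that a heading with this anchor exists on the target page. Otherwise the link lands at the top of the article instead of on the section.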

@@ -25,7 +25,7 @@ shortTitle: Review dependency changes
{% data reusables.dependency-review.feature-overview %}
{% ifversion ghec %}Before you can use dependency review in a private or internal repository, or a public fork, you must enable the dependency graph. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph).{% endif %}
{% ifversion ghec %}Before you can use dependency review, you must enable the dependency graph. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph).{% endif %}
{% ifversion ghes %}Before you can use dependency review, you must enable the dependency graph and connect {% data variables.location.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).{% endif %}
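
Review bot: The rewritten prerequisite is still wrapped in `{% ifversion ghec %}`, so it is not rendered for `fpt` readers. The old wording limited the requirement to private or internal repositories and public forks. The new wording applies to every repository, and other hunks in this commit use `{% ifversion fpt or ghec %}` for the same statement. Consider widening the condition here to `fpt or ghec` so owners of public repositories also see that the graph must be enabled.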

@@ -1,6 +1,4 @@
Repository administrators can enable or disable the dependency graph for private {% ifversion ghec %}or internal{% endif %} repositories, or public forks.
You can enable or disable the dependency graph for all repositories owned by your user account. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-security-and-analysis-settings-for-your-personal-account).
Repository administrators can enable or disable the dependency graph for all repositories owned by your user account, regardless of their visibility. See [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-security-and-analysis-settings-for-your-personal-account).
You can also enable the dependency graph for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization).{% else %}[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization).{% endif %}
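
Review bot: The merged sentence mixes two subjects: "Repository administrators can enable or disable the dependency graph for all repositories owned by your user account". The removed text had one sentence about repository administrators acting on a repository and another about "you" acting on all repositories owned by your account, with the link pointing to personal account settings. Suggest keeping two sentences: one saying repository administrators can enable or disable the graph for a repository regardless of visibility, and one saying you can do so for all repositories owned by your user account.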

@@ -1 +1 @@
The dependency graph is automatically generated for all public repositories. You can choose to enable it for forks and for private repositories.
Repository administrators can enable or disable the dependency graph for repositories.
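
Review bot: The trailing "for repositories" in the replacement sentence is vague and adds nothing. The removed text distinguished public repositories from forks and private repositories, so the new sentence should make explicit that visibility no longer matters. The wording used elsewhere in this commit would work, for example "for a repository, regardless of its visibility".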