
Improve and amend information about malware in Dependabot (#48626)

Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
This commit is contained in:
mc
2024-01-18 11:48:29 +00:00
committed by GitHub
parent bffcfd95b5
commit 51f8256e8f
14 changed files with 65 additions and 29 deletions


@@ -0,0 +1 @@
{% data variables.product.company_short %}-reviewed advisories are security vulnerabilities that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they have a full description, and contain both ecosystem and package information.
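Review bot: grammatical number drifts in the second sentence of this hunk ("each advisory ... ensure that they have"); suggest "We carefully review each advisory for validity and ensure that it has a full description and contains both ecosystem and package information." Also consider "advisories for security vulnerabilities" rather than "advisories are security vulnerabilities", since the same wording pattern recurs in the unreviewed-advisories reusable and the advisory is the record, not the vulnerability.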


@@ -0,0 +1 @@
Malware advisories relate to vulnerabilities caused by malware, and are security advisories that {% data variables.product.prodname_dotcom %} publishes automatically into the {% data variables.product.prodname_advisory_database %}, directly from information provided by the npm security team. Malware advisories are exclusive to the npm ecosystem. {% data variables.product.prodname_dotcom %} doesn't edit or accept community contributions on these advisories.
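Review bot: "vulnerabilities caused by malware" conflates two categories; a malicious package is not a vulnerability in the package, so "relate to packages that contain malware" (or similar) would be more accurate and would align with the "malware" wording used in the Dependabot and dependency-review hunks of this commit. Since the reusable states that these advisories come directly from the npm security team and that {% data variables.product.prodname_dotcom %} neither edits them nor accepts community contributions, it should also tell the reader where corrections or disputes go, otherwise a user who finds a mistaken malware advisory has no documented path.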


@@ -0,0 +1 @@
Unreviewed advisories are security vulnerabilities that we publish automatically into the {% data variables.product.prodname_advisory_database %}, directly from the National Vulnerability Database feed.
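Review bot: this reusable mirrors the structure of the reviewed-advisories reusable but only names the source (the National Vulnerability Database feed); it should say what "unreviewed" means in practice, i.e. that these entries have not been through the validity, description, ecosystem and package review described for reviewed advisories, so readers understand why the two classes are treated differently. Same point as above on "advisories are security vulnerabilities": suggest "advisories for security vulnerabilities".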


@@ -0,0 +1,5 @@
{% ifversion GH-advisory-db-supports-malware %}
{% data variables.product.prodname_dependabot %} doesn't generate {% data variables.product.prodname_dependabot_alerts %} for malware. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#malware-advisories)."
{% endif %}
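Review bot: the `{% ifversion GH-advisory-db-supports-malware %}` guard wraps the entire reusable, so on versions without the feature flag it renders as an empty string; check that every include site tolerates an empty paragraph (no stray blank line or dangling "For more information" lead-in in the caller), or move the guard to the include site instead. The AUTOTITLE link targets the `#malware-advisories` anchor on the about-the-github-advisory-database page; confirm a heading that slugifies to exactly that exists in the same version set, otherwise the link resolves to the page top.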


@@ -1 +1 @@
Additionally, {% data variables.product.prodname_dotcom %} can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} before, rather than after, they reach your codebase. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)."
Additionally, {% data variables.product.prodname_dotcom %} can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)."
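Review bot: the version of this line carrying `{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}` now states that dependency review flags malware in pull requests, while the new Dependabot reusable in this same commit states that {% data variables.product.prodname_dependabot %} does not generate alerts for malware; the two are consistent only if the reader understands these are different features, so consider adding a clause here (or a cross-reference to the Dependabot reusable) making explicit that malware is surfaced at pull-request review time and not as a {% data variables.product.prodname_dependabot_alerts %} entry. The flag name matches the one used in the Dependabot reusable, and the leading space inside the conditional keeps the rendered sentence spacing correct when the flag is off.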