Merge branch 'main' into patch-2
This commit is contained in:
Ramya Parimi
@@ -6,7 +6,7 @@ Read our [Code of Conduct](./CODE_OF_CONDUCT.md) to keep our community approacha
|
||||
|
||||
In this guide you will get an overview of the contribution workflow from opening an issue, creating a PR, reviewing, and merging the PR.
|
||||
|
||||
Use the table of contents icon <img src="./assets/images/table-of-contents.png" width="25" height="25" /> on the top left corner of the this document to get to a specific section of this guide quickly.
|
||||
Use the table of contents icon <img src="./assets/images/table-of-contents.png" width="25" height="25" /> on the top left corner of this document to get to a specific section of this guide quickly.
|
||||
|
||||
## New contributor guide
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ This repository contains the documentation website code and Markdown source file
|
||||
|
||||
GitHub's Docs team works on pre-production content in a private repo that regularly syncs with this public repo.
|
||||
|
||||
Use the table of contents icon <img src="./assets/images/table-of-contents.png" width="25" height="25" /> on the top left corner of the this document to get to a specific section of this guide quickly.
|
||||
Use the table of contents icon <img src="./assets/images/table-of-contents.png" width="25" height="25" /> on the top left corner of this document to get to a specific section of this guide quickly.
|
||||
|
||||
## Contributing
|
||||
|
||||
@@ -60,4 +60,4 @@ When using the GitHub logos, be sure to follow the [GitHub logo guidelines](http
|
||||
|
||||
## Thanks :purple_heart:
|
||||
|
||||
Thanks for all your contributions and efforts towards improving the GitHub documentation. We thank you being part of our ✨ community ✨ !
|
||||
Thanks for all your contributions and efforts towards improving the GitHub documentation. We thank you being part of our :sparkles: community :sparkles: !
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 28 KiB After Width: | Height: | Size: 160 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 18 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
@@ -134,8 +134,8 @@ Email notifications from {% data variables.product.product_name %} contain the f
|
||||
| --- | --- |
|
||||
| `From` address | This address will always be {% ifversion fpt %}'`notifications@github.com`'{% else %}'the no-reply email address configured by your site administrator'{% endif %}. |
|
||||
| `To` field | This field connects directly to the thread.{% ifversion not ghae %} If you reply to the email, you'll add a new comment to the conversation.{% endif %} |
|
||||
| `Cc` address | {% data variables.product.product_name %} will `Cc` you if you're subscribed to a conversation. The second `Cc` email address matches the notification reason. The suffix for these notification reasons is {% data variables.notifications.cc_address %}. The possible notification reasons are: <ul><li>`assign`: You were assigned to an issue or pull request.</li><li>`author`: You created an issue or pull request.</li><li>`ci_activity`: A {% data variables.product.prodname_actions %} workflow run that you triggered was completed.</li><li>`comment`: You commented on an issue or pull request.</li><li>`manual`: There was an update to an issue or pull request you manually subscribed to.</li><li>`mention`: You were mentioned on an issue or pull request.</li><li>`push`: Someone committed to a pull request you're subscribed to.</li><li>`review_requested`: You or a team you're a member of was requested to review a pull request.</li>{% ifversion not ghae %}<li>`security_alert`: {% data variables.product.prodname_dotcom %} detected a vulnerability in a repository you receive alerts for.</li>{% endif %}<li>`state_change`: An issue or pull request you're subscribed to was either closed or opened.</li><li>`subscribed`: There was an update in a repository you're watching.</li><li>`team_mention`: A team you belong to was mentioned on an issue or pull request.</li><li>`your_activity`: You opened, commented on, or closed an issue or pull request.</li></ul> |
|
||||
| `mailing list` field | This field identifies the name of the repository and its owner. The format of this address is always `<repository name>.<repository owner>.{% data variables.command_line.backticks %}`. |{% ifversion fpt or ghes %}
|
||||
| `Cc` address | {% data variables.product.product_name %} will `Cc` you if you're subscribed to a conversation. The second `Cc` email address matches the notification reason. The suffix for these notification reasons is {% data variables.notifications.cc_address %}. The possible notification reasons are: <ul><li>`assign`: You were assigned to an issue or pull request.</li><li>`author`: You created an issue or pull request.</li><li>`ci_activity`: A {% data variables.product.prodname_actions %} workflow run that you triggered was completed.</li><li>`comment`: You commented on an issue or pull request.</li><li>`manual`: There was an update to an issue or pull request you manually subscribed to.</li><li>`mention`: You were mentioned on an issue or pull request.</li><li>`push`: Someone committed to a pull request you're subscribed to.</li><li>`review_requested`: You or a team you're a member of was requested to review a pull request.</li>{% ifversion fpt or ghes or ghae-issue-4864 %}<li>`security_alert`: {% data variables.product.prodname_dotcom %} detected a vulnerability in a repository you receive alerts for.</li>{% endif %}<li>`state_change`: An issue or pull request you're subscribed to was either closed or opened.</li><li>`subscribed`: There was an update in a repository you're watching.</li><li>`team_mention`: A team you belong to was mentioned on an issue or pull request.</li><li>`your_activity`: You opened, commented on, or closed an issue or pull request.</li></ul> |
|
||||
| `mailing list` field | This field identifies the name of the repository and its owner. The format of this address is always `<repository name>.<repository owner>.{% data variables.command_line.backticks %}`. |{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
| `X-GitHub-Severity` field | {% data reusables.repositories.security-alerts-x-github-severity %} The possible severity levels are:<ul><li>`low`</li><li>`moderate`</li><li>`high`</li><li>`critical`</li></ul>For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." |{% endif %}
|
||||
|
||||
## Choosing your notification settings
|
||||
@@ -144,7 +144,7 @@ Email notifications from {% data variables.product.product_name %} contain the f
|
||||
{% data reusables.notifications-v2.manage-notifications %}
|
||||
3. On the notifications settings page, choose how you receive notifications when:
|
||||
- There are updates in repositories or team discussions you're watching or in a conversation you're participating in. For more information, see "[About participating and watching notifications](#about-participating-and-watching-notifications)."
|
||||
- You gain access to a new repository or you've joined a new team. For more information, see "[Automatic watching](#automatic-watching)."{% ifversion fpt or ghes %}
|
||||
- You gain access to a new repository or you've joined a new team. For more information, see "[Automatic watching](#automatic-watching)."{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
- There are new {% data variables.product.prodname_dependabot_alerts %} in your repository. For more information, see "[{% data variables.product.prodname_dependabot_alerts %} notification options](#dependabot-alerts-notification-options)." {% endif %} {% ifversion fpt %}
|
||||
- There are workflow runs updates on repositories set up with {% data variables.product.prodname_actions %}. For more information, see "[{% data variables.product.prodname_actions %} notification options](#github-actions-notification-options)."{% endif %}
|
||||
|
||||
@@ -161,14 +161,14 @@ If "Automatically watch repositories" is disabled, then you will not automatical
|
||||
You can choose whether to watch or unwatch an individual repository. You can also choose to only be notified of {% ifversion fpt or ghes > 3.0 or ghae-next %}certain event types such as {% data reusables.notifications-v2.custom-notification-types %} (if enabled for the repository) {% else %}new releases{% endif %}, or completely ignore an individual repository.
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
2. In the upper-right corner, click the "Watch" drop-down menu to select a watch option.
|
||||
{% ifversion fpt or ghes > 3.0 or ghae-next %}
|
||||
2. In the upper-right corner, select the "Watch" drop-down menu to click a watch option.
|
||||
{% ifversion fpt or ghes > 3.0 or ghae-issue-4910 %}
|
||||
|
||||
|
||||
The **Custom** option allows you to further customize notifications so that you're only notified when specific events happen in the repository, in addition to participating and @mentions.
|
||||
{% else %}
|
||||
{% endif %}
|
||||
{% ifversion fpt or ghes > 3.0 or ghae-next %}
|
||||
{% ifversion fpt or ghes > 3.0 or ghae-issue-4910 %}
|
||||
|
||||
If you select "Issues", you will be notified about, and subscribed to, updates on every issue (including those that existed prior to you selecting this option) in the repository. If you're @mentioned in a pull request in this repository, you'll receive notifications for that too, and you'll be subscribed to updates on that specific pull request, in addition to being notified about issues.
|
||||
{% endif %}
|
||||
@@ -198,12 +198,8 @@ If you are a member of more than one organization, you can configure each one to
|
||||
5. Select one of your verified email addresses, then click **Save**.
|
||||
|
||||
|
||||
{% ifversion not ghae %}
|
||||
{% ifversion fpt or ghes %}
|
||||
{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
## {% data variables.product.prodname_dependabot_alerts %} notification options
|
||||
{% else %}
|
||||
## Security alert notification options
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.notifications.vulnerable-dependency-notification-enable %}
|
||||
{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization2 %}
|
||||
|
||||
@@ -114,14 +114,14 @@ To filter notifications for specific activity on {% data variables.product.produ
|
||||
- `is:gist`
|
||||
- `is:issue-or-pull-request`
|
||||
- `is:release`
|
||||
- `is:repository-invitation`{% ifversion not ghae %}
|
||||
- `is:repository-vulnerability-alert`
|
||||
- `is:repository-invitation`{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
- `is:repository-vulnerability-alert`{% endif %}{% ifversion fpt %}
|
||||
- `is:repository-advisory`{% endif %}
|
||||
- `is:team-discussion`{% ifversion fpt %}
|
||||
- `is:discussion`{% endif %}
|
||||
|
||||
{% ifversion not ghae %}
|
||||
For information about reducing noise from notifications for {% ifversion fpt or ghes %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."
|
||||
{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
For information about reducing noise from notifications for {% data variables.product.prodname_dependabot_alerts %}, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."
|
||||
{% endif %}
|
||||
|
||||
You can also use the `is:` query to describe how the notification was triaged.
|
||||
@@ -144,7 +144,7 @@ To filter notifications by why you've received an update, you can use the `reaso
|
||||
| `reason:invitation` | When you're invited to a team, organization, or repository.
|
||||
| `reason:manual` | When you click **Subscribe** on an issue or pull request you weren't already subscribed to.
|
||||
| `reason:mention` | You were directly @mentioned.
|
||||
| `reason:review-requested` | You or a team you're on have been requested to review a pull request.{% ifversion not ghae %}
|
||||
| `reason:review-requested` | You or a team you're on have been requested to review a pull request.{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
| `reason:security-alert` | When a security alert is issued for a repository.{% endif %}
|
||||
| `reason:state-change` | When the state of a pull request or issue is changed. For example, an issue is closed or a pull request is merged.
|
||||
| `reason:team-mention` | When a team you're a member of is @mentioned.
|
||||
@@ -163,7 +163,7 @@ For example, to see notifications from the octo-org organization, use `org:octo-
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes %}
|
||||
{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
## {% data variables.product.prodname_dependabot %} custom filters
|
||||
|
||||
{% ifversion fpt %}
|
||||
@@ -175,8 +175,11 @@ If you use {% data variables.product.prodname_dependabot %} to keep your depende
|
||||
For more information about {% data variables.product.prodname_dependabot %}, see "[About managing vulnerable dependencies](/github/managing-security-vulnerabilities/about-managing-vulnerable-dependencies)."
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes %}
|
||||
If you use {% data variables.product.prodname_dependabot %} to keep your dependencies-up-to-date, you can use and save the `is:repository_vulnerability_alert` custom filter to show notifications for {% data variables.product.prodname_dependabot_alerts %}.
|
||||
{% ifversion ghes or ghae-issue-4864 %}
|
||||
|
||||
If you use {% data variables.product.prodname_dependabot %} to keep your dependencies-up-to-date, you can use and save these custom filters to show notifications for {% data variables.product.prodname_dependabot_alerts %}:
|
||||
- `is:repository_vulnerability_alert`
|
||||
- `reason:security_alert`
|
||||
|
||||
For more information about {% data variables.product.prodname_dependabot %}, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
|
||||
{% endif %}
|
||||
|
||||
@@ -43,8 +43,8 @@ The repository owner has full control of the repository. In addition to the acti
|
||||
| Delete and restore packages | "[Deleting and restoring a package](/packages/learn-github-packages/deleting-and-restoring-a-package)" |{% endif %}{% ifversion ghes = 2.22 or ghes = 3.0 or ghae %}
|
||||
| Delete packages | "[Deleting packages](/packages/learn-github-packages/deleting-a-package)" |{% endif %}
|
||||
| Customize the repository's social media preview | "[Customizing your repository's social media preview](/github/administering-a-repository/customizing-your-repositorys-social-media-preview)" |
|
||||
| Create a template from the repository | "[Creating a template repository](/github/creating-cloning-and-archiving-repositories/creating-a-template-repository)" |{% ifversion fpt or ghes %}
|
||||
| Receive {% ifversion fpt or ghes %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} for vulnerable dependencies | "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" |{% endif %}{% ifversion fpt %}
|
||||
| Create a template from the repository | "[Creating a template repository](/github/creating-cloning-and-archiving-repositories/creating-a-template-repository)" |{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
| Control access to {% data variables.product.prodname_dependabot_alerts %} alerts for vulnerable dependencies | "[Managing security and analysis settings for your repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)" |{% endif %}{% ifversion fpt %}
|
||||
| Dismiss {% data variables.product.prodname_dependabot_alerts %} in the repository | "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)" |
|
||||
| Manage data use for a private repository | "[Managing data use settings for your private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository)"|{% endif %}
|
||||
| Define code owners for the repository | "[About code owners](/github/creating-cloning-and-archiving-repositories/about-code-owners)" |
|
||||
|
||||
@@ -67,7 +67,9 @@ Before creating your {% data variables.product.prodname_actions %} workflow, you
|
||||
|
||||
See the documentation for each action used below for the recommended IAM policies for the IAM user, and methods for handling the access key credentials.
|
||||
|
||||
{% ifversion fpt or ghes > 3.0 or ghae %}
|
||||
5. Optionally, configure a deployment environment. {% data reusables.actions.about-environments %}
|
||||
{% endif %}
|
||||
|
||||
## Creating the workflow
|
||||
|
||||
|
||||
@@ -69,7 +69,9 @@ Before creating your {% data variables.product.prodname_actions %} workflow, you
|
||||
|
||||
4. For Linux apps, add an app setting called `WEBSITE_WEBDEPLOY_USE_SCM` and set it to true in your app. For more information, see "[Configure apps in the portal](https://docs.microsoft.com/en-us/azure/app-service/configure-common#configure-app-settings)" in the Azure documentation.
|
||||
|
||||
{% ifversion fpt or ghes > 3.0 or ghae %}
|
||||
5. Optionally, configure a deployment environment. {% data reusables.actions.about-environments %}
|
||||
{% endif %}
|
||||
|
||||
## Creating the workflow
|
||||
|
||||
|
||||
@@ -105,9 +105,11 @@ Store the name of your project as a secret named `GKE_PROJECT`. For more informa
|
||||
### (Optional) Configuring kustomize
|
||||
Kustomize is an optional tool used for managing YAML specs. After creating a _kustomization_ file, the workflow below can be used to dynamically set fields of the image and pipe in the result to `kubectl`. For more information, see [kustomize usage](https://github.com/kubernetes-sigs/kustomize#usage).
|
||||
|
||||
{% ifversion fpt or ghes > 3.0 or ghae %}
|
||||
### (Optional) Configure a deployment environment
|
||||
|
||||
{% data reusables.actions.about-environments %}
|
||||
{% endif %}
|
||||
|
||||
## Creating the workflow
|
||||
|
||||
|
||||
@@ -358,7 +358,7 @@ jobs:
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
{% data variables.product.prodname_actions %} caching is only applicable to {% data variables.product.prodname_dotcom %}-hosted runners. For more information, see "<a href="/actions/guides/caching-dependencies-to-speed-up-workflows" class="dotcom-only">Caching dependencies to speed up workflows</a>."
|
||||
{% data variables.product.prodname_actions %} caching is only applicable for repositories hosted on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "<a href="/actions/guides/caching-dependencies-to-speed-up-workflows" class="dotcom-only">Caching dependencies to speed up workflows</a>."
|
||||
|
||||
## Artifacts
|
||||
|
||||
|
||||
@@ -334,7 +334,7 @@ cache: npm
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
{% data variables.product.prodname_actions %} caching is only applicable to {% data variables.product.prodname_dotcom %}-hosted runners. For more information, see "<a href="/actions/guides/caching-dependencies-to-speed-up-workflows" class="dotcom-only">Caching dependencies to speed up workflows</a>."
|
||||
{% data variables.product.prodname_actions %} caching is only applicable for repositories hosted on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "<a href="/actions/guides/caching-dependencies-to-speed-up-workflows" class="dotcom-only">Caching dependencies to speed up workflows</a>."
|
||||
|
||||
## Examples of common tasks
|
||||
|
||||
|
||||
@@ -33,7 +33,7 @@ When you enable {% data variables.product.prodname_GH_advanced_security %} for y
|
||||
|
||||
- {% data variables.product.prodname_code_scanning_capc %}, see "[Configuring {% data variables.product.prodname_code_scanning %} for your appliance](/admin/advanced-security/configuring-code-scanning-for-your-appliance#prerequisites-for-code-scanning)."
|
||||
- {% data variables.product.prodname_secret_scanning_caps %}, see "[Configuring {% data variables.product.prodname_secret_scanning %} for your appliance](/admin/advanced-security/configuring-secret-scanning-for-your-appliance#prerequisites-for-secret-scanning)."{% endif %}
|
||||
- {% data variables.product.prodname_dependabot %}, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."
|
||||
- {% data variables.product.prodname_dependabot %}, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."
|
||||
|
||||
## Checking whether your license includes {% data variables.product.prodname_GH_advanced_security %}
|
||||
|
||||
|
||||
@@ -1,100 +0,0 @@
|
||||
---
|
||||
title: Enabling alerts for vulnerable dependencies on GitHub Enterprise Server
|
||||
intro: 'You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} and enable the dependency graph and {% ifversion ghes %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts in repositories in your instance.'
|
||||
shortTitle: Enable alerts for dependencies
|
||||
miniTocMaxHeadingLevel: 3
|
||||
redirect_from:
|
||||
- /enterprise/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /enterprise/admin/configuration/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /enterprise/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable the dependency graph and {% data variables.product.prodname_dependabot %} alerts on {% data variables.product.prodname_ghe_server %}.'
|
||||
versions:
|
||||
ghes: '*'
|
||||
type: how_to
|
||||
topics:
|
||||
- Enterprise
|
||||
- Security
|
||||
- Dependency graph
|
||||
- Dependabot
|
||||
---
|
||||
## About alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}
|
||||
|
||||
To identify vulnerable dependencies in your repository and receive alerts about vulnerabilities, you need to enable two security features:
|
||||
- The dependency graph
|
||||
- {% data variables.product.prodname_dependabot %} alerts
|
||||
|
||||
For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)" and "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
|
||||
|
||||
{% data reusables.repositories.tracks-vulnerabilities %}
|
||||
|
||||
You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, then sync vulnerability data to your instance and generate {% data variables.product.prodname_dependabot_alerts %} in repositories with a vulnerable dependency.
|
||||
|
||||
After connecting {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %} and enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies, vulnerability data is synced from {% data variables.product.prodname_dotcom_the_website %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}.
|
||||
|
||||
When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate {% data variables.product.prodname_dependabot_alerts %}. You can customize how you receive {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-dependabot-alerts)."
|
||||
|
||||
Before enabling the dependency graph and {% ifversion ghes > 2.21 %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}, you must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting your enterprise account to {% data variables.product.prodname_ghe_cloud %}](/admin/configuration/managing-connections-between-your-enterprise-accounts/connecting-your-enterprise-account-to-github-enterprise-cloud)."
|
||||
|
||||
## Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on GitHub Enterprise Server
|
||||
|
||||
For {% data variables.product.product_location %} to generate {% data variables.product.prodname_dependabot_alerts %} whenever vulnerabilities are detected on your repositories:
|
||||
- You must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
|
||||
- You must enable the dependency graph.
|
||||
|
||||
{% ifversion ghes > 3.1 %}
|
||||
You can enable the dependency graph via the {% data variables.enterprise.management_console %} or the administrative shell. We recommend you follow the {% data variables.enterprise.management_console %} route unless {% data variables.product.product_location %} uses clustering.
|
||||
|
||||
### Enabling the dependency graph via the {% data variables.enterprise.management_console %}
|
||||
{% endif %}{% ifversion ghes > 3.1 %}
|
||||
{% data reusables.enterprise_site_admin_settings.sign-in %}
|
||||
{% data reusables.enterprise_site_admin_settings.access-settings %}
|
||||
{% data reusables.enterprise_site_admin_settings.management-console %}
|
||||
{% data reusables.enterprise_management_console.advanced-security-tab %}
|
||||
1. Under "Security," click **Dependency graph**.
|
||||
|
||||
{% data reusables.enterprise_management_console.save-settings %}
|
||||
1. Click **Visit your instance**.
|
||||
|
||||
### Enabling the dependency graph via the administrative shell
|
||||
{% else %}
|
||||
### Enabling the dependency graph
|
||||
{% endif %}
|
||||
{% data reusables.enterprise_site_admin_settings.sign-in %}
|
||||
1. In the administrative shell, enable the dependency graph on {% data variables.product.product_location %}:
|
||||
``` shell
|
||||
$ {% ifversion ghes > 3.1 %}ghe-config app.dependency-graph.enabled true{% else %}ghe-config app.github.dependency-graph-enabled true{% endif %}
|
||||
```
|
||||
{% note %}
|
||||
|
||||
**Note**: For more information about enabling access to the administrative shell via SSH, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/configuration/accessing-the-administrative-shell-ssh)."
|
||||
|
||||
{% endnote %}
|
||||
1. Apply the configuration.
|
||||
```shell
|
||||
$ ghe-config-apply
|
||||
```
|
||||
1. Return to {% data variables.product.prodname_ghe_server %}.
|
||||
|
||||
### Enabling {% data variables.product.prodname_dependabot_alerts %}
|
||||
|
||||
Before enabling {% data variables.product.prodname_dependabot_alerts %} for your instance, you need to enable the dependency graph. For more information, see above.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}{% ifversion ghes < 3.1 %}{% data reusables.enterprise-accounts.settings-tab %}{% endif %}{% data reusables.enterprise-accounts.github-connect-tab %}
|
||||
1. Under "Repositories can be scanned for vulnerabilities", use the drop-down menu and select **Enabled without notifications**. Optionally, to enable alerts with notifications, select **Enabled with notifications**.
|
||||
|
||||
{% note %}
|
||||
|
||||
We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.
|
||||
|
||||
{% endnote %}
|
||||
## Viewing vulnerable dependencies on {% data variables.product.prodname_ghe_server %}
|
||||
|
||||
You can view all vulnerabilities in {% data variables.product.product_location %} and manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list.
|
||||
|
||||
{% data reusables.enterprise_site_admin_settings.access-settings %}
|
||||
2. In the left sidebar, click **Vulnerabilities**.
|
||||
|
||||
3. To sync vulnerability data, click **Sync Vulnerabilities now**.
|
||||
|
||||
@@ -0,0 +1,114 @@
|
||||
---
|
||||
title: Enabling the dependency graph and Dependabot alerts on your enterprise account
|
||||
intro: 'You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} and enable the dependency graph and {% data variables.product.prodname_dependabot %} alerts in repositories in your instance.'
|
||||
shortTitle: Enable dependency analysis
|
||||
redirect_from:
|
||||
- /enterprise/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /enterprise/admin/configuration/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /enterprise/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
permissions: 'Enterprise owners who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable the dependency graph and {% data variables.product.prodname_dependabot %} alerts on {% data variables.product.product_location %}.'
|
||||
versions:
|
||||
ghes: '*'
|
||||
ghae: "issue-4864"
|
||||
type: how_to
|
||||
topics:
|
||||
- Enterprise
|
||||
- Security
|
||||
- Dependency graph
|
||||
- Dependabot
|
||||
---
|
||||
## About alerts for vulnerable dependencies on {% data variables.product.product_location %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-alerts-beta %}
|
||||
|
||||
{% data variables.product.prodname_dotcom %} identifies vulnerable dependencies in repositories and creates {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.product_location %}, using:
|
||||
|
||||
- Data from the {% data variables.product.prodname_advisory_database %}
|
||||
- The dependency graph service
|
||||
|
||||
For more information about these features, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)" and "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
|
||||
|
||||
### About synchronization of data from the {% data variables.product.prodname_advisory_database %}
|
||||
|
||||
{% data reusables.repositories.tracks-vulnerabilities %}
|
||||
|
||||
You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %} with {% data variables.product.prodname_github_connect %}. Once connected, vulnerability data is synced from the {% data variables.product.prodname_advisory_database %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}.
|
||||
|
||||
### About generation of {% data variables.product.prodname_dependabot_alerts %}
|
||||
|
||||
If you enable vulnerability detection, when {% data variables.product.product_location %} receives information about a vulnerability, it identifies repositories in your instance that use the affected version of the dependency and generates {% data variables.product.prodname_dependabot_alerts %}. You can choose whether or not to notify users automatically about new {% data variables.product.prodname_dependabot_alerts %}.
|
||||
|
||||
## Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.product_location %}
|
||||
|
||||
### Prerequisites
|
||||
|
||||
For {% data variables.product.product_location %} to detect vulnerable dependencies and generate {% data variables.product.prodname_dependabot_alerts %}:
|
||||
- You must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. {% ifversion ghae %}This also enables the dependency graph service. {% endif %}{% ifversion ghes or ghae-next %}For more information, see "[Connecting your enterprise account to {% data variables.product.prodname_ghe_cloud %}](/admin/configuration/managing-connections-between-your-enterprise-accounts/connecting-your-enterprise-account-to-github-enterprise-cloud)."{% endif %}
|
||||
{% ifversion ghes %}- You must enable the dependency graph service.{% endif %}
|
||||
- You must enable vulnerability scanning.
|
||||
|
||||
{% ifversion ghes %}
|
||||
{% ifversion ghes > 3.1 %}
|
||||
You can enable the dependency graph via the {% data variables.enterprise.management_console %} or the administrative shell. We recommend you follow the {% data variables.enterprise.management_console %} route unless {% data variables.product.product_location %} uses clustering.
|
||||
|
||||
### Enabling the dependency graph via the {% data variables.enterprise.management_console %}
|
||||
{% data reusables.enterprise_site_admin_settings.sign-in %}
|
||||
{% data reusables.enterprise_site_admin_settings.access-settings %}
|
||||
{% data reusables.enterprise_site_admin_settings.management-console %}
|
||||
{% data reusables.enterprise_management_console.advanced-security-tab %}
|
||||
1. Under "Security," click **Dependency graph**.
|
||||
|
||||
{% data reusables.enterprise_management_console.save-settings %}
|
||||
1. Click **Visit your instance**.
|
||||
|
||||
### Enabling the dependency graph via the administrative shell
|
||||
{% endif %}{% ifversion ghes < 3.2 %}
|
||||
### Enabling the dependency graph
|
||||
{% endif %}
|
||||
{% data reusables.enterprise_site_admin_settings.sign-in %}
|
||||
1. In the administrative shell, enable the dependency graph on {% data variables.product.product_location %}:
|
||||
``` shell
|
||||
$ {% ifversion ghes > 3.1 %}ghe-config app.dependency-graph.enabled true{% else %}ghe-config app.github.dependency-graph-enabled true{% endif %}
|
||||
```
|
||||
{% note %}
|
||||
|
||||
**Note**: For more information about enabling access to the administrative shell via SSH, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/configuration/accessing-the-administrative-shell-ssh)."
|
||||
|
||||
{% endnote %}
|
||||
1. Apply the configuration.
|
||||
```shell
|
||||
$ ghe-config-apply
|
||||
```
|
||||
1. Return to {% data variables.product.prodname_ghe_server %}.
|
||||
{% endif %}
|
||||
|
||||
### Enabling {% data variables.product.prodname_dependabot_alerts %}
|
||||
|
||||
{% ifversion ghes %}
|
||||
Before enabling {% data variables.product.prodname_dependabot_alerts %} for your instance, you need to enable the dependency graph. For more information, see above.
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{%- ifversion ghes < 3.1 %}{% data reusables.enterprise-accounts.settings-tab %}{% endif %}
|
||||
{% data reusables.enterprise-accounts.github-connect-tab %}
|
||||
1. Under "Repositories can be scanned for vulnerabilities", select the drop-down menu and click **Enabled without notifications**. Optionally, to enable alerts with notifications, click **Enabled with notifications**.
|
||||
|
||||
|
||||
{% tip %}
|
||||
|
||||
**Tip**: We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
## Viewing vulnerable dependencies on {% data variables.product.product_location %}
|
||||
|
||||
You can view all vulnerabilities in {% data variables.product.product_location %} and manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list.
|
||||
|
||||
{% data reusables.enterprise_site_admin_settings.access-settings %}
|
||||
2. In the left sidebar, click **Vulnerabilities**.
|
||||
|
||||
3. To sync vulnerability data, click **Sync Vulnerabilities now**.
|
||||
|
||||
@@ -18,7 +18,7 @@ children:
|
||||
- /connecting-your-enterprise-account-to-github-enterprise-cloud
|
||||
- /enabling-unified-search-between-your-enterprise-account-and-githubcom
|
||||
- /enabling-unified-contributions-between-your-enterprise-account-and-githubcom
|
||||
- /enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
|
||||
- /enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account
|
||||
- /enabling-automatic-user-license-sync-between-github-enterprise-server-and-github-enterprise-cloud
|
||||
shortTitle: Connect enterprise accounts
|
||||
---
|
||||
|
||||
@@ -8,6 +8,7 @@ versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: '*'
|
||||
miniTocMaxHeadingLevel: 3
|
||||
redirect_from:
|
||||
- /github/managing-security-vulnerabilities/managing-alerts-from-automated-code-scanning
|
||||
- /github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning
|
||||
@@ -58,6 +59,25 @@ To calculate the security severity of an alert, we use Common Vulnerability Scor
|
||||
|
||||
By default, any code scanning results with a security severity of `Critical` or `High` will cause a check failure. You can specify which security severity level for code scanning results should cause a check failure. For more information, see "[Defining the severities causing pull request check failure](/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure)."{% endif %}
|
||||
|
||||
### About labels for alerts that are not found in application code
|
||||
|
||||
{% data variables.product.product_name %} assigns a category label to alerts that are not found in application code. The label relates to the location of the alert.
|
||||
|
||||
- **Generated**: Code generated by the build process
|
||||
- **Test**: Test code
|
||||
- **Library**: Library or third-party code
|
||||
- **Documentation**: Documentation
|
||||
|
||||
{% data variables.product.prodname_code_scanning_capc %} categorizes files by file path. You cannot manually categorize source files.
|
||||
|
||||
Here is an example from the {% data variables.product.prodname_code_scanning %} alert list of an alert marked as occuring in library code.
|
||||
|
||||
|
||||
|
||||
On the alert page, you can see that the filepath is marked as library code (`Library` label).
|
||||
|
||||
|
||||
|
||||
## Viewing the alerts for a repository
|
||||
|
||||
Anyone with read permission for a repository can see {% data variables.product.prodname_code_scanning %} annotations on pull requests. For more information, see "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."
|
||||
@@ -112,14 +132,7 @@ If you enter multiple filters, the view will show alerts matching _all_ these fi
|
||||
|
||||
### Restricting results to application code only
|
||||
|
||||
You can use the "Only alerts in application code" filter or `autofilter:true` keyword and value to restrict results to alerts in application code. Application code excludes the following.
|
||||
|
||||
- Code generated by the build process
|
||||
- Test code
|
||||
- Library or third-party code
|
||||
- Documentation
|
||||
|
||||
{% data variables.product.prodname_code_scanning_capc %} categorizes files by file path. At this time, you cannot manually categorize source files.
|
||||
You can use the "Only alerts in application code" filter or `autofilter:true` keyword and value to restrict results to alerts in application code. See "[About labels for alerts not in application code](#about-labels-for-alerts-that-are-not-found-in-application-code)" above for more information about the types of code that are not application code.
|
||||
|
||||
{% ifversion fpt or ghes > 3.1 %}
|
||||
|
||||
|
||||
@@ -19,9 +19,9 @@ topics:
|
||||
|
||||
The {% data variables.product.prodname_advisory_database %} contains a curated list of security vulnerabilities that you can view, search, and filter. {% data reusables.security-advisory.link-browsing-advisory-db %}
|
||||
|
||||
{% ifversion fpt or ghes > 2.22 %}
|
||||
{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 %}
|
||||
## Available for all repositories
|
||||
|
||||
{% endif %}
|
||||
{% ifversion fpt or ghes > 3.0 or ghae-next %}
|
||||
### Security policy
|
||||
|
||||
@@ -39,9 +39,11 @@ View alerts about dependencies that are known to contain security vulnerabilitie
|
||||
and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes > 2.22 %}
|
||||
{% ifversion ghes > 2.22 or ghae-issue-4864 %}
|
||||
### {% data variables.product.prodname_dependabot_alerts %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-alerts-beta %}
|
||||
|
||||
View alerts about dependencies that are known to contain security vulnerabilities, and manage these alerts. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
|
||||
{% endif %}
|
||||
|
||||
@@ -51,6 +53,7 @@ View alerts about dependencies that are known to contain security vulnerabilitie
|
||||
Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)."
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 %}
|
||||
### Dependency graph
|
||||
The dependency graph allows you to explore the ecosystems and packages that your repository depends on and the repositories and packages that depend on your repository.
|
||||
|
||||
@@ -75,7 +78,7 @@ Automatically detect security vulnerabilities and coding errors in new or modifi
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 3.1 %}
|
||||
{% ifversion fpt or ghes > 3.1 or ghae-issue-4864 %}
|
||||
### Dependency review
|
||||
|
||||
Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see "[About dependency review](/code-security/supply-chain-security/about-dependency-review)."
|
||||
|
||||
@@ -32,26 +32,32 @@ You can create a default security policy that will display in any of your organi
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 2.22 %}
|
||||
{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 %}
|
||||
## Managing {% data variables.product.prodname_dependabot_alerts %} and the dependency graph
|
||||
|
||||
By default, {% data variables.product.prodname_dotcom %} detects vulnerabilities in public repositories and generates {% data variables.product.prodname_dependabot_alerts %} and a dependency graph. You can enable or disable {% data variables.product.prodname_dependabot_alerts %} and the dependency graph for all repositories owned by your organization.
|
||||
{% ifversion fpt %}By default, {% data variables.product.prodname_dotcom %} detects vulnerabilities in public repositories and generates {% data variables.product.prodname_dependabot_alerts %} and a dependency graph. You can enable or disable {% data variables.product.prodname_dependabot_alerts %} and the dependency graph for all private repositories owned by your organization.
|
||||
|
||||
1. Click your profile photo, then click **Organizations**.
|
||||
2. Click **Settings** next to your organization.
|
||||
3. Click **Security & analysis**.
|
||||
4. Click **Enable all** or **Disable all** next to the feature that you want to manage.
|
||||
5. Optionally, select **Automatically enable for new repositories**.
|
||||
|
||||
For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)," "[Exploring the dependencies of a repository](/code-security/supply-chain-security/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)," and "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)."
|
||||
|
||||
5. Optionally, select **Automatically enable for new repositories**.
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 3.1 %}
|
||||
{% data reusables.dependabot.dependabot-alerts-beta %}
|
||||
{% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %}
|
||||
|
||||
For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)," "[Exploring the dependencies of a repository](/code-security/supply-chain-security/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)," and "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)."
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 3.1 or ghae-issue-4864 %}
|
||||
|
||||
## Managing dependency review
|
||||
|
||||
Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. Dependency review is available in all public repositories and in repositories owned by organizations with an {% data variables.product.prodname_advanced_security %} license that have the dependency graph enabled. For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."
|
||||
Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories.
|
||||
{% ifversion fpt %}Dependency review is available in all public repositories. For private and internal repositories you require a license for {% data variables.product.prodname_advanced_security %}. To enable dependency review for an organization, enable the dependency graph and enable {% data variables.product.prodname_advanced_security %}.
|
||||
{% elsif ghes or ghae %}Dependency review is available when dependency graph is enabled for {% data variables.product.product_location %} and you enable {% data variables.product.prodname_advanced_security %} for the organization (see below).{% endif %}
|
||||
For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
@@ -79,7 +85,11 @@ To enable {% data variables.product.prodname_dependabot_version_updates %}, you
|
||||
{% ifversion fpt or ghes > 2.22 or ghae %}
|
||||
## Managing {% data variables.product.prodname_GH_advanced_security %}
|
||||
|
||||
{% ifversion fpt or ghes > 2.22 %}
|
||||
If your organization has an {% data variables.product.prodname_advanced_security %} license, you can enable or disable {% data variables.product.prodname_advanced_security %} features.
|
||||
{% elsif ghae %}
|
||||
You can enable or disable {% data variables.product.prodname_advanced_security %} features.
|
||||
{% endif %}
|
||||
|
||||
1. Click your profile photo, then click **Organizations**.
|
||||
2. Click **Settings** next to your organization.
|
||||
|
||||
@@ -46,36 +46,47 @@ For more information, see "[Adding a security policy to your repository](/code-s
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 2.22 %}
|
||||
{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 %}
|
||||
## Managing the dependency graph
|
||||
|
||||
Once you have [enabled the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph), it is automatically generated for {% ifversion fpt or ghes > 2.22 %} all public repositories, and you can choose to enable it for private repositories.{% else %} all repositories.{% endif %}
|
||||
{% ifversion fpt %}
|
||||
Once you have [enabled the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph), it is automatically generated for all public repositories, and you can choose to enable it for private repositories.
|
||||
|
||||
1. From the main page of your repository, click **{% octicon "gear" aria-label="The Settings gear" %} Settings**.
|
||||
2. Click **Security & analysis**.
|
||||
3. Next to Dependency graph, click **Enable** or **Disable**.
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %}
|
||||
|
||||
For more information, see "[Exploring the dependencies of a repository](/code-security/supply-chain-security/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 2.22 %}
|
||||
{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 %}
|
||||
## Managing {% data variables.product.prodname_dependabot_alerts %}
|
||||
|
||||
By default, {% data variables.product.prodname_dotcom %} detects vulnerabilities in public repositories and generates {% data variables.product.prodname_dependabot_alerts %}. {% data variables.product.prodname_dependabot_alerts %} can also be enabled for private repositories.
|
||||
{% ifversion fpt %}By default, {% data variables.product.prodname_dotcom %} detects vulnerabilities in public repositories and generates {% data variables.product.prodname_dependabot_alerts %}. {% data variables.product.prodname_dependabot_alerts %} can also be enabled for private repositories.
|
||||
|
||||
1. Click your profile photo, then click **Settings**.
|
||||
2. Click **Security & analysis**.
|
||||
3. Click **Enable all** next to {% data variables.product.prodname_dependabot_alerts %}.
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-alerts-beta %}
|
||||
{% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %}
|
||||
|
||||
For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies){% ifversion fpt %}" and "[Managing security and analysis settings for your user account](/github/setting-up-and-managing-your-github-user-account/managing-security-and-analysis-settings-for-your-user-account){% endif %}."
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 3.1 %}
|
||||
{% ifversion fpt or ghes > 3.1 or ghae-issue-4864 %}
|
||||
## Managing dependency review
|
||||
|
||||
Dependency review lets you visualize dependency changes in pull requests before they are merged into your repository. Dependency review is available in all public repositories and in repositories owned by organizations with an {% data variables.product.prodname_advanced_security %} license that have the dependency graph enabled. For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."
|
||||
Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories.
|
||||
{%- ifversion fpt %}Dependency review is available in all public repositories. For private and internal repositories you require a license for {% data variables.product.prodname_advanced_security %}. To enable dependency review for a repository, enable the dependency graph and enable {% data variables.product.prodname_advanced_security %}.
|
||||
{%- elsif ghes or ghae %}Dependency review is available when dependency graph is enabled for {% data variables.product.product_location %} and you enable {% data variables.product.prodname_advanced_security %} for the repository (see below).{% endif %}
|
||||
For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@ redirect_from:
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
topics:
|
||||
- Dependabot
|
||||
- Dependencies
|
||||
|
||||
@@ -9,6 +9,7 @@ redirect_from:
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
type: overview
|
||||
topics:
|
||||
- Dependabot
|
||||
@@ -29,11 +30,13 @@ When your code depends on a package that has a security vulnerability, this vuln
|
||||
|
||||
## Detection of vulnerable dependencies
|
||||
|
||||
{% data reusables.dependabot.dependabot-alerts-beta %}
|
||||
|
||||
{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %} when:
|
||||
|
||||
{% ifversion fpt %}
|
||||
- A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)" and "[About {% data variables.product.prodname_security_advisories %}](/code-security/security-advisories/about-github-security-advisories)."{% else %}
|
||||
- New advisory data is synchronized to {% data variables.product.prodname_ghe_server %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
|
||||
- New advisory data is synchronized to {% data variables.product.product_location %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
|
||||
- The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on{% ifversion fpt %}, or when the code of one of the dependencies changes{% endif %}. For more information, see "[About the dependency graph](/code-security/supply-chain-security/about-the-dependency-graph)."
|
||||
|
||||
{% data reusables.repositories.dependency-review %}
|
||||
@@ -59,7 +62,7 @@ For information about permission requirements for actions related to {% data var
|
||||
{% data variables.product.product_name %} starts generating the dependency graph immediately and generates alerts for any vulnerable dependencies as soon as they are identified. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. For more information, see "[Managing data use settings for your private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository)."
|
||||
{% endif %}
|
||||
|
||||
When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/code-security/supply-chain-security/configuring-notifications-for-vulnerable-dependencies)."
|
||||
When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} may also notify the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/code-security/supply-chain-security/configuring-notifications-for-vulnerable-dependencies)."
|
||||
|
||||
{% ifversion fpt %}
|
||||
For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
|
||||
|
||||
@@ -1,12 +1,13 @@
|
||||
---
|
||||
title: About managing vulnerable dependencies
|
||||
intro: '{% data variables.product.prodname_dotcom %} helps you to avoid using third-party software that contains known vulnerabilities.'
|
||||
intro: '{% data variables.product.product_name %} helps you to avoid using third-party software that contains known vulnerabilities.'
|
||||
redirect_from:
|
||||
- /github/managing-security-vulnerabilities/about-managing-vulnerable-dependencies
|
||||
- /code-security/supply-chain-security/about-managing-vulnerable-dependencies
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.2'
|
||||
ghae: "issue-4864"
|
||||
type: overview
|
||||
topics:
|
||||
- Dependabot
|
||||
@@ -20,7 +21,7 @@ shortTitle: Vulnerable dependencies
|
||||
---
|
||||
<!--Marketing-LINK: From /features/security/software-supply-chain page "Managing vulnerabilities in your project’s dependencies ".-->
|
||||
|
||||
{% data variables.product.prodname_dotcom %} provides the following tools for removing and avoiding vulnerable dependencies.
|
||||
{% data variables.product.product_name %} provides the following tools for removing and avoiding vulnerable dependencies.
|
||||
|
||||
## Dependency graph
|
||||
The dependency graph is a summary of the manifest and lock files stored in a repository. It shows you the ecosystems and packages your codebase depends on (its dependencies) and the repositories and packages that depend on your project (its dependents). The information in the dependency graph is used by dependency review and {% data variables.product.prodname_dependabot %}.
|
||||
@@ -33,13 +34,12 @@ For more information, see "[About the dependency graph](/github/visualizing-repo
|
||||
By checking the dependency reviews on pull requests you can avoid introducing vulnerabilities from dependencies into your codebase. If the pull requests adds a vulnerable dependency, or changes a dependency to a vulnerable version, this is highlighted in the dependency review. You can change the dependency to a patched version before merging the pull request. For more information, see "[About dependency review](/code-security/supply-chain-security/about-dependency-review)."
|
||||
|
||||
## {% data variables.product.prodname_dependabot_alerts %}
|
||||
{% data variables.product.prodname_dotcom %} can create {% data variables.product.prodname_dependabot_alerts %} when it detects vulnerable dependencies in your repository. The alert is displayed on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.prodname_dotcom %} also notifies the maintainers of the repository, according to their notification preferences. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
|
||||
{% data variables.product.product_name %}} can create {% data variables.product.prodname_dependabot_alerts %} when it detects vulnerable dependencies in your repository. The alert is displayed on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of the repository, according to their notification preferences. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
|
||||
|
||||
{% ifversion fpt %}
|
||||
## {% data variables.product.prodname_dependabot_security_updates %}
|
||||
When {% data variables.product.prodname_dotcom %} generates a {% data variables.product.prodname_dependabot %} alert for a vulnerable dependency in your repository, {% data variables.product.prodname_dependabot %} can automatically try to fix it for you. {% data variables.product.prodname_dependabot_security_updates %} are automatically generated pull requests that update a vulnerable dependency to a fixed version. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
|
||||
When {% data variables.product.product_name %} generates a {% data variables.product.prodname_dependabot %} alert for a vulnerable dependency in your repository, {% data variables.product.prodname_dependabot %} can automatically try to fix it for you. {% data variables.product.prodname_dependabot_security_updates %} are automatically generated pull requests that update a vulnerable dependency to a fixed version. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
|
||||
|
||||
## {% data variables.product.prodname_dependabot_version_updates %}
|
||||
Enabling {% data variables.product.prodname_dependabot_version_updates %} takes the effort out of maintaining your dependencies. With {% data variables.product.prodname_dependabot_version_updates %}, whenever {% data variables.product.prodname_dotcom %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. By contrast, {% data variables.product.prodname_dependabot_security_updates %} only raises pull requests to fix vulnerable dependencies. For more information, see "[About Dependabot version updates](/github/administering-a-repository/about-dependabot-version-updates)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
@@ -8,6 +8,7 @@ redirect_from:
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
type: how_to
|
||||
topics:
|
||||
- Dependabot
|
||||
@@ -27,10 +28,11 @@ When {% data variables.product.prodname_dependabot %} detects vulnerable depende
|
||||
{% ifversion fpt %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-new-repositories-when-they-are-added)."
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes %}
|
||||
By default, if your site administrator has configured email for notifications on your enterprise, you will receive {% data variables.product.prodname_dependabot_alerts %} by email.{% endif %}
|
||||
{% ifversion ghes or ghae-issue-4864 %}
|
||||
By default, if your enterprise owner has configured email for notifications on your enterprise, you will receive {% data variables.product.prodname_dependabot_alerts %} by email.
|
||||
|
||||
{% ifversion ghes %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server#enabling-dependabot-alerts)."{% endif %}
|
||||
Enterprise owners can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."
|
||||
{% endif %}
|
||||
|
||||
## Configuring notifications for {% data variables.product.prodname_dependabot_alerts %}
|
||||
|
||||
|
||||
@@ -10,6 +10,7 @@ redirect_from:
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
topics:
|
||||
- Repositories
|
||||
- Dependabot
|
||||
|
||||
@@ -8,6 +8,7 @@ redirect_from:
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
type: how_to
|
||||
topics:
|
||||
- Dependabot
|
||||
@@ -33,7 +34,7 @@ The results of dependency detection reported by {% data variables.product.produc
|
||||
* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
|
||||
* {% ifversion fpt %}{% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)."
|
||||
|
||||
{% endif %}{% data variables.product.prodname_dependabot %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is added to the advisory database{% ifversion ghes > 2.22 %} and synchronized to {% data variables.product.prodname_ghe_server %}{% endif %}. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies#detection-of-vulnerable-dependencies)."
|
||||
{% endif %}{% data variables.product.prodname_dependabot %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is added to the advisory database{% ifversion ghes > 2.22 or ghae-issue-4864 %} and synchronized to {% data variables.product.product_location %}{% endif %}. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies#detection-of-vulnerable-dependencies)."
|
||||
|
||||
## Why don't I get vulnerability alerts for some ecosystems?
|
||||
|
||||
|
||||
@@ -6,10 +6,11 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository
|
||||
- /code-security/supply-chain-security/viewing-and-updating-vulnerable-dependencies-in-your-repository
|
||||
permissions: Repository administrators and organization owners can view and update dependencies.
|
||||
shortTitle: Fix vulnerable dependencies
|
||||
shortTitle: View vulnerable dependencies
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
type: how_to
|
||||
topics:
|
||||
- Dependabot
|
||||
@@ -19,7 +20,7 @@ topics:
|
||||
- Pull requests
|
||||
- Repositories
|
||||
---
|
||||
Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %}{% ifversion fpt %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}{% endif %}. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
|
||||
Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %}{% ifversion fpt %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}{% endif %}. You can sort the list of alerts by selecting the drop-down menu, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
|
||||
|
||||
{% ifversion fpt %}
|
||||
You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
|
||||
@@ -43,17 +44,17 @@ You can enable automatic security updates for any repository that uses {% data v
|
||||
1. Optionally, if there isn't already a {% data variables.product.prodname_dependabot_security_updates %} update for the alert, to create a pull request to resolve the vulnerability, click **Create {% data variables.product.prodname_dependabot %} security update**.
|
||||
|
||||
1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by {% data variables.product.prodname_dependabot %} includes information on commands you can use to control {% data variables.product.prodname_dependabot %}. For more information, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)."
|
||||
1. Optionally, if the alert is being fixed, if it's incorrect, or located in unused code, use the "Dismiss" drop-down, and click a reason for dismissing the alert.
|
||||
1. Optionally, if the alert is being fixed, if it's incorrect, or located in unused code, select the "Dismiss" drop-down, and click a reason for dismissing the alert.
|
||||
|
||||
|
||||
{% elsif ghes > 3.0 %}
|
||||
{% elsif ghes > 3.0 or ghae-issue-4864 %}
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-security %}
|
||||
{% data reusables.repositories.sidebar-dependabot-alerts %}
|
||||
1. Click the alert you'd like to view.
|
||||
|
||||
1. Review the details of the vulnerability and determine whether or not you need to update the dependency.
|
||||
1. When you merge a pull request that updates the manifest or lock file to a secure version of the dependency, this will resolve the alert. Alternatively, if you decide not to update the dependency, click the **Dismiss** drop-down, and select a reason for dismissing the alert.
|
||||
1. When you merge a pull request that updates the manifest or lock file to a secure version of the dependency, this will resolve the alert. Alternatively, if you decide not to update the dependency, select the **Dismiss** drop-down, and click a reason for dismissing the alert.
|
||||
|
||||
|
||||
{% else %}
|
||||
|
||||
@@ -6,6 +6,7 @@ shortTitle: Dependency review
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>= 3.2'
|
||||
ghae: "issue-4864"
|
||||
type: overview
|
||||
topics:
|
||||
- Advanced Security
|
||||
@@ -25,10 +26,14 @@ redirect_from:
|
||||
|
||||
If a pull request targets your repository's default branch and contains changes to package manifests or lock files, you can display a dependency review to see what has changed. The dependency review includes details of changes to indirect dependencies in lock files, and it tells you if any of the added or updated dependencies contain known vulnerabilities.
|
||||
|
||||
{% ifversion fpt %}
|
||||
Dependency review is available in:
|
||||
|
||||
* All public repositories.
|
||||
* Private repositories owned by organizations with an {% data variables.product.prodname_advanced_security %} license that have the dependency graph enabled. For more information, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)."
|
||||
{% elsif ghes or ghae %}
|
||||
Dependency review is available when dependency graph is enabled for {% data variables.product.product_location %} and {% data variables.product.prodname_advanced_security %} is enabled for the organization or repository.
|
||||
{% endif %}
|
||||
|
||||
Sometimes you might just want to update the version of one dependency in a manifest and generate a pull request. However, if the updated version of this direct dependency also has updated dependencies, your pull request may have more changes than you expected. The dependency review for each manifest and lock file provides an easy way to see what has changed, and whether any of the new dependency versions contain known vulnerabilities.
|
||||
|
||||
@@ -40,4 +45,4 @@ Dependency review supports the same languages and package management ecosystems
|
||||
|
||||
## Enabling dependency review
|
||||
|
||||
The dependency review feature becomes available when you enable the dependency graph. {% ifversion fpt %}For more information, see "[Enabling the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph)."{% endif %}{% ifversion ghes > 3.1 %}For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
|
||||
The dependency review feature becomes available when you enable the dependency graph. {% ifversion fpt %}For more information, see "[Enabling the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph)."{% endif %}{% ifversion ghes or ghae %}For more information, see "[Enabling the dependency graph and Dependabot alerts on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."{% endif %}
|
||||
|
||||
@@ -7,6 +7,7 @@ redirect_from:
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
type: overview
|
||||
topics:
|
||||
- Dependency graph
|
||||
@@ -19,18 +20,20 @@ shortTitle: Dependency graph
|
||||
|
||||
## Dependency graph availability
|
||||
|
||||
The dependency graph is available for every{% ifversion fpt %} public{% endif %} repository that defines dependencies in a supported package ecosystem using a supported file format.{% ifversion fpt %} Repository administrators can also set up the dependency graph for private repositories.{% endif %}
|
||||
{% ifversion fpt %}The dependency graph is available for every public repository that defines dependencies in a supported package ecosystem using a supported file format. Repository administrators can also set up the dependency graph for private repositories.{% endif %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %}
|
||||
|
||||
## About the dependency graph
|
||||
|
||||
The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows{% ifversion fpt %}:
|
||||
|
||||
- Dependencies, the ecosystems and packages it depends on
|
||||
- Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on. {% data variables.product.prodname_ghe_server %} does not calculate information about dependents, the repositories and packages that depend on a repository.{% endif %}
|
||||
- Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on. {% data variables.product.product_name %} does not calculate information about dependents, the repositories and packages that depend on a repository.{% endif %}
|
||||
|
||||
When you push a commit to {% data variables.product.product_name %} that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated.{% ifversion fpt %} In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies.{% endif %} For information on the supported ecosystems and manifest files, see "[Supported package ecosystems](#supported-package-ecosystems)" below.
|
||||
|
||||
{% ifversion fpt or ghes > 3.1 %}
|
||||
{% ifversion fpt or ghes > 3.1 or ghae %}
|
||||
When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see "[About dependency review](/code-security/supply-chain-security/about-dependency-review)."
|
||||
{% endif %}
|
||||
|
||||
@@ -61,7 +64,7 @@ You can use the dependency graph to:
|
||||
|
||||
{% ifversion fpt %}To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private repositories. For information about enabling or disabling it for private repositories, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)."{% endif %}
|
||||
|
||||
{% ifversion ghes %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
|
||||
{% ifversion ghes or ghae %}If the dependency graph is not available in your system, your enterprise owner can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."{% endif %}
|
||||
|
||||
When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository{% ifversion fpt %} and every push to other repositories in the graph{% endif %}.
|
||||
|
||||
@@ -73,7 +76,7 @@ The recommended formats explicitly define which versions are used for all direct
|
||||
| --- | --- | --- | ---|
|
||||
| Composer | PHP | `composer.lock` | `composer.json`, `composer.lock` |
|
||||
| `dotnet` CLI | .NET languages (C#, C++, F#, VB) | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj` | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj`, `packages.config` |
|
||||
{%- ifversion fpt or ghes > 3.2 %}
|
||||
{%- ifversion fpt or ghes > 3.2 or ghae %}
|
||||
| Go modules | Go | `go.sum` | `go.mod`, `go.sum` |
|
||||
{%- elsif ghes = 3.2 %}
|
||||
| Go modules | Go | `go.mod` | `go.mod` |
|
||||
|
||||
@@ -12,6 +12,7 @@ redirect_from:
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
type: how_to
|
||||
topics:
|
||||
- Dependency graph
|
||||
@@ -23,8 +24,6 @@ shortTitle: Explore dependencies
|
||||
|
||||
## Viewing the dependency graph
|
||||
|
||||
{% data reusables.repositories.enable-security-alerts %}
|
||||
|
||||
The dependency graph shows the dependencies{% ifversion fpt %} and dependents{% endif %} of your repository. For information about the detection of dependencies and which ecosystems are supported, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
@@ -33,6 +32,10 @@ The dependency graph shows the dependencies{% ifversion fpt %} and dependents{%
|
||||
4. Optionally, under "Dependency graph", click **Dependents**.
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes or ghae-issue-4864 %}
|
||||
Enterprise owners can configure the dependency graph at an enterprise level. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."
|
||||
{% endif %}
|
||||
|
||||
### Dependencies view
|
||||
|
||||
{% ifversion fpt %}
|
||||
@@ -44,14 +47,14 @@ If vulnerabilities have been detected in the repository, these are shown at the
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes %}
|
||||
{% ifversion ghes or ghae %}
|
||||
Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}.
|
||||
|
||||
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** {% data variables.product.prodname_ghe_server %} does not populate the **Dependents** view.
|
||||
**Note:** {% data variables.product.product_name %} does not populate the **Dependents** view.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
|
||||
@@ -3,6 +3,7 @@ title: Understanding your software supply chain
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>=3.0'
|
||||
ghae: "issue-4864"
|
||||
topics:
|
||||
- Dependency graph
|
||||
- Dependencies
|
||||
|
||||
@@ -97,7 +97,7 @@ Permission | Description
|
||||
[`single_file`](/rest/reference/permissions-required-for-github-apps/#permission-on-single-file) | Grants access to the [Contents API](/rest/reference/repos#contents). Can be one of: `none`, `read`, or `write`.
|
||||
[`starring`](/rest/reference/permissions-required-for-github-apps/#permission-on-starring) | Grants access to the [Starring API](/rest/reference/activity#starring). Can be one of: `none`, `read`, or `write`.
|
||||
[`statuses`](/rest/reference/permissions-required-for-github-apps/#permission-on-statuses) | Grants access to the [Statuses API](/rest/reference/repos#statuses). Can be one of: `none`, `read`, or `write`.
|
||||
[`team_discussions`](/rest/reference/permissions-required-for-github-apps/#permission-on-team-discussions) | Grants access to the [Team Discussions API](/rest/reference/teams#discussions) and the [Team Discussion Comments API](/rest/reference/teams#discussion-comments). Can be one of: `none`, `read`, or `write`.{% ifversion fpt or ghes %}
|
||||
[`team_discussions`](/rest/reference/permissions-required-for-github-apps/#permission-on-team-discussions) | Grants access to the [Team Discussions API](/rest/reference/teams#discussions) and the [Team Discussion Comments API](/rest/reference/teams#discussion-comments). Can be one of: `none`, `read`, or `write`.{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
`vulnerability_alerts`| Grants access to receive security alerts for vulnerable dependencies in a repository. See "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies/)" to learn more. Can be one of: `none` or `read`.{% endif %}
|
||||
`watching` | Grants access to list and change repositories a user is subscribed to. Can be one of: `none`, `read`, or `write`.
|
||||
|
||||
|
||||
@@ -5,6 +5,7 @@ product: '{% data reusables.gated-features.dependency-review %}'
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '>= 3.2'
|
||||
ghae: "issue-4864"
|
||||
type: how_to
|
||||
topics:
|
||||
- Pull requests
|
||||
|
||||
@@ -18,7 +18,7 @@ redirect_from:
|
||||
{% ifversion ghes %}
|
||||
By default, if your site administrator has configured email for notifications on your enterprise, you will receive {% ifversion ghes %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} by email.{% endif %}
|
||||
|
||||
{% ifversion ghes %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
|
||||
{% ifversion ghes %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."{% endif %}
|
||||
|
||||
## Configuring notifications for {% ifversion ghes %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}
|
||||
|
||||
|
||||
@@ -34,7 +34,7 @@ The page that's displayed allows you to enable or disable all security and analy
|
||||
|
||||
{% ifversion ghes > 3.0 %}If you have a license for {% data variables.product.prodname_GH_advanced_security %}, the page will also contain options to enable and disable {% data variables.product.prodname_advanced_security %} features. Any repositories that use {% data variables.product.prodname_GH_advanced_security %} are listed at the bottom of the page.{% endif %}
|
||||
|
||||
{% ifversion ghae %}The page will also contain options to enable and disable {% data variables.product.prodname_advanced_security %} features.{% endif %}
|
||||
{% ifversion ghae %}The page will also contain options to enable and disable {% data variables.product.prodname_advanced_security %} features. Any repositories that use {% data variables.product.prodname_GH_advanced_security %} are listed at the bottom of the page.{% endif %}
|
||||
|
||||
## Enabling or disabling a feature for all existing repositories
|
||||
|
||||
@@ -91,10 +91,10 @@ You can enable or disable features for all repositories. {% ifversion fpt %}The
|
||||
|
||||
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
|
||||
2. Under "Configure security and analysis features", to the right of the feature, enable or disable the feature by default for new repositories{% ifversion fpt %}, or all new private repositories,{% endif %} in your organization.
|
||||
{% ifversion fpt or ghes > 3.1 %}
|
||||
{% ifversion fpt %}
|
||||
|
||||
{% endif %}
|
||||
{% ifversion ghes = 3.1 %}
|
||||
{% ifversion ghes > 3.0 %}
|
||||
|
||||
{% endif %}
|
||||
{% ifversion ghes = 3.0 %}
|
||||
|
||||
@@ -66,9 +66,9 @@ To search for specific events, use the `action` qualifier in your query. Actions
|
||||
| [`protected_branch`](#protected_branch-category-actions) | Contains all activities related to protected branches.
|
||||
| [`repo`](#repo-category-actions) | Contains activities related to the repositories owned by your organization.{% ifversion fpt %}
|
||||
| [`repository_advisory`](#repository_advisory-category-actions) | Contains repository-level activities related to security advisories in the {% data variables.product.prodname_advisory_database %}. For more information, see "[About {% data variables.product.prodname_dotcom %} Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)."
|
||||
| [`repository_content_analysis`](#repository_content_analysis-category-actions) | Contains all activities related to [enabling or disabling data use for a private repository](/articles/about-github-s-use-of-your-data).{% endif %}{% ifversion not ghae %}
|
||||
| [`repository_content_analysis`](#repository_content_analysis-category-actions) | Contains all activities related to [enabling or disabling data use for a private repository](/articles/about-github-s-use-of-your-data).{% endif %}{% ifversion fpt %}
|
||||
| [`repository_dependency_graph`](#repository_dependency_graph-category-actions) | Contains repository-level activities related to enabling or disabling the dependency graph for a {% ifversion fpt %}private {% endif %}repository. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."{% endif %}{% ifversion fpt or ghes > 2.22 or ghae %}
|
||||
| [`repository_secret_scanning`](#repository_secret_scanning-category-actions) | Contains repository-level activities related to secret scanning. For more information, see "[About secret scanning](/github/administering-a-repository/about-secret-scanning)." {% endif %}{% ifversion not ghae %}
|
||||
| [`repository_secret_scanning`](#repository_secret_scanning-category-actions) | Contains repository-level activities related to secret scanning. For more information, see "[About secret scanning](/github/administering-a-repository/about-secret-scanning)." {% endif %}{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
| [`repository_vulnerability_alert`](#repository_vulnerability_alert-category-actions) | Contains all activities related to [{% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies).{% endif %}{% ifversion fpt %}
|
||||
| [`repository_vulnerability_alerts`](#repository_vulnerability_alerts-category-actions) | Contains repository-level configuration activities for {% data variables.product.prodname_dependabot %} alerts. {% endif %}{% ifversion fpt or ghes > 2.22 or ghae %}
|
||||
| [`secret_scanning`](#secret_scanning-category-actions) | Contains organization-level configuration activities for secret scanning in existing repositories. For more information, see "[About secret scanning](/github/administering-a-repository/about-secret-scanning)."
|
||||
@@ -636,7 +636,7 @@ For more information, see "[Managing the publication of {% data variables.produc
|
||||
| `enable` | Triggered when an organization owner or person with admin access to the repository [enables data use settings for a private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository).
|
||||
| `disable` | Triggered when an organization owner or person with admin access to the repository [disables data use settings for a private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository).
|
||||
|
||||
{% endif %}{% ifversion not ghae %}
|
||||
{% endif %}{% ifversion fpt %}
|
||||
|
||||
### `repository_dependency_graph` category actions
|
||||
|
||||
@@ -653,7 +653,7 @@ For more information, see "[Managing the publication of {% data variables.produc
|
||||
| `disable` | Triggered when a repository owner or person with admin access to the repository disables secret scanning for a {% ifversion fpt %}private {% endif %}repository. For more information, see "[About secret scanning](/github/administering-a-repository/about-secret-scanning)."
|
||||
| `enable` | Triggered when a repository owner or person with admin access to the repository enables secret scanning for a {% ifversion fpt %}private {% endif %}repository.
|
||||
|
||||
{% endif %}{% ifversion not ghae %}
|
||||
{% endif %}{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
### `repository_vulnerability_alert` category actions
|
||||
|
||||
| Action | Description
|
||||
|
||||
@@ -141,20 +141,20 @@ Some of the features listed below are limited to organizations using {% data var
|
||||
In this section, you can find the repository permission levels required for security features, such as {% data variables.product.prodname_advanced_security %} features.
|
||||
|
||||
| Repository action | Read | Triage | Write | Maintain | Admin |
|
||||
|:---|:---:|:---:|:---:|:---:|:---:| {% ifversion fpt or ghes > 2.22 %}
|
||||
|:---|:---:|:---:|:---:|:---:|:---:| {% ifversion fpt or ghes > 2.22 or ghae-issue-4864 %}
|
||||
| Receive [{% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies) in a repository | | | | | **X** |
|
||||
| [Dismiss {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/viewing-and-updating-vulnerable-dependencies-in-your-repository) | | | | | **X** |
|
||||
| [Designate additional people or teams to receive {% data variables.product.prodname_dependabot_alerts %}](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) for vulnerable dependencies | | | | | **X** |{% endif %}{% ifversion fpt %}
|
||||
| [Designate additional people or teams to receive security alerts](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) | | | | | **X** |{% endif %}{% ifversion fpt %}
|
||||
| Create [security advisories](/code-security/security-advisories/about-github-security-advisories) | | | | | **X** |{% endif %}{% ifversion fpt or ghes > 2.22 or ghae %}
|
||||
| Manage access to {% data variables.product.prodname_GH_advanced_security %} features (see "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)") | | | | | **X** |{% endif %}{% ifversion fpt %}<!--Set at site-level for GHES-->
|
||||
| [Enable the dependency graph](/code-security/supply-chain-security/exploring-the-dependencies-of-a-repository) for a private repository | | | | | **X** |{% endif %}{% ifversion fpt or ghes > 3.1 %}
|
||||
| Manage access to {% data variables.product.prodname_GH_advanced_security %} features (see "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)") | | | | | **X** |{% endif %}{% ifversion fpt %}<!--Set at site-level for GHES and GHAE-->
|
||||
| [Enable the dependency graph](/code-security/supply-chain-security/exploring-the-dependencies-of-a-repository) for a private repository | | | | | **X** |{% endif %}{% ifversion fpt or ghes > 3.1 or ghae-issue-4864 %}
|
||||
| [View dependency reviews](/code-security/supply-chain-security/about-dependency-review) | **X** | **X** | **X** | **X** | **X** |{% endif %}
|
||||
| [View {% data variables.product.prodname_code_scanning %} alerts on pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests) | **X** | **X** | **X** | **X** | **X** |
|
||||
| [List, dismiss, and delete {% data variables.product.prodname_code_scanning %} alerts](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository) | | | **X** | **X** | **X** |{% ifversion fpt or ghes > 3.0 or ghae-next %}
|
||||
| [View {% data variables.product.prodname_secret_scanning %} alerts in a repository](/github/administering-a-repository/managing-alerts-from-secret-scanning) | | | **X**<sup>[1]</sup> | **X**<sup>[1]</sup> | **X** |
|
||||
| [Resolve, revoke, or re-open {% data variables.product.prodname_secret_scanning %} alerts](/github/administering-a-repository/managing-alerts-from-secret-scanning) | | | **X**<sup>[1]</sup> | **X**<sup>[1]</sup> | **X** |{% endif %}{% ifversion ghes = 3.0 %}
|
||||
| [List, dismiss, and delete {% data variables.product.prodname_code_scanning %} alerts](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository) | | | **X** | **X** | **X** |{% ifversion fpt or ghes > 3.0 or ghae %}
|
||||
| [View {% data variables.product.prodname_secret_scanning %} alerts in a repository](/github/administering-a-repository/managing-alerts-from-secret-scanning) | | | **X**{% ifversion not ghae %}<sup>[1]</sup>{% endif %} | **X**{% ifversion not ghae %}<sup>[1]</sup>{% endif %} | **X** |
|
||||
| [Resolve, revoke, or re-open {% data variables.product.prodname_secret_scanning %} alerts](/github/administering-a-repository/managing-alerts-from-secret-scanning) | | | **X**{% ifversion not ghae %}<sup>[1]</sup>{% endif %} | **X**{% ifversion not ghae %}<sup>[1]</sup>{% endif %} | **X** |{% endif %}{% ifversion ghes = 3.0 %}
|
||||
| [View {% data variables.product.prodname_secret_scanning %} alerts in a repository](/github/administering-a-repository/managing-alerts-from-secret-scanning) | | | | | **X** |
|
||||
| [Resolve, revoke, or re-open {% data variables.product.prodname_secret_scanning %} alerts](/github/administering-a-repository/managing-alerts-from-secret-scanning) | | | | | **X** |{% endif %}{% ifversion fpt or ghes > 2.22 %}
|
||||
| [Resolve, revoke, or re-open {% data variables.product.prodname_secret_scanning %} alerts](/github/administering-a-repository/managing-alerts-from-secret-scanning) | | | | | **X** |{% endif %}{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 %}
|
||||
| [Designate additional people or teams to receive {% data variables.product.prodname_secret_scanning %} alerts](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) in repositories | | | | | **X** |{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 3.0 or ghae-next %}
|
||||
|
||||
@@ -42,7 +42,7 @@ You can use the dependency graph to:
|
||||
|
||||
## Enabling the dependency graph
|
||||
|
||||
{% ifversion ghes %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
|
||||
{% ifversion ghes %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."{% endif %}
|
||||
|
||||
|
||||
When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository.
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
---
|
||||
title: Understanding connections between repositories
|
||||
intro: "You can better understand the connections that exist between repositories by viewing a repository's network and forks and the projects that depend on the repository."
|
||||
product: '{% data reusables.gated-features.repository-insights %}'
|
||||
redirect_from:
|
||||
- /articles/viewing-a-repository-s-network
|
||||
- /articles/viewing-a-repositorys-network
|
||||
@@ -24,8 +25,7 @@ shortTitle: Connections between repositories
|
||||
|
||||
## Viewing a repository's network
|
||||
|
||||
'The network graph displays the branch history of the entire repository network, including branches of the root repository and branches of forks that contain commits unique to the network.'
|
||||
product: '{% data reusables.gated-features.repository-insights %}'
|
||||
The network graph displays the branch history of the entire repository network, including branches of the root repository and branches of forks that contain commits unique to the network.
|
||||
|
||||
|
||||
|
||||
@@ -65,7 +65,7 @@ Forks are listed alphabetically by the username of the person who forked the rep
|
||||
3. In the left sidebar, click **Forks**.
|
||||
|
||||
|
||||
{% ifversion fpt or ghes > 2.22 %}
|
||||
{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 %}
|
||||
## Viewing the dependencies of a repository
|
||||
|
||||
You can use the dependency graph to explore the code your repository depends on.
|
||||
|
||||
@@ -4,7 +4,7 @@ Welcome to the content style guide for [GitHub Docs](https://docs.github.com/).
|
||||
|
||||
These guidelines are specific to GitHub’s documentation. For general style questions or guidance on topics not covered here, see the [GitHub Brand Guide](https://brand.github.com/content/) first, then the [Microsoft Style Guide](https://docs.microsoft.com/style-guide/welcome/). For markup specific to source content on docs.github.com, see our [markup reference guide](content-markup-reference.md).
|
||||
|
||||
Use table of contents icon <img src="../assets/images/table-of-contents.png" width="25" height="25" /> on the top left corner of the this document to get to a specific section of this guide quickly.
|
||||
Use table of contents icon <img src="../assets/images/table-of-contents.png" width="25" height="25" /> on the top left corner of this document to get to a specific section of this guide quickly.
|
||||
|
||||
## The GitHub Docs approach to style
|
||||
|
||||
|
||||
25
data/release-notes/enterprise-server/3-0/17.yml
Normal file
25
data/release-notes/enterprise-server/3-0/17.yml
Normal file
@@ -0,0 +1,25 @@
|
||||
date: '2021-10-12'
|
||||
sections:
|
||||
security_fixes:
|
||||
- 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/27034, https://github.com/github/enterprise2/pull/27010 {% endcomment %}'
|
||||
bugs:
|
||||
- 'Custom pre-receive hooks could have failed due to too restrictive virtual memory or CPU time limits. {% comment %} https://github.com/github/enterprise2/pull/26971, https://github.com/github/enterprise2/pull/26955 {% endcomment %}'
|
||||
- 'Attempting to wipe all existing configuration settings with `ghe-cleanup-settings` failed to restart the Management Console service. {% comment %} https://github.com/github/enterprise2/pull/26986, https://github.com/github/enterprise2/pull/26901 {% endcomment %}'
|
||||
- 'During replication teardown via `ghe-repl-teardown` Memcached failed to be restarted. {% comment %} https://github.com/github/enterprise2/pull/26992, https://github.com/github/enterprise2/pull/26983 {% endcomment %}'
|
||||
- 'During periods of high load, users would receive HTTP 503 status codes when upstream services failed internal healthchecks. {% comment %} https://github.com/github/enterprise2/pull/27081, https://github.com/github/enterprise2/pull/26999 {% endcomment %}'
|
||||
- 'Pre-receive hook environments were forbidden from calling the cat command via BusyBox on Alpine. {% comment %} https://github.com/github/enterprise2/pull/27114, https://github.com/github/enterprise2/pull/27094 {% endcomment %}'
|
||||
- 'The external database password was logged in plaintext. {% comment %} https://github.com/github/enterprise2/pull/27172, https://github.com/github/enterprise2/pull/26413 {% endcomment %}'
|
||||
- 'An erroneous `jq` error message may have been displayed when running `ghe-config-apply`. {% comment %} https://github.com/github/enterprise2/pull/27203, https://github.com/github/enterprise2/pull/26784 {% endcomment %}'
|
||||
- 'Failing over from a primary Cluster datacenter to a secondary Cluster datacenter succeeds, but then failing back over to the original primary Cluster datacenter failed to promote Elasticsearch indicies. {% comment %} https://github.com/github/github/pull/193180, https://github.com/github/github/pull/192447 {% endcomment %}'
|
||||
- 'The Site Admin page for repository self-hosted runners returned an HTTP 500. {% comment %} https://github.com/github/github/pull/194205 {% endcomment %}'
|
||||
- 'In some cases, GitHub Enterprise Administrators attempting to view the `Dormant users` page received `502 Bad Gateway` or `504 Gateway Timeout` response. {% comment %} https://github.com/github/github/pull/194259, https://github.com/github/github/pull/193609 {% endcomment %}'
|
||||
changes:
|
||||
- 'More effectively delete Webhook logs that fall out of the Webhook log retention window. {% comment %} https://github.com/github/enterprise2/pull/27157 {% endcomment %}'
|
||||
known_issues:
|
||||
- On a freshly set up {% data variables.product.prodname_ghe_server %} without any users, an attacker could create the first admin user.
|
||||
- Custom firewall rules are removed during the upgrade process.
|
||||
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
|
||||
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
|
||||
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
|
||||
- When a replica node is offline in a high availability configuration, {% data variables.product.product_name %} may still route {% data variables.product.prodname_pages %} requests to the offline node, reducing the availability of {% data variables.product.prodname_pages %} for users.
|
||||
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
|
||||
28
data/release-notes/enterprise-server/3-1/9.yml
Normal file
28
data/release-notes/enterprise-server/3-1/9.yml
Normal file
@@ -0,0 +1,28 @@
|
||||
date: '2021-10-12'
|
||||
sections:
|
||||
security_fixes:
|
||||
- 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/27035, https://github.com/github/enterprise2/pull/27010 {% endcomment %}'
|
||||
bugs:
|
||||
- 'Custom pre-receive hooks could have failed due to too restrictive virtual memory or CPU time limits. {% comment %} https://github.com/github/enterprise2/pull/26972, https://github.com/github/enterprise2/pull/26955 {% endcomment %}'
|
||||
- 'Attempting to wipe all existing configuration settings with `ghe-cleanup-settings` failed to restart the Management Console service. {% comment %} https://github.com/github/enterprise2/pull/26987, https://github.com/github/enterprise2/pull/26901 {% endcomment %}'
|
||||
- 'During replication teardown via `ghe-repl-teardown` Memcached failed to be restarted. {% comment %} https://github.com/github/enterprise2/pull/26993, https://github.com/github/enterprise2/pull/26983 {% endcomment %}'
|
||||
- 'During periods of high load, users would receive HTTP 503 status codes when upstream services failed internal healthchecks. {% comment %} https://github.com/github/enterprise2/pull/27082, https://github.com/github/enterprise2/pull/26999 {% endcomment %}'
|
||||
- 'With Actions configured, MSSQL replication would fail after restoring from a GitHub Enterprise Backup Utilities snapshot. {% comment %} https://github.com/github/enterprise2/pull/27097, https://github.com/github/enterprise2/pull/26254 {% endcomment %}'
|
||||
- 'An erroneous `jq` error message may have been displayed when running `ghe-config-apply`. {% comment %} https://github.com/github/enterprise2/pull/27194, https://github.com/github/enterprise2/pull/26784 {% endcomment %}'
|
||||
- 'Pre-receive hook environments were forbidden from calling the cat command via BusyBox on Alpine. {% comment %} https://github.com/github/enterprise2/pull/27115, https://github.com/github/enterprise2/pull/27094 {% endcomment %}'
|
||||
- 'The external database password was logged in plaintext. {% comment %} https://github.com/github/enterprise2/pull/27173, https://github.com/github/enterprise2/pull/26413 {% endcomment %}'
|
||||
- 'Failing over from a primary Cluster datacenter to a secondary Cluster datacenter succeeds, but then failing back over to the original primary Cluster datacenter failed to promote Elasticsearch indicies. {% comment %} https://github.com/github/github/pull/193181, https://github.com/github/github/pull/192447 {% endcomment %}'
|
||||
- 'The "Import teams" button on the Teams page for an Organization returned an HTTP 404. {% comment %} https://github.com/github/github/pull/193302 {% endcomment %}'
|
||||
- 'In some cases, GitHub Enterprise Administrators attempting to view the `Dormant users` page received `502 Bad Gateway` or `504 Gateway Timeout` response. {% comment %} https://github.com/github/github/pull/194260, https://github.com/github/github/pull/193609 {% endcomment %}'
|
||||
- 'Performance was negatively impacted in certain high load situations as a result of the increased number of `SynchronizePullRequestJob` jobs. {% comment %} https://github.com/github/github/pull/195253, https://github.com/github/github/pull/194591 {% endcomment %}'
|
||||
changes:
|
||||
- 'More effectively delete Webhook logs that fall out of the Webhook log retention window. {% comment %} https://github.com/github/enterprise2/pull/27158 {% endcomment %}'
|
||||
known_issues:
|
||||
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
|
||||
- On a freshly set up {% data variables.product.prodname_ghe_server %} without any users, an attacker could create the first admin user.
|
||||
- Custom firewall rules are removed during the upgrade process.
|
||||
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
|
||||
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
|
||||
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
|
||||
- If {% data variables.product.prodname_actions %} is enabled for {% data variables.product.prodname_ghe_server %}, teardown of a replica node with `ghe-repl-teardown` will succeed, but may return `ERROR:Running migrations`.
|
||||
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
|
||||
27
data/release-notes/enterprise-server/3-2/1.yml
Normal file
27
data/release-notes/enterprise-server/3-2/1.yml
Normal file
@@ -0,0 +1,27 @@
|
||||
date: '2021-10-12'
|
||||
sections:
|
||||
security_fixes:
|
||||
- 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/27118, https://github.com/github/enterprise2/pull/27110 {% endcomment %}'
|
||||
bugs:
|
||||
- 'Custom pre-receive hooks could have failed due to too restrictive virtual memory or CPU time limits. {% comment %} https://github.com/github/enterprise2/pull/26973, https://github.com/github/enterprise2/pull/26955 {% endcomment %}'
|
||||
- 'In a GitHub Enterprise Server clustering configuration, Dependency Graph settings could have been incorrectly applied. {% comment %} https://github.com/github/enterprise2/pull/26981, https://github.com/github/enterprise2/pull/26861 {% endcomment %}'
|
||||
- 'Attempting to wipe all existing configuration settings with `ghe-cleanup-settings` failed to restart the Management Console service. {% comment %} https://github.com/github/enterprise2/pull/26988, https://github.com/github/enterprise2/pull/26901 {% endcomment %}'
|
||||
- 'During replication teardown via `ghe-repl-teardown` Memcached failed to be restarted. {% comment %} https://github.com/github/enterprise2/pull/26994, https://github.com/github/enterprise2/pull/26983 {% endcomment %}'
|
||||
- 'During periods of high load, users would receive HTTP 503 status codes when upstream services failed internal healthchecks. {% comment %} https://github.com/github/enterprise2/pull/27083, https://github.com/github/enterprise2/pull/26999 {% endcomment %}'
|
||||
- 'Pre-receive hook environments were forbidden from calling the cat command via BusyBox on Alpine. {% comment %} https://github.com/github/enterprise2/pull/27116, https://github.com/github/enterprise2/pull/27094 {% endcomment %}'
|
||||
- 'Failing over from a primary Cluster datacenter to a secondary Cluster datacenter succeeds, but then failing back over to the original primary Cluster datacenter failed to promote Elasticsearch indicies. {% comment %} https://github.com/github/github/pull/193182, https://github.com/github/github/pull/192447 {% endcomment %}'
|
||||
- 'The "Import teams" button on the Teams page for an Organization returned an HTTP 404. {% comment %} https://github.com/github/github/pull/193303 {% endcomment %}'
|
||||
- 'Using the API to disable Secret Scanning correctly disabled the property but incorrectly returned an HTTP 422 and an error message. {% comment %} https://github.com/github/github/pull/193455, https://github.com/github/github/pull/192907 {% endcomment %}'
|
||||
- 'In some cases, GitHub Enterprise Administrators attempting to view the `Dormant users` page received `502 Bad Gateway` or `504 Gateway Timeout` response. {% comment %} https://github.com/github/github/pull/194262, https://github.com/github/github/pull/193609 {% endcomment %}'
|
||||
- 'Performance was negatively impacted in certain high load situations as a result of the increased number of `SynchronizePullRequestJob` jobs. {% comment %} https://github.com/github/github/pull/195256, https://github.com/github/github/pull/194591 {% endcomment %}'
|
||||
- 'A user defined pattern created for Secret Scanning would continue getting scanned even after it was deleted. {% comment %} https://github.com/github/token-scanning-service/pull/1039, https://github.com/github/token-scanning-service/pull/822 {% endcomment %}'
|
||||
changes:
|
||||
- 'GitHub Apps now set the Secret Scanning feature on a repository consistently with the API. {% comment %} https://github.com/github/github/pull/193456, https://github.com/github/github/pull/193125 {% endcomment %}'
|
||||
known_issues:
|
||||
- On a freshly set up {% data variables.product.prodname_ghe_server %} without any users, an attacker could create the first admin user.
|
||||
- Custom firewall rules are removed during the upgrade process.
|
||||
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
|
||||
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
|
||||
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
|
||||
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
|
||||
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
|
||||
7
data/reusables/dependabot/dependabot-alerts-beta.md
Normal file
7
data/reusables/dependabot/dependabot-alerts-beta.md
Normal file
@@ -0,0 +1,7 @@
|
||||
{% ifversion ghae-issue-4864 %}
|
||||
{% note %}
|
||||
|
||||
**Note:** {% data variables.product.prodname_dependabot_alerts %} is currently in beta and is subject to change.
|
||||
|
||||
{% endnote %}
|
||||
{% endif %}
|
||||
@@ -0,0 +1,3 @@
|
||||
{% ifversion ghes or ghae-issue-4864 %}
|
||||
The dependency graph and {% data variables.product.prodname_dependabot_alerts %} are configured at an enterprise level by the enterprise owner. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."
|
||||
{% endif %}
|
||||
@@ -1,2 +1,5 @@
|
||||
{%- ifversion fpt or ghes > 3.1 or ghae-issue-4910 %}issues, pulls requests, releases, security alerts, or discussions{% endif %}
|
||||
{%- ifversion ghes = 3.1 %}issues, pull requests, releases, or discussions{% endif %}
|
||||
{%- ifversion fpt or ghes > 3.1 or ghae-issue-4910 %}
|
||||
issues, pulls requests, releases, security alerts, or discussions
|
||||
{%- else %}issues, pull requests, releases, or discussions
|
||||
{% endif %}
|
||||
<!-- `else1` statement probably not picked up by GHES 3.1 deprecation script. Will need to review here -->
|
||||
@@ -1,5 +1,3 @@
|
||||
{% ifversion fpt %}
|
||||
{% ifversion fpt or ghes or ghae-issue-4864 %}
|
||||
You can choose the delivery method and frequency of notifications about {% data variables.product.prodname_dependabot_alerts %} on repositories that you are watching or where you have subscribed to notifications for security alerts.
|
||||
{% else %}
|
||||
You can choose the delivery method for notifications about {% ifversion ghes %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} on repositories that you are watching, as well as the frequency at which the notifications are sent to you.
|
||||
{% endif %}
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
{% ifversion fpt or ghes > 3.1 %}
|
||||
{% ifversion fpt %}By default, you will receive notifications:{% endif %}{% ifversion ghes > 3.1 %}By default, if your site administrator has configured email for notifications on your instance, you will receive {% data variables.product.prodname_dependabot_alerts %}:{% endif %}
|
||||
{% ifversion fpt or ghes > 3.1 or ghae-issue-4864 %}
|
||||
{% ifversion fpt %}By default, you will receive notifications:{% endif %}{% ifversion ghes > 3.1 or ghae-issue-4864 %}By default, if your enterprise owner has configured email for notifications on your instance, you will receive {% data variables.product.prodname_dependabot_alerts %}:{% endif %}
|
||||
|
||||
- by email, an email is sent when {% data variables.product.prodname_dependabot %} is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (**Email each time a vulnerability is found** option).
|
||||
- in the user interface, a warning is shown in your repository's file and code views if there are any vulnerable dependencies (**UI alerts** option).
|
||||
- on the command line, warnings are displayed as callbacks when you push to repositories with any vulnerable dependencies (**Command Line** option).
|
||||
- in your inbox, as web notifications. A web notification is sent when {% data variables.product.prodname_dependabot %} is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (**Web** option).
|
||||
- on {% data variables.product.prodname_mobile %}, as web notifications. For more information, see "[Enabling push notifications with GitHub for mobile](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#enabling-push-notifications-with-github-for-mobile)."
|
||||
- in your inbox, as web notifications. A web notification is sent when {% data variables.product.prodname_dependabot %} is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (**Web** option).{% ifversion not ghae %}
|
||||
- on {% data variables.product.prodname_mobile %}, as web notifications. For more information, see "[Enabling push notifications with GitHub for mobile](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#enabling-push-notifications-with-github-for-mobile)."{% endif %}
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** The email and web/{% data variables.product.prodname_mobile %} notifications are:
|
||||
**Note:** The email and web{% ifversion not ghae %}/{% data variables.product.prodname_mobile %}{% endif %} notifications are:
|
||||
|
||||
- _per repository_ when {% data variables.product.prodname_dependabot %} is enabled on the repository, or when a new manifest file is committed to the repository.
|
||||
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
{% ifversion fpt or ghes > 3.1 %}
|
||||
{% ifversion fpt or ghes > 3.1 or ghae-issue-4864 %}
|
||||
Additionally, {% data variables.product.prodname_dotcom %} can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would introduce a vulnerability into your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "[Reviewing dependency changes in a pull request](/github/collaborating-with-issues-and-pull-requests/reviewing-dependency-changes-in-a-pull-request)."
|
||||
{% endif %}
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
{% ifversion ghes %}
|
||||
Your site administrator must enable {% data variables.product.prodname_dependabot %} alerts for vulnerable dependencies for {% data variables.product.product_location %} before you can use this feature. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."
|
||||
{% ifversion ghes or ghae-issue-4864 %}
|
||||
Enterprise owners must enable {% data variables.product.prodname_dependabot %} alerts for vulnerable dependencies for {% data variables.product.product_location %} before you can use this feature. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."
|
||||
{% endif %}
|
||||
|
||||
@@ -250,6 +250,8 @@ Tableau | Tableau Personal Access Token | tableau_personal_access_token{% endif
|
||||
Telegram | Telegram Bot Token | telegram_bot_token{% endif %}
|
||||
{%- ifversion fpt or ghes > 2.22 or ghae %}
|
||||
Tencent Cloud | Tencent Cloud Secret ID | tencent_cloud_secret_id{% endif %}
|
||||
{%- ifversion fpt or ghes > 3.3 %}
|
||||
Twilio | Twilio Access Token | twilio_access_token{% endif %}
|
||||
{%- ifversion fpt or ghes > 2.22 or ghae %}
|
||||
Twilio | Twilio Account String Identifier | twilio_account_sid{% endif %}
|
||||
{%- ifversion fpt or ghes > 2.22 or ghae %}
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:c00f056234d194cc1ff3c2794d0c99fe9b897c3e65d554d0e7660bb217e8c377
|
||||
size 527124
|
||||
oid sha256:a8356def70ed33b01a0daa1e0e02bf01a422d60fb01fa97dae5f2869c7d70de7
|
||||
size 527440
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d02663e4645078c48e78abec14178e6cf4781645de707e5766741a9426f485e9
|
||||
size 883421
|
||||
oid sha256:93f772a1e644eff798d9ca2b2a2abd95a62c93200e7a8904ccb863043f2668f1
|
||||
size 883095
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e42165158525505310f8dd240e8950733b4de9e48d0286f004527845039986b8
|
||||
size 481242
|
||||
oid sha256:5085cba9d37e0b402383f8f3e326cffde01417c930fd2df78359980e434872cb
|
||||
size 481235
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:cb0e19086b51a295819aafb2c7afa9bf4cc6d7e9e7c48e10f8ea103e181eb8b3
|
||||
size 2140913
|
||||
oid sha256:f279e08ddaadecb62e2228e9e2873c9d2d8031cb36268e0c1f7b999f96fef699
|
||||
size 2140522
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1a62a5714da8d92fa82bd6238599c05d08ee321d20a12ef94c73449356b444e6
|
||||
size 433589
|
||||
oid sha256:659741a9102ee5c69473027ed3440379adc6e1d123ce0866705ababc16aae75d
|
||||
size 433789
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:646bf91ce04c87cbce60b0f6e2da37f0bfea6c26ee59de157369dc77bdeb2838
|
||||
size 1694470
|
||||
oid sha256:488b28b5a01c9af757105a919f5f74da25ec754f14da60bc252dcca60e93fab5
|
||||
size 1694743
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:0f28a6db96160cb3bb938512c06baa97598980cb5cd579b9c4a9fa2cd87f7973
|
||||
size 187227
|
||||
oid sha256:95922d64a40aa341c29ec45489454d49b084197ff46c35dad59ab1128d7d3d41
|
||||
size 187115
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:75497775154e572e8f93985deacd94f2d4be3008465bbd38abfa84ba648c3ac9
|
||||
size 657826
|
||||
oid sha256:e1aef3d19b30ee99b600f4861d5c3b18deb84d74cc6c6f08d9eb9e5d4c121d40
|
||||
size 658160
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4a11f6c706c95ed7c912a6aaa53276c097ca33db0eb4d69c3070b068fe293bd9
|
||||
size 547800
|
||||
oid sha256:89610819421985327459a57e961cd4052ba8947c4e35c8ca477d9173b288f815
|
||||
size 547796
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:69e2e223c2936f3afa5fcc9f114b4eb55f8d223a38364bffbfa1953b992d61f5
|
||||
size 2898571
|
||||
oid sha256:c9f1f5e87e73e2eb085acc1f4db948fa92fd772c3400723160de500d52a4688e
|
||||
size 2898975
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4ff804b9f218524eb1bc06548e24aed1dadba6da54362a759401cc7b42dd8995
|
||||
size 456930
|
||||
oid sha256:52cffd2ce7d913a8fd4005b18f85c06dcb17fe1e6949ba1ea67fd64502102490
|
||||
size 457070
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:afdd08127452eb542638ef2ef71a295705ed0487a6758e983558373b60e6cb5e
|
||||
size 1887008
|
||||
oid sha256:782faef7162121b7d2429a0829220bf8f637ca1adf6e03db2afa5258d6bc0251
|
||||
size 1886436
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:b42b53d3de566c599a4f1d32815105b81b5981fd6931838d82bbb75787057a24
|
||||
size 546996
|
||||
oid sha256:1851b648979fc28bc0dff607367b8fdbb59a18362eca09ceac36c7d303e986ac
|
||||
size 547028
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:85b3532bf0bf635cc9637bb6a8a5cee1f8732ffb50332ed31c8c0995b812ebde
|
||||
size 922346
|
||||
oid sha256:78f9d90262ce021878bf75b61f1e83b240eada12f9c22631aebc4a0eeaff7272
|
||||
size 922809
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:bac8d4068198bf95e4670bf83ae6cf02ee156e9821f0fb4db502a037b0ca644e
|
||||
size 501731
|
||||
oid sha256:ff24b07832cff76b970f90bba3f4b5e8ef5f09b079707bb2bf03b5ab28f21f07
|
||||
size 501928
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1f2da11790a94d1d0880d5be27edb30326e02679ba25337165a6294c5e7ac8c0
|
||||
size 2246774
|
||||
oid sha256:138efbce24d4c856ac287376df530d2c8bdf22d273735345368e2a1a4bad2833
|
||||
size 2247106
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:46aaf86706cdff5d48044d9bd3dcbe314b0b00b5f19d3a8dd33546f8ad95784a
|
||||
size 453269
|
||||
oid sha256:7ec35c64523e6868280d0f9bf1cb96d7518bdc5ab2a540434eeb9c86ea724ec6
|
||||
size 454197
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:2111b8958e6ca0fb74419650fa68cefd269d7ebb21ffbb2630b6f5c2988511b9
|
||||
size 1769251
|
||||
oid sha256:41d2bfcb5d0af671a90150c8bfd0d87d2b69024ae6c941f1fdd84eff0d2688a2
|
||||
size 1769470
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:964e5e733bb1282a47ebcb215e01730543b051cf4bd0860a1db2c99db8cf04b0
|
||||
size 185675
|
||||
oid sha256:476505198f26985c07d48df67b65193eb9cf5188f7c87f916a4685776d7b19eb
|
||||
size 185721
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:81e32b1ff259d683b9cb0a40d2bbaa6ff721d5abafaa8dd67503f438444a400b
|
||||
size 650225
|
||||
oid sha256:015e8fd6c77ed9fd01835fd9b670cab9f4159de8026cf6cf9d50ef0a9be3303d
|
||||
size 650327
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:b92978edcb02652e91f4d3dada3624d71ba648d468aba1e20f6b15bea95213e8
|
||||
size 570003
|
||||
oid sha256:31199b067cdd460fb6f88fec0083b2cb5f09bce372d448f410ad5e9a25d33f02
|
||||
size 570158
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f3ad35ef65fd07d7133e82b381fc758ff61998c6c00c971c08be4a418f441485
|
||||
size 3022235
|
||||
oid sha256:b49b217eb8b42e78ec9afec4ca03f4c09fb1677e5410106bc84bb4b2ff4a2ef5
|
||||
size 3023912
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1ce5e856b86f7ae4a0c04fa1c79c0c00badd5ea3d220c2191a41488f64461e1e
|
||||
size 477185
|
||||
oid sha256:f03c346dea1e0fef8384321603cc49cbc086346dccc9af879e11a0dd54eada65
|
||||
size 477211
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a55dd3c8406bbf2d8b0f75e63d411356416646b15cdd24ab40697a5625677b9b
|
||||
size 1971466
|
||||
oid sha256:559de8f0aec0252819ec3fb6c7c10573d042a18fb904df21b9d3a0396fda765a
|
||||
size 1972002
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:fb3ddf4fdae877350dd544db6bb45494daad98c392c1167fef11df844b9b47aa
|
||||
size 560770
|
||||
oid sha256:9f472189dbe08ddda1370bdf2f2e1ce5f02ac809d8b88005139244d4bde49d1a
|
||||
size 560785
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:219f8e9ee515ebe5d62b6800a2f4bf49d3a51cac2ed948cb28050cad6c30d716
|
||||
size 951005
|
||||
oid sha256:0d8ad367352418c3b1c4c9afda2115351dfdd1fb61d93b3fc04999689d2fecae
|
||||
size 950719
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:deb271ddf8b60452b1fcf7fca9f7c569a88aa8ca5258d9ce6c2b159a6bf3bdf3
|
||||
size 511493
|
||||
oid sha256:85f209a72786a0d0f6cc7422f55470229c1fd28fba8e10cc527c2467ad6fcc62
|
||||
size 511585
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:2965143cc87ccf757f39e99609b0a83f63e0fb05f653da801f27808fe48fa94d
|
||||
size 2304250
|
||||
oid sha256:38f33d1e2213eb26179909c21bceda28d498d06e32a3c8457604bb185daacdb8
|
||||
size 2304581
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f5ecde6caf6749fde9be74b0c91ab5a980c0f858fdbad5a97fa2fbdfef377f18
|
||||
size 464350
|
||||
oid sha256:94938a6551020b21e326a5450c00d28d27dad39b99315c82523b16a839691fe9
|
||||
size 464365
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d7c3c64540624bc36e18dabf15d54a1fb1e348c9df48d1427a8437cf3d2db91f
|
||||
size 1812489
|
||||
oid sha256:0ffd54699179f1f6dcd31a30791d77e7a5bc7d103338cca325f537ae6f9e8600
|
||||
size 1813221
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5c39b354e4813d6a74dcb80756709207fcba958e699ef821f44807da419b606a
|
||||
size 185741
|
||||
oid sha256:0bfc0fc8753452bf1b985e2fc23a8d9987e9b3f4fd8b926a0a61c5dac6da5314
|
||||
size 185700
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:86f8f7c52cdf947a440e16b6532be5012b9d08f65b4a87a539974bf56234b9e5
|
||||
size 650180
|
||||
oid sha256:d7132a6b6b3c30edfebdb606876b33995d183f993766fda83cb2208383307b14
|
||||
size 650089
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6991c84c8b6ff60897e532c9de2e3b2b3a690d1cad152607cc7d750c5d15cadc
|
||||
size 583227
|
||||
oid sha256:0e80e28034e08902d76964500473b1a81ce0a68a2a24d20fe2f7d14723c890fe
|
||||
size 583237
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:9ffbb75b74f8813e1d4e46f718f3396f2eb7b1235928144f0137caf60769e433
|
||||
size 3103240
|
||||
oid sha256:3a32f35223949a6d1096472e259e5fbc9b4a407168fee1c79db7da0b0d4a826a
|
||||
size 3102326
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:3c6d03a2a0853f605d2715358fd8a5f7d34f81270c967b02cba69a04b4b46011
|
||||
size 487572
|
||||
oid sha256:ed1871848ab7f62cae678b686f1acd1b784a4e8f7ef0b7e665bbf573d2158451
|
||||
size 487591
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:9a9856b586a00474d39ac93723bd153ae37b6d4b573444870467a3739113e66a
|
||||
size 2018264
|
||||
oid sha256:d110f00509feed0d30e67e12ff5142b6f6a2a5be72bd3e19ffceae243db36548
|
||||
size 2018840
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6c58207d4ee829f40207b0630379b53f54705509b70d5002a1545c1fdd4dea9b
|
||||
size 571695
|
||||
oid sha256:8d97bcffebeb11650ee0a7f0514a70c3eb89bbf76f882afc34f664a0be4efb11
|
||||
size 571661
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6840afd2fc2841af674af8096909d0a6b63a779d41de5942d3b8b69f225b64a0
|
||||
size 970580
|
||||
oid sha256:d4e58260a9ff9346dfb2eaafb4dab6341fe6071f3471f65e1ac8c5ec9ca89f52
|
||||
size 970450
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d5f366483948a165bb60887c91f21eed0238a7a545eccd5a98607f74c9f83268
|
||||
size 520327
|
||||
oid sha256:4939e08b81bdec2cca978a42fcf6ace07c155410056279f7e321a4f17143b2a9
|
||||
size 520536
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f6705a7d573efb4c749d0bdf5f53efe9517679e6f2c2fe675fb283adb6d5bb84
|
||||
size 2352446
|
||||
oid sha256:2a8f09da6eb4c1061f481300ff9e24fd4ecba8acc813fcf41d4889ef6cb70d52
|
||||
size 2351645
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e28e926555a0a3cf29ffce1a54d9ec87e27a93759015073b76770ae0a3fd19ad
|
||||
size 472896
|
||||
oid sha256:dff569c4f11428a54ba025071541057c50ff7026fbee6ece4f7207b0f1693894
|
||||
size 472021
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:437cbd7c77918e3db8b4044d4e0aafe22d56f0424869de801246f61e495906f0
|
||||
size 1845596
|
||||
oid sha256:d2b1ea6c50957a3bae39950744e3a34ec809c66cae6f86b2035df9b15e866a27
|
||||
size 1845507
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:437c0cc5503759e9fd50eb733b113387c4e05b9657b9eb2e46fc9f32d48900e5
|
||||
size 185711
|
||||
oid sha256:db41328e2020adffd8f1fc2a882ae227856ede6369aa70db4c38c502e588050c
|
||||
size 185720
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:12b04a41c1b26ccd4e26c7031b2aa15d279d7a4de71e4cb9b6c563f0d182251d
|
||||
size 650210
|
||||
oid sha256:ef51c341919a540d149c59a985c66cdc9f6b5857bde36dbeacdff9c36b50e099
|
||||
size 650082
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f26a8789c1ce79833c8777032351c05b19ec400c45d468f58ef1685be916b300
|
||||
size 593904
|
||||
oid sha256:cad8b8df9d6176cc869780f5715b5d6243a62b2a30e36d2480c43187f425a212
|
||||
size 593796
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1cf5f6a7018c722984370b0ec23906c8b310c5434f5494470374e1655fcf4d78
|
||||
size 3166473
|
||||
oid sha256:61810283ffa964be6274076c622c425ae6e717f3c14f3e6139934df9e6a376bf
|
||||
size 3167064
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d642151dbdffe455478a702358a2caccc2ce95e08b5b9c883ddb7d3056a86777
|
||||
size 497155
|
||||
oid sha256:031c8f9c72e2e5fb4a0b3c05931faafd0a32ec8986bfe5354d85e63c7f4f7ebe
|
||||
size 497001
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:289ee94e4e58e0d92727c63eb7c1b661905b8e6ccdb571510730eca47065ec70
|
||||
size 2056030
|
||||
oid sha256:648c9468b2c456ae9f68167264cfc44ffb16d5f2a3cbb75e8b9ca840c8f4acd1
|
||||
size 2055768
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user