Merge pull request #27144 from github/sophietheking-6460
Add links to the end-to-end supply chain articles and to the overview article from the supply chain docs
@@ -19,6 +19,8 @@ topics:
At its core, end-to-end software supply chain security is about making sure the code you distribute hasn't been tampered with. Previously, attackers focused on targeting dependencies you use, for example libraries and frameworks. Attackers have now expanded their focus to include targeting user accounts and build processes, and so those systems must be defended as well.
For information about features in {% data variables.product.prodname_dotcom %} that can help you secure dependencies, see "[About supply chain security](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)."
## About these guides
This series of guides explains how to think about securing your end-to-end supply chain: personal account, code, and build processes. Each guide explains the risk to that area, and introduces the {% data variables.product.product_name %} features that can help you address that risk.
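Review bot: the new sentence in this hunk names the product with `{% data variables.product.prodname_dotcom %}` while the paragraph under "About these guides" in the same hunk uses `{% data variables.product.product_name %}`; pick one variable within the article so the rendered product name stays consistent across versions. The lead-in "features ... that can help you secure dependencies" also reads narrower than the linked overview, which the dependency review hunk in this same PR introduces as covering "supply chain features" generally; consider "For an overview of the supply chain security features in ..., see ..." so the link text matches the target's scope.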
@@ -37,6 +37,8 @@ For more information about configuring dependency review, see "[Configuring depe
Dependency review supports the same languages and package management ecosystems as the dependency graph. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)."
For more information on supply chain features available on {% data variables.product.product_name %}, see "[About supply chain security](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)."
{% ifversion ghec or ghes %}
## Enabling dependency review
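Review bot: the added paragraph opens with "For more information ..." directly after a paragraph that also opens with "For more information ...", so the section now ends with two near-identical lead-ins pointing at different targets; rewording the new one (for example, "For an overview of the other supply chain security features available on ..., see ...") or folding the link into the preceding paragraph would read better. Also, the preceding link uses the older `/github/visualizing-repository-data-with-graphs/about-the-dependency-graph` path while the new link uses `/code-security/supply-chain-security/...`; if the dependency graph article now lives under `/code-security/`, this is a good moment to update the older path as well.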
@@ -54,6 +54,10 @@ Other supply chain features on {% data variables.product.prodname_dotcom %} rely
{% data variables.product.prodname_dependabot %} cross-references dependency data provided by the dependency graph with the list of known vulnerabilities published in the {% data variables.product.prodname_advisory_database %}, scans your dependencies and generates {% data variables.product.prodname_dependabot_alerts %} when a potential vulnerability is detected.
{% endif %}
{% ifversion fpt or ghec or ghes %}
For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see "[Securing your end-to-end supply chain](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview)."
{% endif %}
## Feature overview
### What is the dependency graph
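Review bot: the new link is wrapped in `{% ifversion fpt or ghec or ghes %}`, but nothing in the hunk shows which version lacks the end-to-end articles, and the `{% endif %}` just above closes an unrelated guard; check that this guard matches the `versions` frontmatter of the linked overview, otherwise the link is either hidden on a version where it would resolve or rendered on a version where the target page does not exist. Minor wording: "best practice guides" reads better as "best-practice guides", and a comma after "end-to-end supply chain security" would separate the list of topics from the main clause.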
@@ -44,6 +44,8 @@ The dependency graph includes all the dependencies of a repository that are deta
The dependency graph identifies indirect dependencies{% ifversion fpt or ghec %} either explicitly from a lock file or by checking the dependencies of your direct dependencies. For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}.
For more information on how {% data variables.product.product_name %} helps you understand the dependencies in your environment, see "[About supply chain security](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)."
{% ifversion fpt or ghec %}
## Dependents included
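Review bot: the new sentence describes the target as helping you "understand the dependencies in your environment", yet the linked page is the "About supply chain security" overview, which the dependency review hunk in this same PR introduces as covering supply chain features in general; align the lead-in with the target's actual scope (for example, "For an overview of how ... helps you secure your supply chain, see ...") so the link text does not promise a narrower page than the one it opens. Since the same overview is linked from three articles in this PR with three different lead-in sentences, a single shared phrasing would also make the cross-references easier to maintain.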