jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-25 02:17:36 -05:00
Code Issues Projects Releases Wiki Activity

Dependency graph has to be enabled manually for public forks (#54296)

Browse Source 
Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
This commit is contained in:
Ben Ahmady
2025-02-10 15:55:50 +00:00
committed by GitHub
parent e154a557a8
commit fbb550a128
8 changed files with 19 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
View File

@@ -145,11 +145,11 @@ Public repositories:
You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization).
Private repositories:
* **Dependency graph:** Not enabled by default. The feature can be enabled by repository administrators. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
* **Dependency graph:** Not enabled by default. The feature can be enabled by repository administrators. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph).
{% ifversion fpt %}
* **Dependency review:** Available in private repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} and have a license for {% data variables.product.prodname_GH_advanced_security %}. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
{% elsif ghec %}
* **Dependency review:** Available in private repositories owned by organizations provided you have a license for {% data variables.product.prodname_GH_advanced_security %} and the dependency graph enabled. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
* **Dependency review:** Available in private repositories owned by organizations provided you have a license for {% data variables.product.prodname_GH_advanced_security %} and the dependency graph enabled. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph).
{% endif %}
* **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories.
You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization).

27
content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md
View File

@@ -21,32 +21,25 @@ shortTitle: Configure dependency graph
For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
{% ifversion fpt or ghec %}
## Configuring the dependency graph
To generate a dependency graph, {% data variables.product.github %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private {% ifversion ghec %}and internal {% endif %}repositories. For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository).
{% data reusables.dependency-submission.dependency-submission-link %}
{% endif %}
{% ifversion ghes %}
## Enabling the dependency graph
{% data reusables.dependabot.ghes-enabling-dependency-graph %}{% endif %}
{% data reusables.dependabot.ghes-enabling-dependency-graph %}
{% ifversion ghec %}
{% endif %}
### Enabling and disabling the dependency graph for a private or internal repository
{% ifversion fpt or ghec %}
{% endif %}{% ifversion fpt %}
## Configuring the dependency graph
### Enabling and disabling the dependency graph for a private repository
To generate a dependency graph, {% data variables.product.github %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private {% ifversion ghec %}and internal {% endif %}repositories, and public forks. For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository).
{% endif %}{% ifversion fpt or ghec %}
{% data reusables.dependabot.enabling-disabling-dependency-graph-private-repo %}
{% data reusables.dependency-submission.dependency-submission-link %}
### Enabling and disabling the dependency graph
{% data reusables.dependabot.enabling-disabling-dependency-graph-private-repo-public-fork %}
{% endif %}

2
content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md
View File

@@ -24,7 +24,7 @@ This guide shows you how to add three very common customizations: failing builds
This guide assumes that:
* Dependency graph is enabled for the repository.{% ifversion fpt or ghec %} Dependency graph is enabled by default for public repositories and you can choose to enable it for private repositories.{% endif %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
* Dependency graph is enabled for the repository.{% ifversion fpt or ghec %} Dependency graph is enabled by default for public repositories and you can choose to enable it for private{% ifversion ghec %} and internal{% endif %} repositories, and public forks.{% endif %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
* {% data variables.product.prodname_actions %} is enabled for the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository).
## Step 1: Adding the dependency review action

4
content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md
View File

@@ -77,9 +77,9 @@ If vulnerabilities have been detected in the repository, these are shown at the
For public repositories, the dependents view shows how the repository is used by other repositories. To show only the repositories that contain a library in a package manager, click **NUMBER Packages** immediately above the list of dependent repositories. The dependent counts are approximate and may not always match the dependents listed.
## Enabling and disabling the dependency graph for a private repository
## Enabling and disabling the dependency graph
{% data reusables.dependabot.enabling-disabling-dependency-graph-private-repo %}
{% data reusables.dependabot.enabling-disabling-dependency-graph-private-repo-public-fork %}
## Changing the "Used by" package