docs/content/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise.md
Sophie 0f3cc6e990 GitHub Enterprise Server 3.17 release candidate (#55411)
Co-authored-by: docs-bot <77750099+docs-bot@users.noreply.github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: Pallavi <96553709+pallsama@users.noreply.github.com>
Co-authored-by: Stephanie Sabota <80356791+steph-sabotasan@users.noreply.github.com>
Co-authored-by: Casey Tucker <dctucker@github.com>
Co-authored-by: Hao Jiang <45571951+jianghao0718@users.noreply.github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2025-05-15 16:32:44 +00:00


---
title: Enabling Dependabot for your enterprise
intro: 'You can allow users to find and fix vulnerabilities in code dependencies by setting up {% data variables.product.prodname_dependabot_alerts %} and {% data variables.product.prodname_dependabot_updates %}.'
shortTitle: Dependabot
redirect_from:
  - /enterprise/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
  - /enterprise/admin/configuration/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
  - /enterprise/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
  - /admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
  - /admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
  - /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
  - /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account
  - /admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise
  - /admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise
permissions: 'Enterprise owners can set up {% data variables.product.prodname_dependabot %}.'
versions:
  ghes: '*'
type: how_to
topics:
  - Enterprise
  - Security
  - Dependency graph
  - Dependabot
---

## About {% data variables.product.prodname_dependabot %} for {% data variables.product.prodname_ghe_server %}

{% data variables.product.prodname_dependabot %} helps users find and fix vulnerabilities in their dependencies. You must first set up {% data variables.product.prodname_dependabot %} for your enterprise, and then you can enable {% data variables.product.prodname_dependabot_alerts %} to notify users about vulnerable dependencies and {% data variables.product.prodname_dependabot_updates %} to fix the vulnerabilities and keep dependencies updated to the latest version.

{% data variables.product.prodname_dependabot %} is just one of many features available to harden supply chain security for {% data variables.product.prodname_dotcom %}. For more information about the other features, see AUTOTITLE.

### About {% data variables.product.prodname_dependabot_alerts %}

With {% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dotcom %} identifies insecure dependencies in repositories and creates alerts on {% data variables.product.prodname_ghe_server %}, using data from the {% data variables.product.prodname_advisory_database %} and the dependency graph service.

{% data reusables.repositories.tracks-vulnerabilities %}

After you set up {% data variables.product.prodname_dependabot %} for your enterprise, vulnerability data is synced from the {% data variables.product.prodname_advisory_database %} to your instance once every hour. Only {% data variables.product.company_short %}-reviewed advisories are synchronized. {% data reusables.security-advisory.link-browsing-advisory-db %}

You can also choose to manually sync vulnerability data at any time. For more information, see AUTOTITLE.

> [!NOTE]
> When you enable {% data variables.product.prodname_dependabot_alerts %}, no code or information about code from {% data variables.product.prodname_ghe_server %} is uploaded to {% data variables.product.prodname_dotcom_the_website %} or {% data variables.enterprise.data_residency_site %}.

When {% data variables.product.prodname_ghe_server %} receives information about a vulnerability, it identifies repositories that use the affected version of the dependency and generates {% data variables.product.prodname_dependabot_alerts %}. You can choose whether or not to notify users automatically about new {% data variables.product.prodname_dependabot_alerts %}.

For repositories with {% data variables.product.prodname_dependabot_alerts %} enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added, {% data variables.product.prodname_ghe_server %} scans all existing repositories and generates alerts for any repository that is vulnerable. For more information, see AUTOTITLE.

### About {% data variables.product.prodname_dependabot_updates %}

After you enable {% data variables.product.prodname_dependabot_alerts %}, you can choose to enable {% data variables.product.prodname_dependabot_updates %}. When {% data variables.product.prodname_dependabot_updates %} are enabled for {% data variables.product.prodname_ghe_server %}, users can configure repositories so that their dependencies are updated and kept secure automatically.

> [!NOTE]
> {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_ghe_server %} requires {% data variables.product.prodname_actions %} with self-hosted runners.

By default, {% data variables.product.prodname_actions %} runners used by {% data variables.product.prodname_dependabot %} need access to the internet, to download updated packages from upstream package managers. For {% data variables.product.prodname_dependabot_updates %} powered by {% data variables.product.prodname_github_connect %}, internet access provides your runners with a token that allows access to dependencies and advisories hosted on {% data variables.product.prodname_dotcom_the_website %}.

You can enable {% data variables.product.prodname_dependabot_updates %} for specific private registries on {% data variables.product.prodname_ghe_server %} instances with limited, or no, internet access. For more information, see AUTOTITLE.

With {% data variables.product.prodname_dependabot_updates %}, {% data variables.product.company_short %} automatically creates pull requests to update dependencies in two ways.

* **{% data variables.product.prodname_dependabot_version_updates %}**: Users add a {% data variables.product.prodname_dependabot %} configuration file to the repository to enable {% data variables.product.prodname_dependabot %} to create pull requests when a new version of a tracked dependency is released. For more information, see AUTOTITLE.
* **{% data variables.product.prodname_dependabot_security_updates %}**: Users toggle a repository setting to enable {% data variables.product.prodname_dependabot %} to create pull requests when {% data variables.product.prodname_dotcom %} detects a vulnerability in one of the dependencies of the dependency graph for the repository. For more information, see AUTOTITLE and AUTOTITLE.
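The version-updates path above starts with a configuration file committed to the repository. What follows is an added example, not taken from this page or from GitHub's own documentation, of a `.github/dependabot.yml` for a hypothetical npm project on a {% data variables.product.prodname_ghe_server %} instance whose runners cannot reach public registries: it checks weekly for new versions, bounds the number of open pull requests, and resolves packages through a private registry of the kind the section on limited internet access refers to. The registry name `npm-internal`, its URL `https://npm.example.internal`, and the secret name `NPM_INTERNAL_TOKEN` are assumptions.

```yaml
# .github/dependabot.yml (added example; registry name, URL and secret name are assumed)
version: 2

registries:
  npm-internal:                              # hypothetical name for the private registry
    type: npm-registry
    url: https://npm.example.internal        # assumed internal mirror reachable by the runners
    token: ${{secrets.NPM_INTERNAL_TOKEN}}   # a Dependabot secret reference, never a literal token

updates:
  - package-ecosystem: "npm"
    directory: "/"                           # where package.json and the lock file live
    schedule:
      interval: "weekly"                     # one run per week keeps PR volume predictable
    registries:
      - npm-internal                         # resolve this ecosystem through the private registry
    open-pull-requests-limit: 5              # cap concurrent update PRs raised by Dependabot
```

The `registries` block is what lets version updates work on an instance with restricted egress: the runner fetches package metadata from the internal mirror rather than the public registry, and the credential is injected from the repository's Dependabot secrets at run time rather than stored in the file. Removing the `registries` entries yields the plain configuration for an instance whose runners have direct internet access.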

## Enabling {% data variables.product.prodname_dependabot_alerts %}

Before you can enable {% data variables.product.prodname_dependabot_alerts %}, you must first set up {% data variables.product.prodname_dependabot %} for your enterprise:

* You must enable {% data variables.product.prodname_github_connect %}. For more information, see AUTOTITLE.
* You must enable the dependency graph. For more information, see AUTOTITLE.

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.github-connect-tab %}

1. Under "{% data variables.product.prodname_dependabot %}", to the right of "Periodically download the {% data variables.product.prodname_advisory_database %} so that users can receive vulnerability alerts for open source code dependencies", select the dropdown menu and click **Enabled without notifications**. Optionally, to enable alerts with notifications, click **Enabled with notifications**.

   Screenshot of the "Enable" dropdown menu for {% data variables.product.prodname_dependabot_alerts %}, showing the available options.

   > [!NOTE]
   > This setting controls realtime email and web notifications only. Command line interface (CLI) warnings and email digests will still be delivered regardless of which option is selected.

   > [!TIP]
   > We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of realtime notifications. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.

You can now enable {% data variables.product.prodname_dependabot_alerts %} for all existing or new private and internal repositories in the enterprise settings page for "{% data variables.product.UI_advanced_security_ent %}." Alternatively, repository administrators and organization owners can enable {% data variables.product.prodname_dependabot_alerts %} for each repository and organization. Public repositories are always enabled by default. For more information, see AUTOTITLE.

## Enabling {% data variables.product.prodname_dependabot_updates %}

Before you can enable {% data variables.product.prodname_dependabot_updates %}:

* You must enable {% data variables.product.prodname_dependabot_alerts %} for your enterprise. For more information, see "Enabling {% data variables.product.prodname_dependabot_alerts %}" above.
* You must enable TLS. {% data variables.product.prodname_dependabot_updates %} run on self-hosted runners, which need to have TLS enabled. For more information, see AUTOTITLE.
* You must configure {% data variables.product.prodname_ghe_server %} to use {% data variables.product.prodname_actions %} with self-hosted runners. For more information, see AUTOTITLE.

{% data variables.product.prodname_dependabot_updates %} are not supported on {% data variables.product.prodname_ghe_server %} if your enterprise uses clustering.

> [!NOTE]
> After you enable the dependency graph, you can use the {% data variables.product.prodname_dependabot %} action. The action will raise an error if any vulnerabilities or invalid licenses are being introduced. {% data reusables.actions.action-bundled-actions %}

{% data reusables.enterprise_site_admin_settings.sign-in %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.advanced-security-tab %}

1. Under "Security", select **{% data variables.product.prodname_dependabot_updates %}**.
{% data reusables.enterprise_management_console.save-settings %}
2. Click **Visit your instance**.
3. Configure dedicated self-hosted runners to create the pull requests that will update dependencies. This is required because the workflows use a specific runner label. For more information, see AUTOTITLE.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.github-connect-tab %}
4. Under "{% data variables.product.prodname_dependabot %}", to the right of "Users can easily upgrade to non-vulnerable open source code dependencies", click **Enable**.
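Two of the prerequisites in this procedure are easy to leave half-done before the final **Enable** click: TLS on the instance, and dedicated self-hosted runners that the update workflows can actually target. The script below is an added example, not part of this page or of GitHub's tooling, that checks both from a runner listing with the shape returned by the REST endpoint `GET /orgs/{org}/actions/runners`. It assumes the runner label the workflows look for is `dependabot` (the page only says "a specific runner label"); the instance URL `https://ghes.example.internal` and the runner listing are constructed sample data, not output from a real instance.

```python
"""Readiness check for Dependabot updates on GitHub Enterprise Server.

Added example (not from the GitHub docs page). Verifies two prerequisites
listed on the page: the instance is served over TLS, and at least one
self-hosted runner carrying the label Dependabot workflows target is online.
"""
import json
from urllib.parse import urlparse

# Assumed label; the page refers to it only as "a specific runner label".
DEPENDABOT_LABEL = "dependabot"

# Constructed sample in the shape of GET /orgs/{org}/actions/runners.
SAMPLE_RUNNERS_JSON = """
{
  "total_count": 3,
  "runners": [
    {"id": 1, "name": "build-01", "os": "linux", "status": "online", "busy": false,
     "labels": [{"id": 1, "name": "self-hosted", "type": "read-only"},
                {"id": 2, "name": "linux", "type": "read-only"}]},
    {"id": 2, "name": "dependabot-01", "os": "linux", "status": "offline", "busy": false,
     "labels": [{"id": 1, "name": "self-hosted", "type": "read-only"},
                {"id": 7, "name": "dependabot", "type": "custom"}]},
    {"id": 3, "name": "dependabot-02", "os": "linux", "status": "online", "busy": false,
     "labels": [{"id": 1, "name": "self-hosted", "type": "read-only"},
                {"id": 7, "name": "dependabot", "type": "custom"}]}
  ]
}
"""


def tls_enabled(instance_url: str) -> bool:
    """TLS prerequisite: the instance URL must use the https scheme."""
    return urlparse(instance_url).scheme == "https"


def dependabot_runners(runners_json: str) -> list[dict]:
    """Return the runners whose label set includes DEPENDABOT_LABEL."""
    data = json.loads(runners_json)
    return [
        runner for runner in data.get("runners", [])
        if any(label.get("name") == DEPENDABOT_LABEL for label in runner.get("labels", []))
    ]


def readiness_report(instance_url: str, runners_json: str) -> dict:
    """Summarise the prerequisites; 'ready' is True only when every check passes."""
    labelled = dependabot_runners(runners_json)
    online = [r["name"] for r in labelled if r.get("status") == "online"]
    offline = [r["name"] for r in labelled if r.get("status") != "online"]
    problems = []
    if not tls_enabled(instance_url):
        problems.append("instance URL is not https; enable TLS before enabling Dependabot updates")
    if not labelled:
        problems.append(f"no self-hosted runner carries the '{DEPENDABOT_LABEL}' label")
    elif not online:
        problems.append(f"runners labelled '{DEPENDABOT_LABEL}' exist but none is online")
    return {
        "tls": tls_enabled(instance_url),
        "online_runners": online,
        "offline_runners": offline,
        "problems": problems,
        "ready": not problems,
    }


if __name__ == "__main__":
    # Constructed instance URL; swap in the real listing from the REST API to use this for real.
    print(json.dumps(readiness_report("https://ghes.example.internal", SAMPLE_RUNNERS_JSON), indent=2))
```

On the sample data the report is `ready`, but it also names `dependabot-01` as a labelled runner that is offline, which is the kind of detail worth surfacing: a single online runner is enough for the UI step to succeed, yet update jobs will queue behind it once repositories start opting in. The `status` field comes straight from the runners endpoint, so the same function can be pointed at a live listing fetched with the instance's API token.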

When you enable {% data variables.product.prodname_dependabot_alerts %}, you should consider also setting up {% data variables.product.prodname_actions %} for {% data variables.product.prodname_dependabot_security_updates %}. This feature allows developers to fix vulnerabilities in their dependencies. For more information, see AUTOTITLE.

If you need enhanced security, we recommend configuring {% data variables.product.prodname_dependabot %} to use private registries. For more information, see AUTOTITLE.