9.7 KiB
title, intro, miniTocMaxHeadingLevel, shortTitle, redirect_from, permissions, versions, type, topics
| title | intro | miniTocMaxHeadingLevel | shortTitle | redirect_from | permissions | versions | type | topics | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Enabling the dependency graph and Dependabot alerts for your enterprise | You can allow users on {% data variables.product.product_location %} to find and fix vulnerabilities in code dependencies by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. | 3 | Dependabot |
|
Enterprise owners who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.product_location %}. |
|
how_to |
|
About alerts for vulnerable dependencies on {% data variables.product.product_location %}
{% data reusables.dependabot.dependabot-alerts-beta %}
{% data variables.product.prodname_dotcom %} identifies vulnerable dependencies in repositories and creates {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.product_location %}, using:
- Data from the {% data variables.product.prodname_advisory_database %}
- The dependency graph service
For more information about these features, see "About the dependency graph" and "About alerts for vulnerable dependencies."
About synchronization of data from the {% data variables.product.prodname_advisory_database %}
{% data reusables.repositories.tracks-vulnerabilities %}
You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_github_connect %}. Once connected, vulnerability data is synced from the {% data variables.product.prodname_advisory_database %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}.
Only {% data variables.product.company_short %}-reviewed advisories are synchronized. {% data reusables.security-advisory.link-browsing-advisory-db %}
About scanning of repositories with synchronized data from the {% data variables.product.prodname_advisory_database %}
For repositories with {% data variables.product.prodname_dependabot_alerts %} enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added to the instance, {% data variables.product.prodname_ghe_server %} scans all existing repositories in that instance and generates alerts for any repository that is vulnerable. For more information, see "Detection of vulnerable dependencies."
About generation of {% data variables.product.prodname_dependabot_alerts %}
If you enable vulnerability detection, when {% data variables.product.product_location %} receives information about a vulnerability, it identifies repositories in your instance that use the affected version of the dependency and generates {% data variables.product.prodname_dependabot_alerts %}. You can choose whether or not to notify users automatically about new {% data variables.product.prodname_dependabot_alerts %}.
Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.product_location %}
Prerequisites
For {% data variables.product.product_location %} to detect vulnerable dependencies and generate {% data variables.product.prodname_dependabot_alerts %}:
- You must enable {% data variables.product.prodname_github_connect %}. {% ifversion ghae %}This also enables the dependency graph service.{% endif %}{% ifversion ghes or ghae %}For more information, see "Managing {% data variables.product.prodname_github_connect %}."{% endif %} {% ifversion ghes %}- You must enable the dependency graph service.{% endif %}
- You must enable vulnerability scanning.
{% ifversion ghes %} {% ifversion ghes > 3.1 %} You can enable the dependency graph via the {% data variables.enterprise.management_console %} or the administrative shell. We recommend you follow the {% data variables.enterprise.management_console %} route unless {% data variables.product.product_location %} uses clustering.
Enabling the dependency graph via the {% data variables.enterprise.management_console %}
{% data reusables.enterprise_site_admin_settings.sign-in %} {% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} {% data reusables.enterprise_management_console.advanced-security-tab %}
- Under "Security," click Dependency graph.
{% data reusables.enterprise_management_console.save-settings %} - Click Visit your instance.
Enabling the dependency graph via the administrative shell
{% endif %}{% ifversion ghes < 3.2 %}
Enabling the dependency graph
{% endif %} {% data reusables.enterprise_site_admin_settings.sign-in %}
- In the administrative shell, enable the dependency graph on {% data variables.product.product_location %}:
{% ifversion ghes > 3.1 %}```shell
ghe-config app.dependency-graph.enabled true
{% else %}```shell ghe-config app.github.dependency-graph-enabled true
ghe-config app.github.vulnerability-alerting-and-settings-enabled true ```{% endif %} {% note %}
Note: For more information about enabling access to the administrative shell via SSH, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/configuration/accessing-the-administrative-shell-ssh)."
{% endnote %}
2. Apply the configuration.
shell $ ghe-config-apply
3. Return to {% data variables.product.prodname_ghe_server %}.
{% endif %}
Enabling {% data variables.product.prodname_dependabot_alerts %}
{% ifversion ghes %} Before enabling {% data variables.product.prodname_dependabot_alerts %} for your instance, you need to enable the dependency graph. For more information, see above. {% endif %}
{% data reusables.enterprise-accounts.access-enterprise %} {%- ifversion ghes < 3.1 %}{% data reusables.enterprise-accounts.settings-tab %}{% endif %} {% data reusables.enterprise-accounts.github-connect-tab %}
-
Under "Repositories can be scanned for vulnerabilities", select the drop-down menu and click Enabled without notifications. Optionally, to enable alerts with notifications, click Enabled with notifications.
{% tip %}
Tip: We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.
{% endtip %}
{% ifversion fpt or ghec or ghes > 3.2 %} When you enable {% data variables.product.prodname_dependabot_alerts %}, you should consider also setting up {% data variables.product.prodname_actions %} for {% data variables.product.prodname_dependabot_security_updates %}. This feature allows developers to fix vulnerabilities in their dependencies. For more information, see "Setting up {% data variables.product.prodname_dependabot %} security and version updates on your enterprise." {% endif %}
Viewing vulnerable dependencies on {% data variables.product.product_location %}
You can view all vulnerabilities in {% data variables.product.product_location %} and manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list.
{% data reusables.enterprise_site_admin_settings.access-settings %}
2. In the left sidebar, click Vulnerabilities.
3. To sync vulnerability data, click Sync Vulnerabilities now.
