
Managing Dependabot malware alerts

Find and prioritize malicious dependencies in your project with Dependabot malware alerts.

Who can use this feature?

Repositories with Dependabot alerts enabled

Viewing malware alerts for your repository

  1. On GitHub, navigate to the main page of the repository.
  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.
    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted by a dark orange outline.
  3. In the "Findings" section of the sidebar, select the Dependabot dropdown menu, then click Malware.
  4. Optionally, use the search bar or filter dropdown menus to find alerts matching specific criteria.

Viewing malware alerts for your organization

  1. In the upper-right corner of GitHub, click your profile picture, then click Organizations.

  2. Click the name of the organization you want to view.

  3. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  4. In the "Findings" section of the sidebar, select the Dependabot dropdown menu, then click Malware.

  5. Optionally, use the search bar or filter dropdown menus to find alerts matching specific criteria.

Viewing malware alerts for your enterprise

  1. Navigate to your enterprise, for example from the Enterprises page on GitHub.com.
  2. At the top of the page, click the Security tab.
  3. In the "Findings" section of the sidebar, select the Dependabot dropdown menu, then click Malware.
  4. Optionally, use the search bar or filter dropdown menus to find alerts matching specific criteria.

Dismissing malware alerts

  1. Navigate to the Dependabot malware alerts view for your repository, organization, or enterprise.
  2. Click the name of the malware alert you want to dismiss.
  3. In the top-right corner, click Dismiss alert, then select a reason for dismissing the alert.
  4. Optionally, write a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting.
  5. Click Dismiss alert.

Reopening a dismissed malware alert

  1. Navigate to the Dependabot malware alerts view for your repository, organization, or enterprise.

  2. To view closed alerts, click NUMBER Closed.

    Screenshot showing the list of Dependabot alerts with the "Closed" tab highlighted with a dark orange outline.

  3. Click the alert that you would like to view or update.

  4. In the top-right corner, click Reopen.

Next steps

To help reduce false positives for internal packages and low-risk alerts, you can configure Dependabot auto-triage rules to automatically dismiss alerts that meet certain criteria. See About Dependabot auto-triage rules.