Supply chain security

GitHub's security features help you keep track of your projects' dependencies and built artifacts.

About supply chain security

GitHub helps you secure your supply chain, from understanding the dependencies in your environment, to knowing about vulnerabilities in those dependencies, and patching them.

Best practices for maintaining dependencies

Guidance and recommendations for maintaining the dependencies you use, including GitHub's security products that can help.

About the dependency graph

You can use the dependency graph to identify all your project's dependencies. The dependency graph supports a range of popular package ecosystems.

About dependency review

Dependency review lets you catch insecure dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.

About Dependabot alerts

Dependabot alerts help you find and fix vulnerable dependencies before they become security risks.

About Dependabot security updates

Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates.

About Dependabot version updates

You can use Dependabot to keep the packages you use updated to the latest versions.

About Dependabot auto-triage rules

Dependabot auto-triage rules are a powerful tool to help you better manage your security alerts at scale. GitHub presets are rules curated by GitHub that you can use to filter out a substantial number of false positives. Custom auto-triage rules give you control over which alerts are ignored, snoozed, or trigger a Dependabot security update to resolve the alert.