About global security advisories

Global security advisories are CVEs and GitHub-originated advisories affecting the open source world, located in the GitHub Advisory Database.

In this article

About global security advisories

Global advisories live in the GitHub Advisory Database and are grouped into three categories:

  • GitHub-reviewed advisories are mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they contain a full description and both ecosystem and package information.
  • Unreviewed advisories are published automatically into the GitHub Advisory Database, directly from the National Vulnerability Database feed.
  • Malware advisories relate to vulnerabilities caused by malware and are exclusive to the npm ecosystem. We publish them automatically into the GitHub Advisory Database, directly from information provided by the npm security team.

Note

Dependabot doesn't generate Dependabot alerts for unreviewed and malware advisories.

Every repository advisory is reviewed by the GitHub Security Lab curation team for consideration as a global advisory. We publish security advisories for any of the ecosystems supported by the dependency graph to the GitHub Advisory Database.

Anyone can suggest improvements on any global security advisory. You can edit or add any detail, including additionally affected ecosystems, severity level or description of who is impacted. The GitHub Security Lab curation team will review the submitted improvements.

Next steps

Access advisories in the GitHub Advisory Database. See Browsing security advisories in the GitHub Advisory Database.