
Publishing a repository security advisory

You can publish a security advisory to alert your community to a security vulnerability in your project.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

Note

This article applies to repository-level security advisories in a public repository. To edit a global advisory in the GitHub Advisory Database, see Editing security advisories in the GitHub Advisory Database.

Prerequisites

Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. See Creating a repository security advisory and Editing a repository security advisory.

Publishing a security advisory

Warning

Whenever possible, add a fix version to the security advisory before you publish it. If you don't, the advisory is published without a fixed version, and Dependabot alerts your users about the issue without offering them any safe version to update to.

  1. On GitHub, navigate to the main page of the repository.

  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted by a dark orange outline.

  3. In the left sidebar, under "Reporting", click Advisories.

  4. In the "Security Advisories" list, click the name of the security advisory you'd like to publish.

  5. Scroll to the bottom of the advisory form and click Publish advisory.

    • If you selected "Request CVE ID later", you will see a Request CVE button in place of the Publish advisory button.

    Screenshot of the "Required advisory information has been provided" area of the page. The "Publish advisory" button is outlined in orange.

Note

Publishing a security advisory deletes the temporary private fork for the security advisory, so make sure any fix you developed in that fork has already been merged before you publish.

Requesting a CVE identification number (Optional)

If you don't already have a CVE identification number for a security vulnerability in your project, you can request one from GitHub.

  1. On GitHub, navigate to the main page of the repository.

  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted by a dark orange outline.

  3. In the left sidebar, under "Reporting", click Advisories.

  4. In the "Security Advisories" list, click the name of the security advisory you'd like to request a CVE identification number for.

  5. Scroll to the bottom of the advisory form and click Request CVE.

    Screenshot of the "Required advisory information has been provided" area of the page. The "Request CVE" button is outlined in dark orange.
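The two procedures above, and the warning about publishing without a fix version, can be turned into a pre-publish gate when you automate advisory handling. The following is an added example, not GitHub's own code: it takes the advisory JSON as the REST endpoint `GET /repos/{owner}/{repo}/security-advisories/{ghsa_id}` returns it (the field names `ghsa_id`, `state`, `cve_id`, `vulnerabilities[].package`, `vulnerabilities[].vulnerable_version_range` and `vulnerabilities[].patched_versions` are assumed from that API), refuses to build the publish request while any affected package lists no patched version, and builds the CVE request only when no CVE is assigned yet. The sample advisory, the owner/repository names and the GHSA ID are constructed placeholders.

```python
"""Pre-publish gate for a repository security advisory.

Added example, not GitHub's own code. It assumes the advisory JSON has the
shape returned by GET /repos/{owner}/{repo}/security-advisories/{ghsa_id}
(fields used: ghsa_id, state, cve_id, vulnerabilities[].package,
vulnerabilities[].vulnerable_version_range, vulnerabilities[].patched_versions).
The sample below is constructed; its GHSA ID and package names are placeholders.
"""
import json

# Constructed sample: one affected package has a fix, the other does not.
SAMPLE_ADVISORY = json.loads("""
{
  "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
  "state": "draft",
  "cve_id": null,
  "severity": "high",
  "vulnerabilities": [
    {
      "package": {"ecosystem": "npm", "name": "example-widget"},
      "vulnerable_version_range": "< 2.1.0",
      "patched_versions": "2.1.0",
      "vulnerable_functions": []
    },
    {
      "package": {"ecosystem": "npm", "name": "example-widget-legacy"},
      "vulnerable_version_range": "<= 1.9.9",
      "patched_versions": null,
      "vulnerable_functions": []
    }
  ]
}
""")


def packages_without_fix(advisory):
    """Return 'ecosystem/name' for each affected package with no patched version.

    Publishing while this list is non-empty makes Dependabot alert users with
    no safe version to upgrade to, which is what the warning on this page
    cautions against.
    """
    missing = []
    for vuln in advisory.get("vulnerabilities", []):
        pkg = vuln.get("package") or {}
        patched = (vuln.get("patched_versions") or "").strip()
        if not patched:
            missing.append(f"{pkg.get('ecosystem')}/{pkg.get('name')}")
    return missing


def publish_request(owner, repo, advisory, allow_unfixed=False):
    """Build the REST call that publishes a draft advisory.

    Returns (method, path, body). Raises ValueError when the advisory is not a
    draft, or when a package lacks a patched version and allow_unfixed is False.
    The request is only constructed here; send it with the client you use
    (for example `gh api --method PATCH <path> -f state=published`).
    """
    if advisory.get("state") != "draft":
        raise ValueError(f"advisory is '{advisory.get('state')}', not a draft")
    missing = packages_without_fix(advisory)
    if missing and not allow_unfixed:
        raise ValueError("no patched version for: " + ", ".join(missing))
    path = f"/repos/{owner}/{repo}/security-advisories/{advisory['ghsa_id']}"
    return ("PATCH", path, {"state": "published"})


def cve_request(owner, repo, advisory):
    """Build the REST call that asks GitHub to assign a CVE ID.

    Raises ValueError if the advisory already carries a CVE.
    """
    if advisory.get("cve_id"):
        raise ValueError(f"advisory already has {advisory['cve_id']}")
    path = f"/repos/{owner}/{repo}/security-advisories/{advisory['ghsa_id']}/cve"
    return ("POST", path, {})


if __name__ == "__main__":
    print("packages without fix:", packages_without_fix(SAMPLE_ADVISORY))
    try:
        print(publish_request("octo-org", "example-widget", SAMPLE_ADVISORY))
    except ValueError as err:
        print("refusing to publish:", err)
    fixed = json.loads(json.dumps(SAMPLE_ADVISORY))
    fixed["vulnerabilities"][1]["patched_versions"] = "1.10.0"
    print(publish_request("octo-org", "example-widget", fixed))
    print(cve_request("octo-org", "example-widget", fixed))
```

Run it as a step in the release pipeline that prepares the advisory: the gate fails closed on a missing patched version, and `allow_unfixed=True` is the explicit opt-in for the rare case where you knowingly publish without a fix. Nothing here sends the request, so the same gate works against an advisory JSON saved from `gh api` without network access.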

Further reading