About notifications for Dependabot alerts
When Dependabot detects vulnerable dependencies in your repositories, we generate a Dependabot alert and display it on the Security tab for the repository. GitHub notifies the maintainers of affected repositories about the new alert according to their notification preferences.
Dependabot does not generate Dependabot alerts for malware. For more information, see "About the GitHub Advisory Database".
Regardless of your notification preferences, when Dependabot is first enabled, GitHub does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after Dependabot is enabled, if your notification preferences allow it.
By default, if your enterprise owner has configured email for notifications on your enterprise, you will receive Dependabot alerts by email.
Enterprise owners can also enable Dependabot alerts without notifications. For more information, see "Enabling Dependabot for your enterprise".
Configuring notifications for Dependabot alerts
When a new Dependabot alert is detected, GitHub notifies all users with access to Dependabot alerts for the repository according to their notification preferences. You will receive alerts if you are watching the repository, have enabled notifications for security alerts or for all the activity on the repository, and are not ignoring the repository. For more information, see "Configuring notifications".
You can configure notification settings for yourself or your organization from the Manage notifications drop-down shown at the top of each page. For more information, see "Configuring notifications".
You can choose the delivery method for notifications, as well as how often notifications are sent to you. By default, if your enterprise owner has configured email for notifications on your instance, you will receive Dependabot alerts:
- In your inbox, as web notifications. A web notification is sent when Dependabot is enabled for a repository, when new manifest files are committed to the repository, and when a new vulnerability with a critical or high severity is found (GitHub option).
- By email. An email is sent when Dependabot is enabled for a repository, when new manifest files are committed to the repository, and when a new vulnerability with a critical or high severity is found (Email option).
- On the command line. Warnings are displayed as callbacks when you push to a repository with any insecure dependencies (CLI option).
- On GitHub Mobile, as web notifications. For more information, see "Configuring notifications".
Note
Email and web/GitHub Mobile notifications are:
- Per repository: when Dependabot is enabled for the repository, or when new manifest files are committed to the repository.
- Per organization: when new vulnerabilities are discovered.
- Sent when new vulnerabilities are discovered. GitHub does not send notifications when vulnerabilities are updated.
You can customize the way you are notified about Dependabot alerts. For example, you can receive a weekly digest email summarizing alerts for up to 10 repositories using the "Email vulnerability digest" and "Weekly security email digest" options.

Note
You can filter your notifications on GitHub to show Dependabot alerts. For more information, see "Managing notifications from your inbox".
Email notifications for Dependabot alerts that affect one or more repositories include the X-GitHub-Severity header field. You can use the value of the X-GitHub-Severity header field to filter email notifications for Dependabot alerts. For more information, see "Configuring notifications".
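As an added example (not from this page or from GitHub), the following mail-side filter reads the X-GitHub-Severity header described above and routes critical and high alerts for immediate attention while deferring the rest to a digest. The sample messages and the set of severity values are constructed assumptions for the example.

```python
from email import policy
from email.parser import BytesParser

# Severity levels assumed to appear in the X-GitHub-Severity header, ranked
# from most to least urgent (the exact set of values is an assumption here).
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

# Constructed sample messages, not real GitHub mail; only the headers matter.
SAMPLE_MESSAGES = [
    b"From: notifications@github.com\r\n"
    b"Subject: [octo-org/api] 1 Dependabot alert (critical)\r\n"
    b"X-GitHub-Severity: critical\r\n"
    b"\r\nAlert body\r\n",
    b"From: notifications@github.com\r\n"
    b"Subject: [octo-org/web] 2 Dependabot alerts (low)\r\n"
    b"X-GitHub-Severity: low\r\n"
    b"\r\nAlert body\r\n",
    b"From: notifications@github.com\r\n"
    b"Subject: [octo-org/web] Pull request #12 opened\r\n"
    b"\r\nNot a Dependabot alert mail\r\n",
]


def parse_alert(raw_message: bytes):
    """Return (subject, severity); severity is None when the header is absent."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    subject = str(msg.get("Subject", ""))
    value = msg.get("X-GitHub-Severity")
    severity = str(value).strip().lower() if value else None
    return subject, severity


def route_alert_mail(raw_messages, minimum="high"):
    """Split messages into (urgent, deferred, other) lists of subjects.

    Messages without X-GitHub-Severity are not Dependabot alert mail and go to
    'other'. Unknown severity values are treated as urgent rather than dropped,
    so a level this filter does not know about never silently disappears.
    """
    threshold = SEVERITY_RANK[minimum]
    urgent, deferred, other = [], [], []
    for raw in raw_messages:
        subject, severity = parse_alert(raw)
        if severity is None:
            other.append(subject)
        elif SEVERITY_RANK.get(severity, -1) <= threshold:
            urgent.append(subject)
        else:
            deferred.append(subject)
    return urgent, deferred, other
```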
How to reduce the noise from notifications for Dependabot alerts
If you are concerned about receiving too many notifications for Dependabot alerts, we recommend leveraging Dependabot auto-triage rules to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. For more information, see "About Dependabot auto-triage rules".
Alternatively, you can opt into the weekly email digest, or even completely turn off notifications while keeping Dependabot alerts enabled. You can still navigate to see your Dependabot alerts in your repository's Security tab. For more information, see "Viewing and updating Dependabot alerts".