About Dependabot alerts for vulnerable dependencies
A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of that project or of other projects that use its code. Vulnerabilities vary in type, severity, and method of attack.
Dependabot scans code when a new advisory is added to the GitHub Advisory Database or the dependency graph for a repository changes. When vulnerable dependencies are detected, Dependabot alerts are generated. For more information, see About Dependabot alerts.
If Dependabot security updates are enabled for the repository, the alert also contains a link to a pull request that updates the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "About Dependabot security updates".
Note
An enterprise owner must first set up Dependabot for your enterprise before you can configure Dependabot alerts. For more information, see Enabling Dependabot for your enterprise.
You can enable or disable Dependabot alerts for:
- Your personal account
- Your repository
- Your organization
- Your enterprise
Additionally, you can use Dependabot auto-triage rules to manage alerts at scale: rules can automatically dismiss or snooze alerts and specify which alerts you want Dependabot to open pull requests for. For information about the different types of auto-triage rules and whether your repository is eligible, see "About Dependabot auto-triage rules".
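To show what an alert carries once it has been generated, here is an added example (not code from the GitHub Docs page) that summarises open alerts by severity and extracts the minimum patched version that a security-update pull request would bump to. It assumes the JSON shape returned by the REST endpoint GET /repos/{owner}/{repo}/dependabot/alerts, which this page does not mention; the payload is constructed, with placeholder GHSA ids.

```python
"""Summarise Dependabot alerts from the REST API response.
Added example, not code from the GitHub Docs page. It assumes the JSON shape
of GET /repos/{owner}/{repo}/dependabot/alerts, an endpoint the page does not
mention; the payload below is constructed, with placeholder GHSA ids.
"""
import json
from collections import Counter

# Constructed sample alerts (not real data).
SAMPLE_ALERTS = json.loads("""[
 {"number": 1, "state": "open",
  "dependency": {"package": {"ecosystem": "npm", "name": "lodash"},
                 "manifest_path": "package-lock.json"},
  "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "severity": "high"},
  "security_vulnerability": {"first_patched_version": {"identifier": "4.17.21"}}},
 {"number": 2, "state": "open",
  "dependency": {"package": {"ecosystem": "pip", "name": "examplelib"},
                 "manifest_path": "requirements.txt"},
  "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx2", "severity": "critical"},
  "security_vulnerability": {"first_patched_version": null}},
 {"number": 3, "state": "dismissed",
  "dependency": {"package": {"ecosystem": "npm", "name": "minimist"},
                 "manifest_path": "package-lock.json"},
  "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx3", "severity": "medium"},
  "security_vulnerability": {"first_patched_version": {"identifier": "1.2.6"}}}
]""")

def summarize_alerts(alerts):
    """Return (open alerts counted by severity, open packages with no fix yet)."""
    by_severity = Counter()
    no_fix = []
    for alert in alerts:
        if alert["state"] != "open":      # dismissed / fixed / auto_dismissed
            continue
        by_severity[alert["security_advisory"]["severity"]] += 1
        if alert["security_vulnerability"]["first_patched_version"] is None:
            no_fix.append(alert["dependency"]["package"]["name"])
    return dict(by_severity), no_fix

def fix_targets(alerts):
    """Map open alert number -> (package, manifest, lowest patched version).
    This is the version a Dependabot security update PR would bump to."""
    targets = {}
    for alert in alerts:
        patched = alert["security_vulnerability"]["first_patched_version"]
        if alert["state"] == "open" and patched is not None:
            dep = alert["dependency"]
            targets[alert["number"]] = (dep["package"]["name"], dep["manifest_path"], patched["identifier"])
    return targets
```

Alerts with no first patched version are reported separately, because no security-update pull request can be opened for them yet.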
Managing Dependabot alerts for your personal account
Dependabot alerts for your repositories can be enabled or disabled by your enterprise owner. For more information, see Enabling Dependabot for your enterprise.
Managing Dependabot alerts for your repository
You can manage Dependabot alerts for your public, private or internal repository.
By default, we notify people with write, maintain, or admin permissions in the affected repositories about new Dependabot alerts. GitHub never publicly discloses insecure dependencies for any repository. You can also make Dependabot alerts visible to additional people or teams working on repositories that you own or have admin permissions for.
An enterprise owner must first set up Dependabot for your enterprise before you can manage Dependabot alerts for your repository. For more information, see Enabling Dependabot for your enterprise.
Enabling or disabling Dependabot alerts for a repository
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
- In the "Security" section of the sidebar, click Code security.
- Under "Code security", to the right of Dependabot alerts, click Enable to enable alerts or Disable to disable alerts.
Managing Dependabot alerts for your organization
You can enable Dependabot alerts for all eligible repositories in your organization. For more information, see About enabling security features at scale.
Managing Dependabot alerts for your enterprise
Security configurations, which are collections of security settings, allow you to manage Dependabot alerts for your enterprise. See Creating a custom security configuration for your enterprise.