Cybersecurity, GitHub Dependabot security alerts
An overview of the Dependabot security tool provided by GitHub.
About Dependabot
Dependabot is a GitHub-provided service that creates alerts when it detects vulnerable dependencies in your repository. Alerts are displayed on the main page of the repository, with further details available on the Security tab under “Dependabot Alerts”. Maintainers of the repository are also notified according to their notification preferences.
This article provides an overview of Dependabot in GitHub repositories to help development teams comply with Illinois Cybersecurity Standards, including IT13.2.
Note: Enabling security and analysis features such as Dependabot requires GitHub to perform read-only analysis on your repository.
For a list of currently supported package managers, see Supported Package Ecosystems.
Enabling Dependabot Vulnerability Alerts
Dependabot will send alerts when a new vulnerability is added to the GitHub Advisory Database or when the dependency graph for your repository changes, such as when a new commit adds a dependency to the project. Dependabot can also display information about vulnerable dependencies in a Pull Request.
When a vulnerable dependency is detected, alerts are displayed on GitHub and dispatched to maintainers according to their notification preferences. The alerts include information about the affected version as well as the fixed version.
If Dependabot security updates are enabled, the alert will also include an automatically generated pull request that updates the dependency.
Dependabot is enabled in public GitHub repositories by default. For private repositories, an owner or a person with admin access can enable Dependabot by turning on the dependency graph and Dependabot alerts. Dependabot can also be enabled at the user account or organization level.
For an individual repository, go to the repository's Settings page and click Security & analysis, then click the Enable button next to Dependency graph and Dependabot alerts.
Managing Dependabot Version Updates
Dependabot can also be configured to update outdated dependencies via automated pull requests. Campus teams using this feature have reported reduced friction when applying necessary security updates to code libraries.
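Version updates are switched on by committing a `.github/dependabot.yml` file to the repository. The configuration below is an added example, not part of the original article or of GitHub's documentation; it assumes a repository with an npm `package.json` at the root and workflows under `.github/workflows`, and the label name and the `express` package in the `ignore` rule are placeholders to adjust for your own project.

```yaml
# .github/dependabot.yml  (added example; assumed repository layout, not from the article)
version: 2
updates:
  # npm packages described by package.json at the repository root (assumed layout)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of open version-update PRs so the review queue stays manageable.
    # Security-update PRs are handled separately and are not counted against this limit.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"   # placeholder label; use one that exists in your repository
    commit-message:
      prefix: "deps"
    ignore:
      # Hold back major upgrades of a framework that needs a planned migration;
      # minor and patch releases (which carry most security fixes) still flow through.
      - dependency-name: "express"   # placeholder package name
        update-types: ["version-update:semver-major"]

  # Keep the actions referenced in .github/workflows current as well
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Once the file is on the default branch, Dependabot opens version-update pull requests on the configured schedule; these go through the same branch protection rules (required reviews, status checks) as the security-update pull requests described above, so the existing review gate still applies before anything is merged.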
Examples
- Please see this Dependabot automated Pull Request for an example of remediation for a vulnerable dependency. The pull request includes a link to the Dependabot alert that details the vulnerability, as well as CHANGELOG information from the new version of the dependency. To complete the proposed update, any rules set up for the target branch must be satisfied, such as team approvals or automated tests.