Cybersecurity, GitHub Dependabot security alerts
An overview of the Dependabot security tool provided by GitHub.
Dependabot is a GitHub provided service that creates alerts when it
detects vulnerable dependencies in your repository. Alerts are displayed
on the main page of the repository, with further details available on
the Security tab under “Dependabot Alerts”. Maintainers of the
repository are also notified based on their notification preferences.
This article provides an overview of the Dependabot code scanning tool in GitHub repositories to help development teams comply with Illinois Cybersecurity Standards, including IT13.2.
For a list of currently supported package managers, see Supported Package Ecosystems.
Enabling Dependabot Vulnerability Alerts
When a vulnerable dependency is detected, alerts are displayed on GitHub and dispatched to maintainers according to their notification preferences. The alerts include information about the affected version as well as the fixed version.
If Dependabot security updates are enabled the alert will also include an automatically generated pull request that updates the dependency.
For an individual repository, go to the repository's Settings page and click Security & analysis, then click the Enable button next to Dependency graph and Dependabot alerts.
Enabling Dependabot Version Updates
- Please see this Dependabot automated Pull Request for an example of remediation for a vulnerable dependency. The pull request includes a link to the Dependabot alert that details the vulnerability, as well as other changelog information from the new version of the dependency. When the pull request is created, any rules set up for the target branch must be satisfied, such as team approvals or automated tests.
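Version updates (as opposed to the security updates described above) are configured by committing a `.github/dependabot.yml` file to the repository's default branch. The following is an added example configuration, not taken from this article or from a University repository; it assumes an npm project at the repository root and a set of GitHub Actions workflows, so adjust the `package-ecosystem` and `directory` entries to match your own project.

```yaml
# .github/dependabot.yml (added example; assumes an npm project at the repo root)
version: 2
updates:
  # npm dependencies declared in package.json at the repository root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of open version-update PRs so reviewers are not flooded
    open-pull-requests-limit: 10
    # Combine minor and patch bumps into a single PR to reduce review noise;
    # major bumps still arrive as individual PRs for closer review
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Keep the GitHub Actions referenced in .github/workflows current as well
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Once this file is on the default branch, Dependabot opens pull requests on the configured schedule, and each one must still pass the branch protection rules (approvals, status checks) that apply to the target branch. Security updates for vulnerable dependencies remain governed by the Security & analysis setting described above and do not require this file.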