Cybersecurity, GitHub Dependabot security alerts
Dependabot is a GitHub-provided service that raises an alert when it finds a dependency in your repository with a known vulnerability (dependency versions are matched against the GitHub Advisory Database). Alerts are displayed on the main page of the repository and, with full details, on the Security tab under “Dependabot alerts”. Maintainers of the repository are also notified according to their notification preferences.
This article provides an overview of Dependabot's dependency scanning in GitHub repositories (Dependabot checks the packages your project depends on; it does not scan your own source code, which is what GitHub code scanning does) to help development teams comply with the Illinois Cybersecurity Standards, including IT13.2.
For a list of currently supported package managers, see Supported Package Ecosystems.
Enabling Dependabot Vulnerability Alerts
When a vulnerable dependency is detected, an alert is displayed on GitHub and dispatched to maintainers according to their notification preferences. The alert names the affected package and the manifest file it was found in, the vulnerable version range, and the first version that fixes the issue; if no fixed version has been published yet, the alert says so.
If Dependabot security updates are also enabled, and a fixed version exists, the alert is accompanied by an automatically generated pull request that updates the dependency to the lowest version that resolves the vulnerability.
For an individual repository, go to the repository's Settings page, click Security & analysis, and click the Enable button next to Dependency graph and then next to Dependabot alerts (alerts are derived from the dependency graph, so it must be enabled first). Enable Dependabot security updates on the same page if you want the automatic pull requests described above. Changing these settings requires admin access to the repository.
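The same enablement can be scripted, which is useful when you own many repositories and need to show they all comply. The following is an added example, not code from the original article or from GitHub: it uses the documented REST endpoints (PUT /repos/{owner}/{repo}/vulnerability-alerts and PUT /repos/{owner}/{repo}/automated-security-fixes to switch the two settings on, GET /repos/{owner}/{repo}/dependabot/alerts to list open alerts) and then reduces each alert to the fields a maintainer acts on, ordered by severity. It assumes a GITHUB_TOKEN environment variable holding a token allowed to manage the repository's security settings and read its Dependabot alerts; the function names and the sample alert data are constructed for this example. The sample deliberately includes an alert whose advisory has no patched release yet, the case in which no automatic pull request can be generated.

```python
"""Enable Dependabot alerts and security updates for a repository, then triage its open alerts.
Added example, not from the original article or from GitHub; it assumes GITHUB_TOKEN holds a
token allowed to manage the repository's security settings and read its Dependabot alerts."""
import json
import os
import sys
import urllib.request
from collections import Counter

API = "https://api.github.com"
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def _request(method, path, token):
    """One authenticated REST call; returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(API + path, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("X-GitHub-Api-Version", "2022-11-28")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx, e.g. a token without admin rights
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def enable_dependabot(owner, repo, token):
    """Same effect as the Enable buttons under Settings > Security & analysis; both endpoints answer 204."""
    alerts_status, _ = _request("PUT", f"/repos/{owner}/{repo}/vulnerability-alerts", token)
    fixes_status, _ = _request("PUT", f"/repos/{owner}/{repo}/automated-security-fixes", token)
    return alerts_status == 204 and fixes_status == 204

def fetch_open_alerts(owner, repo, token):
    """Page through every open Dependabot alert for the repository."""
    alerts, page = [], 1
    while True:
        path = f"/repos/{owner}/{repo}/dependabot/alerts?state=open&per_page=100&page={page}"
        _, batch = _request("GET", path, token)
        alerts.extend(batch)
        if len(batch) < 100:
            return alerts
        page += 1

def triage(alerts):
    """Reduce raw alert objects to the fields a maintainer acts on, most severe first. The API
    returns first_patched_version as null when no fixed release exists yet; those alerts get
    fixed_in=None, because Dependabot cannot open an update pull request for them."""
    rows = []
    for a in alerts:
        vuln = a["security_vulnerability"]
        patched = vuln.get("first_patched_version")
        rows.append({
            "number": a["number"],
            "severity": vuln["severity"],
            "package": f'{vuln["package"]["ecosystem"]}:{vuln["package"]["name"]}',
            "manifest": a["dependency"]["manifest_path"],
            "vulnerable_range": vuln["vulnerable_version_range"],
            "fixed_in": patched["identifier"] if patched else None,
            "advisory": a["security_advisory"]["ghsa_id"],
            "url": a["html_url"],
        })
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], len(SEVERITY_ORDER)), r["number"]))
    return rows

def severity_counts(rows):
    """Open alerts per severity, e.g. {'critical': 1, 'high': 1, 'medium': 1}."""
    return dict(Counter(r["severity"] for r in rows))

def _sample(number, ecosystem, name, manifest, severity, vuln_range, fixed, ghsa):
    """Constructed alert in the API's shape, trimmed to the fields used above."""
    pkg = {"ecosystem": ecosystem, "name": name}
    return {
        "number": number, "state": "open",
        "html_url": f"https://github.com/example-org/example-app/security/dependabot/{number}",
        "dependency": {"package": pkg, "manifest_path": manifest, "scope": "runtime"},
        "security_advisory": {"ghsa_id": ghsa, "severity": severity, "summary": "placeholder advisory"},
        "security_vulnerability": {"package": pkg, "severity": severity, "vulnerable_version_range": vuln_range,
                                   "first_patched_version": {"identifier": fixed} if fixed else None},
    }

# Constructed sample data: package names, versions and GHSA ids are placeholders, not real advisories.
SAMPLE_ALERTS = [
    _sample(12, "npm", "example-parser", "package-lock.json", "high", "< 4.17.21", "4.17.21", "GHSA-xxxx-xxxx-xx01"),
    _sample(15, "pip", "example-imagelib", "requirements.txt", "critical", ">= 1.0.0, < 2.0.0", None, "GHSA-xxxx-xxxx-xx02"),
    _sample(9, "pip", "example-imagelib", "requirements.txt", "medium", "< 1.4.2", "1.4.2", "GHSA-xxxx-xxxx-xx03"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python dependabot_triage.py owner/repo
        owner, repo = sys.argv[1].split("/", 1)
        token = os.environ["GITHUB_TOKEN"]
        if not enable_dependabot(owner, repo, token):
            sys.exit("could not enable Dependabot alerts / security updates")
        alerts = fetch_open_alerts(owner, repo, token)
    else:
        alerts = SAMPLE_ALERTS  # offline run on the constructed data
    rows = triage(alerts)
    print(severity_counts(rows))
    for r in rows:
        print(f'#{r["number"]:<4} {r["severity"]:<9} {r["package"]} {r["vulnerable_range"]} '
              f'-> {r["fixed_in"] or "no fix available"} ({r["advisory"]}) {r["url"]}')
```

Run it with no arguments to see the triage output on the constructed sample, or with owner/repo and GITHUB_TOKEN set to operate on a real repository. Alerts that come back with fixed_in=None need a manual decision (pin to an unaffected range, replace the package, or dismiss with a documented reason), since no Dependabot pull request will appear for them.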
Managing Dependabot Version Updates
- See this Dependabot automated pull request for an example of remediating a vulnerable dependency. The pull request links to the Dependabot alert that details the vulnerability and includes the release notes and CHANGELOG entries for the new version of the dependency. Review and merge it as you would any other change: an upgrade can introduce breaking changes, and any branch protection rules on the target branch, such as required reviews or required status checks, must be satisfied before it can be merged.