GitHub helps you secure your supply chain, from understanding the dependencies in your environment, to knowing about vulnerabilities in those dependencies, and patching them.
When developing a software project, you likely use other software to build and run your application, such as open-source libraries, frameworks or other tools. These resources are collectively referred to as your “dependencies”, because your project depends on them to function properly. Your project could rely on hundreds of these dependencies, forming what is known as your "supply chain".
Your supply chain can pose a security problem. If one of your dependencies has a known security weakness or a bug, malicious actors could exploit this vulnerability to, for example, insert malicious code ("malware"), steal sensitive data, or cause some other type of disruption to your project. This type of threat is called a "supply chain attack". Having vulnerable dependencies in your supply chain compromises the security of your own project, and you put your users at risk, too.
One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.
You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively, that is, even if you don’t specify a particular dependency, but a dependency of yours uses it, then you’re also dependent on that dependency.
GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them.
The supply chain features on GitHub are:
The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.
Other supply chain features on GitHub rely on the information provided by the dependency graph.
Dependabot version updates don't use the dependency graph and rely on the semantic versioning of dependencies instead. Dependabot version updates help you keep your dependencies updated, even when they don’t have any vulnerabilities.
For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see Securing your end-to-end supply chain.
To generate the dependency graph, GitHub looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.
Additionally, you can use the dependency submission API to submit dependencies from the package manager or ecosystem of your choice, even if the ecosystem is not supported by dependency graph for manifest or lock file analysis. Dependencies submitted to a project using the dependency submission API will show which detector was used for their submission and when they were submitted. For more information on the dependency submission API, see Using the dependency submission API.
For more information about the dependency graph, see About the dependency graph.
Dependency review helps reviewers and contributors understand dependency changes and their security impact in every pull request.
For more information about dependency review, see About dependency review.
Dependabot keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies, and automatically opens pull requests to upgrade your dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published.
The term "Dependabot" encompasses the following features:
Pull requests opened by Dependabot can trigger workflows that run actions. For more information, see Automating Dependabot with GitHub Actions.
By default:
If GitHub Actions is enabled for the repository, GitHub runs Dependabot updates on GitHub Actions.
If GitHub Actions is not enabled for the repository, GitHub generates Dependabot alerts using its built-in Dependabot application.
For more information, see About Dependabot on GitHub Actions runners.
Dependabot security updates can fix vulnerable dependencies in GitHub Actions. When security updates are enabled, Dependabot will automatically raise a pull request to update vulnerable GitHub Actions used in your workflows to the minimum patched version. For more information, see About Dependabot security updates.
Dependabot alerts highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the GitHub Advisory Database, which contains advisories for known vulnerabilities.
Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts when:
Dependabot alerts are displayed on the Security tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
For more information, see About Dependabot alerts.
There are two types of Dependabot updates: Dependabot security updates and version updates. Dependabot generates automatic pull requests to update your dependencies in both cases, but there are several differences.
Dependabot security updates:
Dependabot version updates:
For more information about Dependabot updates, see About Dependabot version updates.
Public repositories:
Private repositories:
Dependency graph: Not enabled by default. The feature can be enabled by repository administrators. For more information, see Exploring the dependencies of a repository.
Dependency review: Available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see the GitHub Enterprise Cloud documentation.
Dependabot alerts: Not enabled by default. Owners of private repositories, or people with admin access, can enable Dependabot alerts by enabling the dependency graph and Dependabot alerts for their repositories. You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see Managing security and analysis settings for your personal account or Managing security and analysis settings for your organization.
Any repository type: