Software often relies on packages from various sources, creating dependency relationships that can unknowingly introduce security vulnerabilities. When your code depends on packages with known security vulnerabilities, you become a target for attackers seeking to exploit your system—potentially gaining access to your code, data, customers, or contributors. Dependabot alerts notify you about vulnerable dependencies so you can upgrade to secure versions and protect your project.
When Dependabot sends alerts
Dependabot scans your repository's default branch and sends alerts when:
- New advisory data is synchronized to GitHub each hour from GitHub.com. 詳しくは、「GitHub Advisory Database でのセキュリティ アドバイザリの参照」をご覧ください。
- Your dependency graph changes—for example, when you push commits that update packages or versions
For supported ecosystems, see 依存関係グラフがサポートされるパッケージ エコシステム.
Understanding alerts
When GitHub detects a vulnerable dependency, a Dependabot alert appears on the repository's Security tab and dependency graph. Each alert includes:
- A link to the affected file
- Details about the vulnerability and its severity
- Information about a fixed version (when available)
For information about viewing and managing alerts, see Dependabot アラートの表示と更新.
Who can enable alerts?
Repository administrators and organization owners can enable Dependabot alerts for their repositories. When enabled, GitHub immediately generates the dependency graph and creates alerts for any vulnerable dependencies it identifies.
この機能を使うには、Enterprise 所有者が Dependabot alerts の お使いの GitHub Enterprise Server インスタンス を有効にする必要があります。 詳しくは、「エンタープライズ向けの Dependabot の有効化」をご覧ください。
See Dependabot アラートの構成.
How alert notifications work
By default, GitHub sends email notifications about new alerts to people who both:
- Have write, maintain, or admin permissions to a repository
- Are watching the repository and have enabled notifications for security alerts or for all activity on the repository
Regardless of your notification preferences, when Dependabot is first enabled, GitHub does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after Dependabot is enabled, if your notification preferences allow it.
If you are concerned about receiving too many notifications, we recommend leveraging Dependabot 自動トリアージ ルール to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. See Dependabot 自動優先順位設定ルール.
Alternatively, you can opt into the weekly email digest, or even completely turn off notifications while keeping Dependabot alerts enabled.
Limitations
Dependabot alerts have some limitations:
- Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
- New vulnerabilities may take time to appear in the GitHub Advisory Database and trigger alerts.
- Only advisories reviewed by GitHub trigger alerts.
- Dependabot doesn't scan archived repositories.
- Dependabot doesn't generate alerts for malware.
- GitHub Actions、アラートは、SHA バージョン管理ではなく、セマンティック バージョン管理を使用するアクションに対してのみ生成されます。