Dependabot alerts

Dependabot alerts help you find and fix vulnerable dependencies before they become security risks.

Who can use this feature?

Dependabot alerts are supported on organization-owned and user-owned repositories.

Software often relies on packages from various sources, creating dependency relationships that can unknowingly introduce security vulnerabilities. When your code depends on packages with known security vulnerabilities, you become a target for attackers seeking to exploit your system—potentially gaining access to your code, data, customers, or contributors. Dependabot alerts notify you about vulnerable dependencies so you can upgrade to secure versions and protect your project.

When Dependabot sends alerts

Dependabot scans your repository's default branch and sends alerts when:

  • A new vulnerability is added to the GitHub Advisory Database
  • Your dependency graph changes—for example, when you push commits that update packages or versions

For supported ecosystems, see Package ecosystems supported by the dependency graph.

Understanding alerts

When GitHub detects a vulnerable dependency, a Dependabot alert appears on the repository's Security and quality tab and dependency graph. Each alert includes:

  • A link to the affected file
  • Details about the vulnerability and its severity
  • Information about a fixed version (when available)

For information about viewing and managing alerts, see Viewing and updating Dependabot alerts.

Who can enable alerts?

Repository administrators and organization owners can enable Dependabot alerts for their repositories and organizations. When enabled, GitHub immediately generates the dependency graph and creates alerts for any vulnerable dependencies it identifies. Repository administrators can grant access to additional people or teams.

See Configuring Dependabot alerts.

Alert ownership and assignments

Users with write access or higher can assign Dependabot alerts to repository collaborators, teams, or AI agents to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.

You can assign alerts to the following types of agents:

  • Copilot, GitHub's built-in AI agent.
  • Third-party agents, such as Codex or Claude, when enabled in your repository settings.

When an alert is assigned to a person or team, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress.

When an alert is assigned to an agent, the agent automatically creates a session and opens a draft pull request with a proposed fix. If the agent can't generate a fix, it remains as an assignee, and you can click View Session on the alert timeline to review the agent's log.

Note

Assignment visibility is currently scoped to the repository-level alerts view. The organization-wide security overview does not display alert assignments.

When an alert's assignees change, GitHub sends an assignees_changed webhook event. You can use this event to trigger workflows or sync assignment data with external systems. For more information, see Webhook events and payloads.

Automation and integrations

You can manage alert assignments programmatically using the REST API. For more information, see REST API endpoints for Dependabot alerts.

For information about assigning alerts, see Viewing and updating Dependabot alerts.
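As an added example (not GitHub's own code), the script below triages a page of alerts as returned by the REST API's list endpoint for a repository's Dependabot alerts: it ranks open alerts by severity and separates those with a known fixed version from those without one, the two pieces of information each alert carries. The field names follow the REST API response shape; the alert data is a constructed sample, and fetching the real list with an authenticated request is left to the caller.

```python
from collections import Counter

# Severity ranking for ordering; names match security_advisory.severity values.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def triage(alerts):
    """Return open alerts sorted by severity, noting whether a fixed version exists."""
    rows = []
    for alert in alerts:
        if alert["state"] != "open":
            continue  # dismissed or fixed alerts need no remediation work
        pkg = alert["dependency"]["package"]
        patched = alert["security_vulnerability"].get("first_patched_version")
        rows.append({
            "number": alert["number"],
            "severity": alert["security_advisory"]["severity"],
            "package": f'{pkg["ecosystem"]}:{pkg["name"]}',
            "manifest": alert["dependency"]["manifest_path"],
            "advisory": alert["security_advisory"]["ghsa_id"],
            # None: no patched release is known yet, so upgrading is not yet an option
            "fix": patched["identifier"] if patched else None,
        })
    rows.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], r["number"]))
    return rows

def summarize(rows):
    """Count open alerts per severity and split them into fixable vs. no fix yet."""
    return {
        "by_severity": dict(Counter(r["severity"] for r in rows)),
        "fixable": sum(1 for r in rows if r["fix"]),
        "no_fix_yet": sum(1 for r in rows if r["fix"] is None),
    }

# Constructed sample shaped like a GET .../dependabot/alerts response; not real data.
SAMPLE_ALERTS = [
    {"number": 3, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "example-lib"}, "manifest_path": "requirements.txt"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxxx", "severity": "high"},
     "security_vulnerability": {"first_patched_version": None}},
    {"number": 7, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-util"}, "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-yyyy-yyyy-yyyy", "severity": "critical"},
     "security_vulnerability": {"first_patched_version": {"identifier": "4.17.21"}}},
    {"number": 9, "state": "fixed",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-util"}, "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-zzzz-zzzz-zzzz", "severity": "low"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.2.3"}}},
]
```

Alerts with no fixed version are the ones to watch separately, since an upgrade is not yet possible and only a dismissal with a reason or a workaround applies.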

How alert notifications work

By default, GitHub sends email notifications about new alerts to people who both:

  • Have write, maintain, or admin permissions to a repository
  • Are watching the repository and have enabled notifications for security alerts or for all activity on the repository

You can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at https://github.com/settings/notifications.

Regardless of your notification preferences, when Dependabot is first enabled, GitHub does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after Dependabot is enabled, if your notification preferences allow it.

If you are concerned about receiving too many notifications, we recommend using Dependabot auto-triage rules to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. See Dependabot auto-triage rules.

Alternatively, you can opt into the weekly email digest, or even completely turn off notifications while keeping Dependabot alerts enabled.

Limitations

Dependabot alerts have some limitations:

  • Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
  • New vulnerabilities may take time to appear in the GitHub Advisory Database and trigger alerts.
  • Only advisories reviewed by GitHub trigger alerts.
  • Dependabot doesn't scan archived repositories.
  • For GitHub Actions, alerts are generated only for workflows that reference actions by semantic version, not for actions pinned to a commit SHA.

GitHub never publicly discloses vulnerabilities for any repository.

GitHub Copilot Chat integration

With a GitHub Copilot Enterprise license, you can ask Copilot Chat questions about Dependabot alerts in your organization's repositories. For more information, see Asking GitHub Copilot questions in GitHub.

Further reading