About alerts for vulnerable dependencies on GitHub Enterprise Server
To identify vulnerable dependencies in your repository and receive alerts about vulnerabilities, you need to enable two security features:
- The dependency graph
- Dependabot alerts
For more information, see "About the dependency graph" and "About alerts for vulnerable dependencies."
We add vulnerabilities to the GitHub Advisory Database from the following sources:
- The National Vulnerability Database
- A combination of machine learning and human review to detect vulnerabilities in public commits on GitHub
- Security advisories reported on GitHub
- The npm Security advisories database
You can connect your GitHub Enterprise Server instance to GitHub.com, then sync vulnerability data to your instance and generate Dependabot alerts in repositories with a vulnerable dependency.
After connecting your GitHub Enterprise Server instance to GitHub.com and enabling the dependency graph and Dependabot alerts for vulnerable dependencies, vulnerability data is synced from GitHub.com to your instance once every hour. You can also manually sync vulnerability data at any time. No code or information about code is uploaded from your GitHub Enterprise Server instance to GitHub.com.
When your GitHub Enterprise Server instance receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate Dependabot alerts. You can customize how you receive Dependabot alerts. For more information, see "Configuring notifications for vulnerable dependencies."
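To make the matching step concrete, here is an added illustration (not GitHub's own code) of how a synced advisory record is compared against a repository's dependency list to decide whether an alert fires. The advisories, the GHSA identifiers and the dependency snapshot are constructed placeholders; the range syntax follows the comma-separated operator clauses the Advisory Database uses for vulnerable version ranges.

```python
# Added illustration, not GitHub Enterprise Server code: match synced advisory
# data against a repository's dependency graph to produce Dependabot-style alerts.
import operator
import re
from typing import Dict, List, Tuple

# Constructed advisories (placeholder GHSA ids) with the fields this check needs.
ADVISORIES = [
    {"ghsa": "GHSA-EXAMPLE-0001", "ecosystem": "npm", "package": "lodash",
     "range": ">= 4.0.0, < 4.17.21", "patched": "4.17.21"},
    {"ghsa": "GHSA-EXAMPLE-0002", "ecosystem": "pip", "package": "requests",
     "range": "< 2.20.0", "patched": "2.20.0"},
    {"ghsa": "GHSA-EXAMPLE-0003", "ecosystem": "npm", "package": "minimist",
     "range": "= 1.2.0", "patched": "1.2.6"},
]

# Constructed dependency graph snapshot for one repository: (ecosystem, name, version).
REPO_DEPENDENCIES = [
    ("npm", "lodash", "4.17.15"),
    ("npm", "lodash", "4.17.21"),
    ("npm", "minimist", "1.2.0"),
    ("pip", "requests", "2.25.1"),
]

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, padded to at least 3 parts."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return parts + (0,) * (3 - len(parts))


def in_range(version: str, vulnerable_range: str) -> bool:
    """True when every clause (e.g. '>= 4.0.0, < 4.17.21') holds for version."""
    v = parse_version(version)
    for clause in vulnerable_range.split(","):
        op, bound = clause.strip().split(" ", 1)
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def find_alerts(dependencies, advisories=ADVISORIES) -> List[Dict]:
    """One alert per (dependency, advisory) pair whose version is affected."""
    alerts = []
    for ecosystem, name, version in dependencies:
        for adv in advisories:
            if (adv["ecosystem"], adv["package"]) == (ecosystem, name) \
                    and in_range(version, adv["range"]):
                alerts.append({"package": name, "version": version,
                               "advisory": adv["ghsa"], "upgrade_to": adv["patched"]})
    return alerts
```

Note that lodash 4.17.21 produces no alert because the patched version sits outside the range, which is exactly why an alert disappears once the dependency is upgraded.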
Before enabling the dependency graph and Dependabot alerts for vulnerable dependencies on your GitHub Enterprise Server instance, you must connect your GitHub Enterprise Server instance to GitHub.com. For more information, see "Connecting your enterprise account to GitHub Enterprise Cloud."
Enabling the dependency graph and Dependabot alerts on GitHub Enterprise Server
For your GitHub Enterprise Server instance to generate Dependabot alerts whenever vulnerabilities are detected on your repositories:
- You must connect your GitHub Enterprise Server instance to GitHub.com. For more information, see "Connecting GitHub Enterprise Server to GitHub Enterprise Cloud."
- You must enable the dependency graph.
Enabling the dependency graph
- Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.
- In the administrative shell, enable the dependency graph on your GitHub Enterprise Server instance:
  $ ghe-config app.github.dependency-graph-enabled true
  Note: For more information about enabling access to the administrative shell via SSH, see "Accessing the administrative shell (SSH)."
- Apply the configuration.
  $ ghe-config-apply
- Return to GitHub Enterprise Server.
Enabling Dependabot alerts
Before enabling Dependabot alerts for your instance, you need to enable the dependency graph. For more information, see above.
- In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.
- In the enterprise account sidebar, click Settings.
- In the left sidebar, click GitHub Connect.
- Under "Repositories can be scanned for vulnerabilities", use the drop-down menu and select Enabled without notifications. Optionally, to enable alerts with notifications, select Enabled with notifications.
We recommend configuring Dependabot alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive Dependabot alerts as usual.
Viewing vulnerable dependencies on GitHub Enterprise Server
You can view all vulnerabilities in your GitHub Enterprise Server instance and manually sync vulnerability data from GitHub.com to update the list.
- From an administrative account on GitHub Enterprise Server, click in the upper-right corner of any page.
- In the left sidebar, click Vulnerabilities.
- To sync vulnerability data, click Sync Vulnerabilities now.