Configuring Dependabot alerts

Enable Dependabot alerts to be generated when a new vulnerable dependency is found in one of your repositories.

Who can use this feature?

Repository administrators, organization owners, and people with write or maintain access
Users and teams with explicit access. See "Granting access to security alert."

About Dependabot alerts for vulnerable dependencies

A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack.

Dependabot scans code when a new advisory is added to the GitHub Advisory Database or the dependency graph for a repository changes. When vulnerable dependencies are detected, Dependabot alerts are generated. For more information, see "About Dependabot alerts."

If you have enabled Dependabot security updates for your repository, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "About Dependabot security updates."

You can enable or disable Dependabot alerts for:

Your personal account
Your repository
Your organization
Your enterprise

Additionally, you can use Dependabot auto-triage rules to manage your alerts at scale, so you can auto-dismiss or snooze alerts, and specify which alerts you want Dependabot to open pull requests for. For information about the different types of auto-triage rules, and whether your repositories are eligible, see "About Dependabot auto-triage rules."

Managing Dependabot alerts for your personal account

Dependabot alerts for your repositories can be enabled or disabled by your enterprise owner. For more information, see "Enabling Dependabot for your enterprise."

Managing Dependabot alerts for your repository

You can manage Dependabot alerts for your public, private or internal repository.

By default, we notify people with write, maintain, or admin permissions in the affected repositories about new Dependabot alerts. GitHub Enterprise Server never publicly discloses insecure dependencies for any repository. You can also make Dependabot alerts visible to additional people or teams working on repositories that you own or have admin permissions for.

An enterprise owner must first set up Dependabot for your enterprise before you can manage Dependabot alerts for your repository. For more information, see "Enabling Dependabot for your enterprise."

Enabling or disabling Dependabot alerts for a repository

On GitHub, navigate to the main page of the repository.
Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
In the "Security" section of the sidebar, click Code security and analysis.
Under "Code security and analysis", to the right of Dependabot alerts, click Enable to enable alerts or Disable to disable alerts.

Managing Dependabot alerts for your organization

You can enable Dependabot alerts for all eligible repositories in your organization. For more information, see "About enabling security features at scale."

Managing Dependabot alerts for your enterprise

You can enable or disable Dependabot alerts for all current and future repositories owned by organizations in your enterprise. Your changes affect all repositories.

In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.
On the left side of the page, in the enterprise account sidebar, click Settings.
In the left sidebar, click Code security and analysis.
In the "Dependabot" section, to the right of Dependabot alerts, click Disable all or Enable all.
Optionally, select Automatically enable for new repositories to enable Dependabot alerts by default for your organizations' new repositories.