About Dependabot alerts for vulnerable dependencies and malware

A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack.

Dependabot scans code when a new advisory is added to the GitHub Advisory Database or the dependency graph for a repository changes. When vulnerable dependencies or malware are detected, Dependabot alerts are generated. For more information, see "About Dependabot alerts."

You can enable or disable Dependabot alerts for:

  • Your personal account
  • Your repository
  • Your organization

Managing Dependabot alerts for your personal account

You can enable or disable Dependabot alerts for all repositories owned by your personal account.

Enabling or disabling Dependabot alerts for existing repositories

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of dropdown menu for the user profile icon. The "Settings" option is highlighted in a dark orange outline.

  2. In the "Security" section of the sidebar, click Code security and analysis.

  3. Under "Code security and analysis", to the right of Dependabot alerts, click Disable all or Enable all.

    Screenshot of "Configure security and analysis" features with the "Enable all" or "Disable all" buttons emphasized.

  4. Optionally, enable Dependabot alerts by default for new repositories that you create.

    Screenshot of "Enable Dependabot alerts" with the "Enable by default for new private repositories" checkbox emphasized.

  5. Click Disable Dependabot alerts or Enable Dependabot alerts to disable or enable Dependabot alerts for all the repositories you own.

    Screenshot of "Enable Dependabot alerts" with the "Enable Dependabot alerts" button emphasized.

When you enable Dependabot alerts for existing repositories, you will see any results displayed on GitHub within minutes.

Enabling or disabling Dependabot alerts for new repositories

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of dropdown menu for the user profile icon. The "Settings" option is highlighted in a dark orange outline.

  2. In the "Security" section of the sidebar, click Code security and analysis.

  3. Under "Code security and analysis", to the right of Dependabot alerts, enable or disable Dependabot alerts by default for new repositories that you create.

    Screenshot of "Configure security and analysis" with the "Enable for all new private repositories" checkbox emphasized.

Managing Dependabot alerts for your repository

You can manage Dependabot alerts for your public, private or internal repository.

By default, we notify people with admin permissions in the affected repositories about new Dependabot alerts. GitHub never publicly discloses insecure dependencies for any repository. You can also make Dependabot alerts visible to additional people or teams working on repositories that you own or have admin permissions for.

If you enable security and analysis features, GitHub performs read-only analysis on your repository. For more information, see "About GitHub's use of your data."

Enabling or disabling Dependabot alerts for a repository

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", to the right of Dependabot alerts, click Enable to enable alerts or Disable to disable alerts.

    Screenshot of the "Code security and analysis" section with the button to enable Dependabot security updates.
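The same repository-level setting can be audited and enforced with the GitHub REST API instead of the settings UI, which is useful when you own many repositories. The following is an added example, not code from the GitHub docs; it assumes a personal access token with admin access to each repository (the same permission the UI requires), and the `transport` parameter exists only so the HTTP call can be swapped out for testing.

```python
"""Audit and enforce Dependabot alerts across repositories via the GitHub REST API.

Endpoints used (GitHub REST API, "vulnerability alerts" = Dependabot alerts):
  GET /repos/{owner}/{repo}/vulnerability-alerts -> 204 if enabled, 404 if disabled
  PUT /repos/{owner}/{repo}/vulnerability-alerts -> 204 once enabled
Both require a token with admin access to the repository.
"""
import urllib.error
import urllib.request

API = "https://api.github.com"


def _http(method, url, token):
    """Default transport: perform the request and return the HTTP status code.
    4xx responses are returned as codes rather than raised, since 404 is a
    legitimate answer ("alerts disabled") for the GET endpoint."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def alerts_enabled(owner, repo, token, transport=_http):
    """True if Dependabot alerts are enabled, False if disabled.
    Any other status (401/403: token lacks admin access; 5xx) is an error,
    so a misconfigured token is never silently reported as 'disabled'."""
    code = transport("GET", f"{API}/repos/{owner}/{repo}/vulnerability-alerts", token)
    if code == 204:
        return True
    if code == 404:
        return False
    raise RuntimeError(f"{owner}/{repo}: unexpected HTTP {code} (admin token required?)")


def ensure_alerts(owner, repos, token, transport=_http):
    """Enable Dependabot alerts on every repo where they are off; return the repos changed."""
    changed = []
    for repo in repos:
        if not alerts_enabled(owner, repo, token, transport):
            code = transport("PUT", f"{API}/repos/{owner}/{repo}/vulnerability-alerts", token)
            if code != 204:
                raise RuntimeError(f"{owner}/{repo}: enabling alerts failed with HTTP {code}")
            changed.append(repo)
    return changed
```

Run `ensure_alerts("your-org", ["repo-a", "repo-b"], token)` with a real token (placeholders) to bring a list of repositories in line; repositories that were already enabled are left untouched.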

Managing Dependabot alerts for your organization

You can enable or disable Dependabot alerts for all repositories owned by your organization. Your changes affect all repositories.

Enabling or disabling Dependabot alerts for all existing repositories

  1. In the top right corner of GitHub.com, click your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  2. Next to the organization, click Settings.

    Screenshot of the "octo-org" organization with the "Settings" button highlighted with a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", to the right of Dependabot alerts, click Disable all or Enable all.

    Screenshot of "Configure security and analysis" features with the "Enable all" or "Disable all" button emphasized for Dependabot alerts

  5. Optionally, enable Dependabot alerts by default for new repositories in your organization.

    Screenshot of "Enable by default" option for new repositories

  6. Click Disable Dependabot alerts or Enable Dependabot alerts to disable or enable Dependabot alerts for all the repositories in your organization.

    Screenshot of "Enable Dependabot alerts" modal with button to disable or enable feature emphasized