
Dependabot malware alerts

Dependabot malware alerts help you identify malware in your dependencies, protecting your project and its users.

Who can use this feature?

Repositories with Dependabot alerts enabled

Software often relies on packages from various sources, creating dependency relationships that can expose your project to risk. A malicious package runs with the privileges of whatever installs or imports it, so bad actors can use one to gain access to your code, data, users, and contributors.

To help keep your project secure, Dependabot can check your dependencies for known malicious packages, then create alerts with suggested remediation steps.

When Dependabot sends malware alerts

Dependabot sends malware alerts when a package used by your repository's default branch is flagged as malicious. Alerts for existing dependencies are generated as soon as the package is flagged in the GitHub Advisory Database.

Alerts are also generated when you push commits that add a known malicious package or update a package to a known malicious version.

Note

Matching is done on ecosystem, package name, and version. If an internal package (for example, one served from a private registry) shares all three with a malicious public package, Dependabot may generate a false positive alert.

Alert contents

When Dependabot detects a malicious dependency, a malware alert appears on the repository's Security tab. Each alert includes:

  • A link to the affected file
  • Details about the malicious package, including the package name, affected versions, and the patched version (when available)
  • Remediation steps

Availability

Currently, Dependabot malware alerts are available for packages in the npm ecosystem.

Alert notifications

By default, GitHub sends email notifications about new alerts to people who both:

  • Have write, maintain, or admin permissions to a repository
  • Are watching the repository and have enabled notifications for security alerts or for all activity on the repository

On GitHub.com, you can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at https://github.com/settings/notifications.

If you are concerned about receiving too many notifications, use Dependabot auto-triage rules to auto-dismiss low-risk alerts. See About Dependabot auto-triage rules.

Limitations

Dependabot malware alerts have some limitations:

  • Alerts can't catch every security issue. Detection is based on what your manifest and lock files declare, so always review your dependencies and keep those files up to date.
  • New malware may take time to appear in the GitHub Advisory Database and trigger alerts.
  • Only advisories reviewed by GitHub trigger alerts.
  • Dependabot doesn't scan archived repositories.
  • For GitHub Actions, alerts are only generated for actions referenced by a semantic version tag, not for actions pinned to a commit SHA.

GitHub never publicly discloses malicious dependencies for any repository.

Next steps

To start protecting your project from malicious dependencies, see Configuring Dependabot malware alerts.