You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/code-security/concepts/supply-chain-security/about-dependabot-alerts.md
+19-2Lines changed: 19 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -44,16 +44,33 @@ When {% data variables.product.github %} detects a vulnerable dependency, a {% d
44
44
* Details about the vulnerability and its severity
45
45
* Information about a fixed version (when available)
46
46
47
-
For information about notifications, viewing, and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).
47
+
For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).
48
48
49
49
## Enabling alerts
50
50
51
-
Repository administrators and organization owners can enable {% data variables.product.prodname_dependabot_alerts %} for their repositories{% ifversion fpt or ghec %} and organizations{% endif %}. When enabled, {% data variables.product.github %} immediately generates the dependency graph and creates alerts for any vulnerable dependencies it identifies. By default, people with write, maintain, or admin permissions receive notifications.{% ifversion fpt or ghec %} Repository administrators can grant access to additional people or teams.{% endif %}
51
+
Repository administrators and organization owners can enable {% data variables.product.prodname_dependabot_alerts %} for their repositories{% ifversion fpt or ghec %} and organizations{% endif %}. When enabled, {% data variables.product.github %} immediately generates the dependency graph and creates alerts for any vulnerable dependencies it identifies. {% ifversion fpt or ghec %} Repository administrators can grant access to additional people or teams.{% endif %}
52
52
53
53
{% data reusables.repositories.enable-security-alerts %}
54
54
55
55
See [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).
56
56
57
+
## Notifications for alerts
58
+
59
+
By default, {% data variables.product.github %} sends email notifications about new alerts to people who both:
60
+
61
+
* Have write, maintain, or admin permissions to a repository
62
+
* Are watching the repository and have enabled notifications for security alerts or for all activity on the repository
63
+
64
+
{% ifversion fpt or ghec %}
65
+
You can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at [https://github.com/settings/notifications](https://github.com/settings/notifications).
66
+
{% endif %}
67
+
68
+
Regardless of your notification preferences, when {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.github %} does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled, if your notification preferences allow it.
69
+
70
+
If you are concerned about receiving too many notifications, we recommend leveraging {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. See [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).
71
+
72
+
Alternatively, you can opt into the weekly email digest, or even completely turn off notifications while keeping {% data variables.product.prodname_dependabot_alerts %} enabled.
73
+
57
74
## Limitations
58
75
59
76
{% data variables.product.prodname_dependabot_alerts %} have some limitations:
Copy file name to clipboardExpand all lines: content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-notifications-for-dependabot-alerts.md
+1-26Lines changed: 1 addition & 26 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,31 +21,12 @@ topics:
21
21
contentType: how-tos
22
22
---
23
23
24
-
## About notifications for {% data variables.product.prodname_dependabot_alerts %}
25
-
26
-
When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the **Security** tab for the repository. {% data variables.product.github %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% ifversion fpt or ghec %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories, and needs to be enabled on private repositories. By default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email. You can override the default overall behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at [https://github.com/settings/notifications](https://github.com/settings/notifications).
27
-
{% endif %}
28
-
29
-
{% data reusables.dependabot.no-dependabot-alerts-for-malware %}
30
-
31
-
Regardless of your notification preferences, when {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.github %} does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled, if your notification preferences allow it.
32
-
33
-
{% ifversion fpt or ghec %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether {% data variables.product.prodname_dependabot_alerts %} will be enabled or disabled for newly-created repositories. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-new-repositories-when-they-are-added).
34
-
{% endif %}
35
-
36
-
{% ifversion ghes %}
37
-
By default, if your enterprise owner has configured email for notifications on your enterprise, you will receive {% data variables.product.prodname_dependabot_alerts %} by email.
38
-
39
-
Enterprise owners can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).
40
-
{% endif %}
24
+
By default, {% data variables.product.github %} sends notifications about new alerts by email to people with write, maintain, or admin permissions to a repository. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependabot-alerts#notifications-for-alerts).
41
25
42
26
## Configuring notifications for {% data variables.product.prodname_dependabot_alerts %}
43
27
44
-
When a new {% data variables.product.prodname_dependabot %} alert is detected, {% data variables.product.github %} notifies all users with access to {% data variables.product.prodname_dependabot_alerts %} for the repository according to their notification preferences. You will receive alerts if you are watching the repository, have enabled notifications for security alerts or for all the activity on the repository, and are not ignoring the repository. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#configuring-your-watch-settings-for-an-individual-repository).
45
-
46
28
You can configure notification settings for yourself or your organization from the Manage notifications drop-down {% octicon "bell" aria-label="The notifications bell" %} shown at the top of each page. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#choosing-your-notification-settings).
47
29
48
-
{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization2 %}
49
30
{% data reusables.notifications.vulnerable-dependency-notification-options %}
50
31
51
32
{% ifversion update-notification-settings-22 %}
@@ -57,12 +38,6 @@ You can configure notification settings for yourself or your organization from t
57
38
58
39
{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#filtering-email-notifications).
59
40
60
-
## How to reduce the noise from notifications for {% data variables.product.prodname_dependabot_alerts %}
61
-
62
-
If you are concerned about receiving too many notifications for {% data variables.product.prodname_dependabot_alerts %}, we recommend leveraging {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).
63
-
64
-
Alternatively, you can opt into the weekly email digest, or even completely turn off notifications while keeping {% data variables.product.prodname_dependabot_alerts %} enabled. You can still navigate to see your {% data variables.product.prodname_dependabot_alerts %} in your repository's **Security** tab. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).
Copy file name to clipboardExpand all lines: data/reusables/notifications/vulnerable-dependency-notification-options.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,4 @@
1
-
{% ifversion fpt or ghec %}By default, you will receive notifications:{% endif %}{% ifversion ghes %}By default, if your enterprise owner has configured email for notifications on your instance, you will receive {% data variables.product.prodname_dependabot_alerts %}:{% endif %}
1
+
You can choose to receive notifications:
2
2
3
3
* In your inbox, as web notifications. A web notification is sent when {% data variables.product.prodname_dependabot %} is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (**On {% data variables.product.prodname_dotcom %}** option).
4
4
* By email. An email is sent when {% data variables.product.prodname_dependabot %} is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (**Email** option).
0 commit comments