It’s now easier to configure Dependabot and code scanning for organizations that rely on multiple internal package feeds.

Previously, organization-level settings only allowed a single private registry configuration per ecosystem type (e.g., one Maven registry, one npm registry). Now, you can register all of your private feeds for the same ecosystem at the organization level.

Key highlights include the following:

  • Multiple registries per ecosystem: Add as many private registries as you need for npm, Maven, NuGet, Docker, pip, RubyGems, and all other supported ecosystems directly from your organization’s security settings.
  • OIDC authentication support: Configure OIDC-based authentication for org-level private registries through both the UI and REST API, with support for Azure DevOps Artifacts, AWS CodeArtifact, and JFrog Artifactory.

This feature is available now on github.com and GitHub Enterprise Cloud. It’ll also be available on GitHub Enterprise Server starting with GHES 3.24.

Learn more about configuring Dependabot access to private registries and configuring code scanning access to private registries. You can also join the discussion in GitHub Community.