Unlocking security updates for transitive dependencies with npm
How Dependabot integrated with npm to address security vulnerabilities on transitive dependencies and increase the likelihood of success for JavaScript security updates by 40%.
Tag
supply chain security
Dependabot alerts are now visible to more developers
Default settings will allow developers with write and maintain access to see and resolve Dependabot alerts.
A smarter, quieter Dependabot
Dependabot is getting a little smarter—and, a little quieter—by reducing bot-based noise from repositories based on your interaction with Dependabot.
Everything new from GitHub Universe 2022
See what we're building to enhance the most integrated developer platform that allows developers and enterprises to drive innovation with ease.
How to mitigate OWASP vulnerabilities while staying in the flow
Explore how GitHub Advanced Security can help address several of the OWASP Top 10 vulnerabilities
Why we’re excited about the Sigstore general availability
The Sigstore GA means you can protect your software supply chain today with GitHub Actions, and will power new npm security capabilities in the near future.
GitHub’s supply chain security features now support Dart
Cross-platform apps built with the popular Flutter toolkit can now benefit from Dependabot alerts.
5 tips for prioritizing Dependabot alerts
Dependabot alerts can give you the ability to secure your project by keeping dependency-based vulnerabilities out of your code. Here are some tips to more efficiently prioritize and take action on your alerts, so you can get back to building.
SCA vs SAST: what are they and which one is right for you?
We’re taking a look at two commonly-used security tools and detailing how they can help secure your projects.
Dependabot now alerts for vulnerable GitHub Actions
GitHub Actions gives teams access to powerful, native CI/CD capabilities right next to their code hosted in GitHub. Starting today, GitHub will send a Dependabot alert for vulnerable GitHub Actions, making it even easier to stay up to date and fix security vulnerabilities in your actions workflows.
New request for comments on improving npm security with Sigstore is now open
Supply chain attacks exploit our implicit trust of open source to hurt developers and our customers. Read our proposal for how npm will significantly reduce supply chain attacks by signing packages with Sigstore.
All GitHub Enterprise users now have access to the security overview
Today, we’re expanding access to the GitHub security overview! All GitHub Enterprise customers now have access to the security overview, not just those with GitHub Advanced Security. Additionally, all users within an enterprise can now access the security overview, not just admins and security managers.
GitHub now publishes malware advisories in the GitHub Advisory Database
To combat the prevalence of malware in the open source ecosystem, GitHub now publishes malware occurrences in the GitHub Advisory Database. These advisories power Dependabot alerts and remain forever free and usable by the community.
Dependabot Updates hit GA in GHES
Dependabot is generally available in GitHub Enterprise Server 3.5. Here is how to set up Dependabot on your instance.
One developer’s journey bringing Dependabot to GitHub Enterprise Server
A personal story about building the feature you want and sharing it with the world.
GitHub brings supply chain security features to the Rust community
The Rust community can now discover, report, and prevent security vulnerabilities.