GitHub tracks reported vulnerabilities in certain dependencies and provides security alerts to affected repositories.
About security vulnerabilities
A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Depending on the severity level and the way your project uses the dependency, vulnerabilities can cause a range of problems for your project or the people who use it. You can track and resolve vulnerabilities for certain types of dependencies in your GitHub repository.
GitHub's security alerts for vulnerable dependencies
GitHub tracks public vulnerabilities in Ruby gems, NPM and Python packages on MITRE's Common Vulnerabilities and Exposures (CVE) List.
When GitHub receives a notification of a newly-announced vulnerability, we identify public repositories (and private repositories that have opted in to vulnerability detection) that use the affected version of the dependency. Then, we send security alerts to owners and people with admin access to affected repositories. You can also configure security alerts for additional people or teams working in organization-owned repositories.
GitHub never publicly discloses identified vulnerabilities for any repository.
We detect vulnerable dependencies in public repositories by default. Owners of and people with admin access to private repositories can also opt into vulnerability detection for the repository. For more information, see "Opting into or out of data use for your private repository."
Configuring and accessing security alerts
Security alerts for vulnerable dependencies list the affected dependency and, in some cases, use machine learning to suggest a fix from the GitHub community. By default, you will receive a weekly email summarizing security alerts for up to 10 of your repositories. You also can choose to receive security alerts individually by email, in a daily digest email, in your web notifications, or in the GitHub user interface. For more information, see "Choosing the delivery method for your notifications."
Learning more about a vulnerability
Security alerts for a vulnerable dependency in your repository include a severity level and a link to the affected file in your project. When available, the alerts also include a link to the CVE record and a suggested fix. The severity level is pulled from the CVE record and is one of four possible levels defined in the Common Vulnerability Scoring System (CVSS), Section 2.1.2:
For more details on the vulnerability, you can read its record on the Common Vulnerabilities and Exposures (CVE) List, including its CVSS scores and corresponding qualitative severity level.
Investigating and resolving a vulnerability in a dependency
GitHub recommends keeping all dependencies up-to-date.
Note: After you learn about a vulnerable dependency in your repository, you should investigate its impact on your project and verify that the vulnerability is resolved by the version change before you update the dependency. If a safe recommended version does not exist, we recommend removing the dependency altogether in favor of a similar, safe dependency, if one is available.
- Read the CVE record to learn more about the vulnerability and its severity level.
- Check to see how the vulnerable dependency is used in your project. If the vulnerability is in code that's actively used in your project, you should prioritize the update. For example, if your project uses a vulnerable dependency in test cases, it may have less risk than a vulnerable dependency that your project uses to directly process user input.
- Check the documentation for the dependency's recommended version to confirm that the recommended version resolves the vulnerability, and to confirm that the new version is backward compatible with your project.
- Confirm that updating the version will completely resolve the vulnerability for your project.
- Open a pull request to update the dependency to the recommended safe version and make any changes needed for compatibility. For more information, see "Viewing and updating vulnerable dependencies in your repository."
- Ensure that all of your project's tests pass and confirm that the functionality you're updating works correctly, then merge the pull request. For more information see, "About status checks."
- Notify project collaborators, owners of any forks of your project, and any projects that depend on yours of the recommended version change and tell them how the previously vulnerable dependency affected your project. For more information, see "Listing the projects that depend on a repository."
Note: GitHub's security features, such as security alerts, do not claim to catch all vulnerabilities. Though we are always trying to update our vulnerability database and alert you with our most up-to-date information, we will not be able to catch everything or alert you to known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough vulnerability review when necessary.
- MITRE's definition of "vulnerability"
- "Choosing the delivery method for your notifications"
- "Viewing and updating vulnerable dependencies in your repository"
- "Listing the packages that a repository depends on"
- "Managing alerts for vulnerable dependencies in your organization's repositories"
- "Understanding how GitHub uses and protects your data"