
Configuring automated security updates

You can easily update vulnerable dependencies using automated or manual pull requests.


About automated security updates

You can enable automated security updates for any repository that uses security alerts and the dependency graph. You can disable automated security updates for an individual repository or for all repositories owned by your user account or organization.

When you receive a security alert about a vulnerable dependency in your repository, you can resolve the vulnerability using an automated security update in a pull request that corresponds to the security alert. Automated security updates are available in repositories that use the dependency graph. By default, GitHub automatically creates pull requests in your repository to upgrade vulnerable dependencies to the minimum secure version required to avoid the vulnerability. If you prefer, you can disable automatic pull requests and instead create a pull request manually to upgrade a dependency only when you need to.

Automated security pull requests include everything you need to review and merge the proposed fix into your project quickly and safely, including information about the vulnerability such as release notes, changelog entries, and commit details.

Automated security updates are opened by Dependabot on behalf of GitHub. The Dependabot GitHub App is automatically installed on every repository where automated security updates are enabled.

People with access to security alerts for the repository can see a link to the relevant security alert, but other people with access to the pull request cannot see which vulnerability the pull request resolves.

When you merge a pull request that contains an automated security update, the corresponding security alert is marked as resolved for your repository.

Note: Automated security updates resolve security vulnerabilities only. Automated security updates are not created to resolve vulnerabilities in private registries or packages hosted in private repositories.

Supported repositories

GitHub automatically enables automated security updates for every repository that meets these requirements.

Note: For repositories created before November 2019, GitHub has automatically enabled automated security updates if the repository meets the following criteria and has received at least one push since May 23, 2019.

Requirement | More information
----------- | ----------------
Repository is not a fork | "About forks"
Repository is not archived | "Archiving repositories"
Repository is public, or repository is private and you have enabled read-only analysis by GitHub, dependency graph, and vulnerability alerts in the repository's settings | "Opting into data use for your private repository"
Repository contains a dependency manifest file from a package ecosystem that GitHub supports | "Supported package ecosystems"
Automated security updates are not disabled for the repository | "Managing automated security updates for your repository"
Repository is not already using an integration for dependency management | "About integrations"

If automated security updates are not enabled for your repository and you don't know why, you can contact support.
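As an added example (not part of the original page and not GitHub's own code), the following Python script checks a repository against the rows of the table above that can be evaluated from repository metadata, and reads the per-repository setting that the "Managing automated security updates for your repository" section below toggles through the web UI. It assumes a token with read access in the GITHUB_TOKEN environment variable and uses GitHub's REST endpoints `GET /repos/{owner}/{repo}`, `.../vulnerability-alerts`, `.../automated-security-fixes` and `.../contents`; the set of manifest file names is an illustrative subset, not the authoritative list.

```python
"""Audit a repository against the "Supported repositories" table and read
its automated security updates setting.

Added example, not GitHub's own code. `unmet_requirements` is a pure
function over the JSON returned by GET /repos/{owner}/{repo} (`fork`,
`archived` and `private` are real fields of that response). `audit` calls
GitHub REST endpoints that exist at the time of writing; their exact
response shapes are an assumption to check against the API documentation
for your GitHub version.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"

# Illustrative subset of manifest file names from ecosystems the dependency
# graph supports (assumption; see "Supported package ecosystems").
SUPPORTED_MANIFESTS = {
    "package.json", "package-lock.json", "yarn.lock",
    "requirements.txt", "Pipfile", "Pipfile.lock",
    "Gemfile", "Gemfile.lock", "composer.json", "composer.lock", "pom.xml",
}


def unmet_requirements(repo, alerts_enabled, root_file_names, updates_state):
    """Return the table rows the repository fails, as short strings.

    repo            -- dict as returned by GET /repos/{owner}/{repo}
    alerts_enabled  -- True when dependency graph and vulnerability alerts
                       are on (only matters for private repositories)
    root_file_names -- names of the files in the repository root
    updates_state   -- dict from GET /repos/{owner}/{repo}/automated-security-fixes,
                       e.g. {"enabled": true, "paused": false}, or None if unknown
    The "not already using an integration for dependency management" row
    cannot be derived from metadata and is left to the reviewer.
    """
    problems = []
    if repo.get("fork"):
        problems.append("repository is a fork")
    if repo.get("archived"):
        problems.append("repository is archived")
    if repo.get("private") and not alerts_enabled:
        problems.append("private repository without dependency graph and vulnerability alerts")
    if not SUPPORTED_MANIFESTS.intersection(root_file_names):
        problems.append("no dependency manifest from a supported ecosystem")
    if updates_state is not None and not updates_state.get("enabled", False):
        problems.append("automated security updates disabled for the repository")
    return problems


def _get(path, token):
    """GET an API path and return (status, parsed JSON or None); 404 is data, not an error."""
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": f"token {token}",
                 "Accept": "application/vnd.github+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def audit(owner, name, token):
    """Collect the repository's state from the API and evaluate the table rows."""
    status, repo = _get(f"/repos/{owner}/{name}", token)
    if status != 200 or repo is None:
        raise RuntimeError(f"cannot read {owner}/{name}: HTTP {status}")
    # vulnerability-alerts answers 204 when alerts are enabled and 404 otherwise
    alerts_status, _ = _get(f"/repos/{owner}/{name}/vulnerability-alerts", token)
    _, updates_state = _get(f"/repos/{owner}/{name}/automated-security-fixes", token)
    _, contents = _get(f"/repos/{owner}/{name}/contents", token)
    root_files = {e["name"] for e in (contents or []) if e.get("type") == "file"}
    return unmet_requirements(repo, alerts_status == 204, root_files, updates_state)


if __name__ == "__main__":
    # usage: GITHUB_TOKEN=... python audit.py OWNER REPO
    owner, name = sys.argv[1], sys.argv[2]
    for line in audit(owner, name, os.environ["GITHUB_TOKEN"]) or ["meets every checkable requirement"]:
        print(line)
```

Run it as `GITHUB_TOKEN=... python audit.py OWNER REPO`; to audit an organization after the owner has opted out at organization level, loop the same call over the organization's repository list, since each repository can still be enabled individually.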

About compatibility scores

Automated security updates also include compatibility scores to let you know whether updating a vulnerable dependency could cause breaking changes to your project. We look at previously-passing CI tests from public repositories where we've generated a given automated security update to learn whether the update causes tests to fail. The compatibility score for an update is the percentage of CI runs that passed when updating between the relevant versions of the dependency.

Managing automated security updates for your repository

You can enable or disable automated security updates for an individual repository.

Automated security updates require specific repository settings. For more information, see "Supported repositories."

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

    Security tab

  3. Above the list of alerts, use the drop-down menu and select or unselect Automated security updates.

    Drop-down menu with the option to enable automated security updates

Managing automated security updates for your user account

You can disable automated security updates for all repositories owned by your user account. If you do, you can still enable automated security updates for individual repositories owned by your user account.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Settings icon in the user bar

  2. In the user settings sidebar, click Security.

    Security settings sidebar

  3. Under "Automated security updates", select or unselect Opt out of automated security updates.

    Opt out of automated security updates checkbox

  4. Click Save.

Managing automated security updates for your organization

Organization owners can disable automated security updates for all repositories owned by the organization. If you do, anyone with admin permissions to an individual repository owned by the organization can still enable automated security updates on that repository.

  1. In the upper-right corner of GitHub, click your profile photo, then click Your profile.

    Profile photo

  2. Under "Organizations" on the left side of your profile page, click the icon for your organization.

    Organization icon

  3. Under your organization name, click Settings.

    Organization settings button

  4. In your organization settings sidebar, click Security.

    Security settings

  5. Under "Automated security updates", select or unselect Opt out of automated security updates.

    Opt out of automated security updates checkbox

  6. Click Save.
