About GitHub Security Advisories

You can use GitHub Security Advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.

Anyone with admin permissions to a repository can create a security advisory.

Anyone with admin permissions to a repository also has admin permissions to all security advisories in that repository. People with admin permissions to a security advisory can add collaborators, and collaborators have write permissions to the security advisory.

About GitHub Security Advisories

GitHub Security Advisories allows repository maintainers to privately discuss and fix a security vulnerability in a project. After collaborating on a fix, repository maintainers can publish the security advisory to publicly disclose the security vulnerability to the project's community. By publishing security advisories, repository maintainers make it easier for their community to update package dependencies and research the impact of the security vulnerabilities.

With GitHub Security Advisories, you can:

  1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project.
  2. Privately collaborate to fix the vulnerability in a temporary private fork.
  3. Publish the security advisory to alert your community of the vulnerability.

To get started, see "Creating a security advisory."

You can create a security policy to give people instructions for responsibly reporting security vulnerabilities in your project. For more information, see "Adding a security policy to your repository."

You can also join GitHub Security Lab to browse security-related topics and contribute to security tools and projects.

CVE identification numbers

GitHub Security Advisories builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list. GitHub is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers. For more information, see "About CVE" and "CVE Numbering Authorities" on the CVE website.

When you create a security advisory for a public repository on GitHub, you have the option of providing an existing CVE identification number for the security vulnerability. If you don't already have a CVE identification number for the security vulnerability in your project, you can request a CVE identification number from GitHub. Assigning a CVE identification number generally takes 72 hours or less. For more information, see "Publishing a security advisory."

Security alerts for published security advisories

GitHub will review each published security advisory, add it to the GitHub Advisory Database, and may use the security advisory to send security alerts to affected repositories. If the security advisory comes from a fork, we'll only send an alert if the fork owns a package, published under a unique name, on a public package registry. This process can take up to 72 hours and GitHub may contact you for more information.

For more information about security alerts, see "About security alerts for vulnerable dependencies." For more information about GitHub Advisory Database, see "Browsing security vulnerabilities in the GitHub Advisory Database."
