
Configuring automated security fixes

You can use automated or manual pull requests to easily update vulnerable dependencies.


About automated security fixes

Note: Automated security fixes are available in beta and are subject to change.

You can enable automated security fixes for any repository that uses security alerts and the dependency graph. We'll automatically enable automated security fixes in every repository that uses security alerts and the dependency graph over the next few months, starting in May 2019. You can disable automated security fixes for an individual repository or for all repositories owned by your user account or organization.

When you receive a security alert about a vulnerable dependency in your repository, you can resolve the vulnerability using an automated security fix in a pull request that corresponds to the security alert. Automated security fixes are available in repositories that use the dependency graph. By default, GitHub automatically creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. If you prefer, you can disable automatic pull requests and manually create pull requests to upgrade dependencies only when you choose to.

Automated security pull requests contain everything you need to quickly and safely review and merge a proposed fix into your project, including information about the vulnerability such as release notes, changelog entries, and commit details.

Automated security fixes are opened by Dependabot on behalf of GitHub. The Dependabot GitHub App is automatically installed on every repository where automated security fixes are enabled.

People with access to your repository's security alerts will see a link to the relevant security alert, although other people with access to the pull request will not be able to see which vulnerability the pull request resolves.

When you merge a pull request that contains an automated security fix, the corresponding security alert is marked as resolved for your repository.

Note: Automated security fixes resolve security vulnerabilities only. Automated security fixes are not created to resolve vulnerabilities in private registries or packages hosted in private repositories.

About compatibility scores

Automated security fixes also include compatibility scores to let you know whether updating a vulnerable dependency could cause breaking changes to your project. We look at previously-passing CI tests from public repositories where we've generated a given automated security fix to learn whether the update causes tests to fail. An update's compatibility score is the percentage of CI runs that passed when updating between the relevant versions of the dependency.

Managing automated security fixes for your repository

You can enable or disable automated security fixes for an individual repository.

Before you can enable automated security fixes, you must enable the dependency graph and security alerts for your repository. For more information, see "Opting into or out of data use for your repository."

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

    Security tab

  3. Above the list of alerts, use the drop-down menu and select or unselect Automated security fixes.

    Drop-down menu with the option to enable automated security fixes
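The same per-repository procedure, scripted against the GitHub REST API so it can be applied consistently across many repositories; this is an added example, not GitHub's own code, and it assumes a token with admin access to the repository in GITHUB_TOKEN and that the dependency graph is already enabled (the other prerequisite named above).

```python
# Added example (not GitHub's own code): enforce the prerequisite ordering from
# the page, i.e. security alerts must be on before automated fixes are enabled.
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"


def github_request(method, path, token=None):
    """One REST call; returns (HTTP status, decoded JSON body or None)."""
    req = urllib.request.Request(API + path, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", "token " + (token or os.environ.get("GITHUB_TOKEN", "")))
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def alerts_enabled(owner, repo, request=github_request):
    # GET .../vulnerability-alerts answers 204 when alerts are on, 404 when off.
    status, _ = request("GET", f"/repos/{owner}/{repo}/vulnerability-alerts")
    return status == 204


def automated_fixes_state(owner, repo, request=github_request):
    # GET .../automated-security-fixes returns {"enabled": bool, "paused": bool}.
    status, body = request("GET", f"/repos/{owner}/{repo}/automated-security-fixes")
    return body if status == 200 and body else {"enabled": False, "paused": False}


def ensure_automated_fixes(owner, repo, request=github_request, enable_alerts=False):
    """Return one of 'alerts-missing', 'already-enabled', 'enabled', 'failed'."""
    if not alerts_enabled(owner, repo, request):
        if not enable_alerts:
            return "alerts-missing"
        # Prerequisite first: PUT turns security alerts on (204 on success).
        status, _ = request("PUT", f"/repos/{owner}/{repo}/vulnerability-alerts")
        if status != 204:
            return "failed"
    if automated_fixes_state(owner, repo, request)["enabled"]:
        return "already-enabled"
    status, _ = request("PUT", f"/repos/{owner}/{repo}/automated-security-fixes")
    return "enabled" if status == 204 else "failed"


if __name__ == "__main__":
    import sys
    print(ensure_automated_fixes(sys.argv[1], sys.argv[2], enable_alerts=True))
```

The `request` parameter exists so the decision logic can be exercised against a recorded or fake transport without touching the live API.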

Managing automated security fixes for your user account

You can disable automated security fixes for all repositories owned by your user account. If you do, you can still enable automated security fixes for individual repositories owned by your user account.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Settings icon in the user bar

  2. In the user settings sidebar, click Security.

    Security settings sidebar

  3. Under "Automated security fixes", select or deselect Opt out of automated security fixes.

    Checkbox to opt out of automated security fixes

  4. Click Save.

Managing automated security fixes for your organization

Organization owners can disable automated security fixes for all repositories owned by the organization. If you do, anyone with admin permissions to an individual repository owned by the organization can still enable automated security fixes on that repository.

  1. In the upper-right corner of GitHub, click your profile photo, then click Your profile.

    Profile photo

  2. On the left side of your profile page, under "Organizations", click the icon for your organization.

    Organization icon

  3. Under your organization name, click Settings.

    Organization settings button

  4. In the organization settings sidebar, click Security.

    Security settings

  5. Under "Automated security fixes", select or deselect Opt out of automated security fixes.

    Checkbox to opt out of automated security fixes

  6. Click Save.
