
Configuring automated security updates

You can update vulnerable dependencies easily, using either automated or manually created pull requests.


About automated security updates

You can enable automated security updates for any repository that uses security alerts and the dependency graph. You can disable automated security updates for an individual repository or for all repositories owned by your user account or organization.

When you receive a security alert about a vulnerable dependency in your repository, you can resolve the vulnerability with an automated security update: a pull request that corresponds to the security alert. By default, GitHub automatically creates a pull request in your repository that updates the vulnerable dependency to the minimum version necessary to avoid the vulnerability, rather than to the latest release. You can also disable automatic pull requests and instead open pull requests manually, updating vulnerable dependencies at your own discretion.
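The "minimum version necessary to avoid the vulnerability" rule is worth seeing in code, because it is what keeps the automated pull request small: the fix is the first published release above the current one that no advisory range covers, not the newest release. The following is an added example written for this page, not GitHub's or Dependabot's own code. The version list, the advisory ranges and the simplified range syntax (`"< 4.17.21"`, `">= 4.0.0, < 4.17.21"`) are constructed for the demonstration.

```python
"""Pick the smallest non-vulnerable version of a dependency.

Added example, not GitHub's or Dependabot's implementation. The version
list, the advisory ranges and the range syntax below are constructed for
the demonstration; real advisories use richer range expressions.
"""
from __future__ import annotations

import operator
import re
from typing import Callable

_OPS: dict[str, Callable[[tuple[int, ...], tuple[int, ...]], bool]] = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt,
    ">=": operator.ge, "=": operator.eq, "==": operator.eq,
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.17.21' into (4, 17, 21). Only plain numeric versions are handled."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))  # pad so that 4.17 == 4.17.0


def parse_range(spec: str) -> list[tuple[str, tuple[int, ...]]]:
    """'>= 4.0.0, < 4.17.21' -> [('>=', (4, 0, 0)), ('<', (4, 17, 21))]."""
    clauses = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>|=)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def is_vulnerable(version: str, vulnerable_ranges: list[str]) -> bool:
    """A version is affected if it satisfies every clause of any advisory range."""
    v = parse_version(version)
    return any(
        all(_OPS[op](v, bound) for op, bound in parse_range(spec))
        for spec in vulnerable_ranges
    )


def minimum_safe_version(current: str, available: list[str],
                         vulnerable_ranges: list[str]) -> str | None:
    """Smallest published version above `current` that no advisory range covers.

    Returns None when no fixed version has been published yet; in that case no
    automated pull request can be raised and the alert has to be handled some
    other way (drop the dependency, pin a patched fork, or wait for a release).
    """
    cur = parse_version(current)
    candidates = sorted(
        (v for v in available if parse_version(v) > cur), key=parse_version
    )
    for v in candidates:
        if not is_vulnerable(v, vulnerable_ranges):
            return v
    return None


# Constructed data: releases of a hypothetical package and two advisory ranges,
# one for the 4.x line and one for the first 5.x release.
SAMPLE_VERSIONS = ["4.17.15", "4.17.19", "4.17.20", "4.17.21", "5.0.0", "5.0.1"]
SAMPLE_RANGES = [">= 4.0.0, < 4.17.21", ">= 5.0.0, < 5.0.1"]

if __name__ == "__main__":
    # From 4.17.15 the fix is 4.17.21, not the newer 5.0.1.
    print(minimum_safe_version("4.17.15", SAMPLE_VERSIONS, SAMPLE_RANGES))
    # From 5.0.0 the fix is the patch release 5.0.1.
    print(minimum_safe_version("5.0.0", SAMPLE_VERSIONS, SAMPLE_RANGES))
    # An advisory with no fixed release yields no candidate at all.
    print(minimum_safe_version("4.17.15", SAMPLE_VERSIONS, ["< 6.0.0"]))
```

The `None` case is the one to watch in practice: an alert without a published fix produces no pull request, so an open alert with no accompanying pull request is not necessarily a configuration problem.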

Automated security update pull requests include information about the vulnerability, such as release notes, changelog entries, and commit details: everything you need to review and merge the proposed fix quickly and safely.

Automated security updates are opened by Dependabot on behalf of GitHub. The Dependabot GitHub App is automatically installed on every repository where automated security updates are enabled.

Anyone with access to the repository's security alerts will see a link to the related security alert in the pull request. People who can access the pull request but not the repository's security alerts cannot see which vulnerability the pull request resolves.

When you merge a pull request that contains an automated security update, the corresponding security alert is marked as resolved for your repository.

Note: Automated security updates resolve security vulnerabilities only. Automated security updates are not created to resolve vulnerabilities in private registries or packages hosted in private repositories.

Supported repositories

GitHub automatically enables automated security updates for every repository that meets these requirements.

Note: For repositories created before November 2019, GitHub has automatically enabled automated security updates if the repository meets the following criteria and has received at least one push since May 23, 2019.

Requirement | Details
Repository is not a fork | "About forks"
Repository is not archived | "Archiving repositories"
Repository is public, or repository is private and you have enabled read-only analysis by GitHub, dependency graph, and vulnerability alerts in the repository's settings | "Opting into data use for your private repository"
Repository contains a dependency manifest file from a package ecosystem that GitHub supports | "Supported package ecosystems"
Automated security updates are not disabled for the repository | "Managing automated security updates for your repository"
Repository is not already using an integration for dependency management | "About integrations"

If automated security updates are not enabled for your repository and you don't know why, you can contact support.

About compatibility scores

Automated security updates also include a compatibility score, which tells you whether updating the vulnerable dependency could introduce breaking changes in your project. We look at previously passing CI tests from public repositories where we've generated the same automated security update to learn whether the update causes tests to fail. The compatibility score is the percentage of those CI runs that passed after updating between the relevant versions of the dependency.
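The score as defined above is a ratio over a filtered sample, and the filtering is the part that matters: only repositories whose CI was passing before the update carry information, and a handful of observations is not enough to call an update safe. The following is an added example written for this page, not GitHub's implementation. The `CiObservation` records, the repository names and the `minimum_samples` threshold are constructed assumptions.

```python
"""Compatibility score for a dependency update, as defined on this page.

Added example, not GitHub's implementation. Each record represents one
(hypothetical) public repository in which the same update was applied, with
the CI result before and after the update. All data is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CiObservation:
    repo: str            # hypothetical public repository name
    package: str         # dependency that was updated
    from_version: str    # version before the update
    to_version: str      # version the pull request updates to
    passed_before: bool  # CI status on the commit before the update
    passed_after: bool   # CI status on the automated pull request


def compatibility_score(observations: list[CiObservation],
                        minimum_samples: int = 5) -> int | None:
    """Percentage of previously passing CI runs that still pass after the update.

    Repositories whose CI was already failing are excluded: a red build that
    stays red says nothing about the update. With fewer than `minimum_samples`
    usable observations the score is None (unknown) rather than a misleading
    0 or 100 derived from one or two builds.
    """
    usable = [o for o in observations if o.passed_before]
    if len(usable) < minimum_samples:
        return None
    still_passing = sum(1 for o in usable if o.passed_after)
    return round(100 * still_passing / len(usable))


def compatibility_scores(observations: list[CiObservation],
                         minimum_samples: int = 5) -> dict[tuple[str, str, str], int | None]:
    """Score every distinct (package, from, to) update seen in the observations."""
    by_update: dict[tuple[str, str, str], list[CiObservation]] = defaultdict(list)
    for o in observations:
        by_update[(o.package, o.from_version, o.to_version)].append(o)
    return {key: compatibility_score(obs, minimum_samples) for key, obs in by_update.items()}


# Constructed observations for two updates of a hypothetical package "acme-lib".
SAMPLE = [
    CiObservation("org-a/api", "acme-lib", "4.17.15", "4.17.21", True, True),
    CiObservation("org-b/web", "acme-lib", "4.17.15", "4.17.21", True, True),
    CiObservation("org-c/cli", "acme-lib", "4.17.15", "4.17.21", True, False),  # broke
    CiObservation("org-d/lib", "acme-lib", "4.17.15", "4.17.21", False, False),  # already red
    CiObservation("org-e/svc", "acme-lib", "4.17.15", "4.17.21", True, True),
    CiObservation("org-f/app", "acme-lib", "4.17.15", "4.17.21", True, True),
    CiObservation("org-g/tool", "acme-lib", "4.17.15", "4.17.21", True, True),
    # Only two repositories have tried the 5.0.0 -> 5.0.1 update so far.
    CiObservation("org-h/api", "acme-lib", "5.0.0", "5.0.1", True, True),
    CiObservation("org-i/web", "acme-lib", "5.0.0", "5.0.1", True, True),
]

if __name__ == "__main__":
    for update, score in compatibility_scores(SAMPLE).items():
        print(update, "unknown" if score is None else f"{score}%")
```

For the 4.17.15 to 4.17.21 update, six repositories had passing CI beforehand and five still pass afterwards, so the score is 83%; the 5.0.0 to 5.0.1 update has too few observations and stays unknown. A high score is evidence from other projects' test suites, not yours, so it shortens review rather than replacing it.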

Managing automated security updates for your repository

You can enable or disable automated security updates for an individual repository.

Automated security updates require specific repository settings. For more information, see "Supported repositories."

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

    Security tab

  3. Above the list of alerts, use the drop-down menu and select or unselect Automated security updates.

    Drop-down menu with the option to enable automated security updates

Managing automated security updates for your user account

You can disable automated security updates for all repositories owned by your user account. If you do, you can still enable automated security updates for individual repositories owned by your user account.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Settings icon in the user bar

  2. In the user settings sidebar, click Security.

    Security settings sidebar

  3. Under "Automated security updates", select or deselect Opt out of automated security updates.

    Checkbox to opt out of automated security updates

  4. Click Save.

Managing automated security updates for your organization

Organization owners can disable automated security updates for all repositories owned by the organization. If you do, anyone with admin permissions to an individual repository owned by the organization can still enable automated security updates on that repository.

  1. In the top right corner of GitHub, click your profile photo, then click Your profile.

    Profile photo

  2. On the left side of your profile page, under "Organizations", click the icon for your organization.

    organization icons

  3. Under your organization name, click Settings.

    Organization settings button

  4. In the organization settings sidebar, click Security.

    Security settings

  5. Under "Automated security updates", select or deselect Opt out of automated security updates.

    Checkbox to opt out of automated security updates

  6. Click Save.
