The documentation is updated frequently and each update is published as it is made, so parts of this page's translation may still be incomplete. For the latest information, refer to the English documentation. If you find a problem with the translation of this page, please contact us.

Configuring GitHub Dependabot security updates

You can use GitHub Dependabot security updates or manual pull requests to easily update vulnerable dependencies.


About GitHub Dependabot security updates

You can enable GitHub Dependabot security updates for any repository that uses security alerts and the dependency graph. You can disable GitHub Dependabot security updates for an individual repository or for all repositories owned by your user account or organization.

When you receive a security alert about a vulnerable dependency in your repository, you can resolve the vulnerability using a security update in a pull request generated by GitHub Dependabot. Security updates are available in repositories that use the dependency graph. By default, GitHub Dependabot automatically creates a pull request in your repository that upgrades the vulnerable dependency to the lowest version that is not affected by the vulnerability, keeping the change as small as possible. If you prefer, you can disable automatic pull requests and manually create pull requests to upgrade dependencies only when you choose to.

Security updates contain everything you need to quickly and safely review and merge a proposed fix into your project, including information about the vulnerability like release notes, changelog entries, and commit details.

Security updates are pull requests opened by GitHub Dependabot. The GitHub Dependabot GitHub App is automatically installed on every repository where security updates are enabled.

People with access to your repository's security alerts will see a link to the relevant security alert in the pull request; other people with access to the pull request will not be able to see which vulnerability the pull request resolves.

When you merge a pull request that contains a security update, the corresponding security alert is marked as resolved for your repository.

Note: GitHub Dependabot security updates only resolve security vulnerabilities in your dependencies. Security updates are not created to resolve vulnerabilities in private registries or packages hosted in private repositories.

Supported repositories

GitHub automatically enables GitHub Dependabot security updates for every repository that meets these requirements.

Note: For repositories created before November 2019, GitHub has automatically enabled GitHub Dependabot security updates if the repository meets the following criteria and has received at least one push since May 23, 2019.

Requirement | More information
Repository is not a fork | "About forks"
Repository is not archived | "Archiving repositories"
Repository is public, or repository is private and you have enabled read-only analysis by GitHub, dependency graph, and vulnerability alerts in the repository's settings | "Opting into data use for your private repository"
Repository contains a dependency manifest file from a package ecosystem that GitHub supports | "Supported package ecosystems"
GitHub Dependabot security updates are not disabled for the repository | "Managing GitHub Dependabot security updates for your repository"
Repository is not already using an integration for dependency management | "About integrations"

If security updates are not enabled for your repository and you don't know why, you can contact support.

About compatibility scores

GitHub Dependabot security updates also include compatibility scores to let you know whether upgrading a vulnerable dependency could introduce breaking changes to your project. We look at previously passing CI tests from public repositories where we've generated a given security update to learn whether the update causes tests to fail. An update's compatibility score is the percentage of CI runs that passed when updating between the relevant versions of the dependency. A high score is evidence from other projects' test suites, not a guarantee for yours, so still run your own CI on the pull request before merging.

Managing GitHub Dependabot security updates for your repository

You can enable or disable GitHub Dependabot security updates for an individual repository.

GitHub Dependabot security updates require specific repository settings. For more information, see "Supported repositories."

Note: The code scanning and secret scanning beta includes a new experience for managing security and analysis settings. If you're participating in the beta, skip the following steps and see "Managing security and analysis settings for your repository."

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
    Security tab
  3. In the security sidebar, click Dependabot alerts.
    Dependabot alerts tab
  4. Above the list of alerts, use the drop-down menu and select or unselect Dependabot security updates.
    Drop-down menu with the option to enable GitHub Dependabot security updates
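The same two pieces of work, checking the "Supported repositories" requirements and then enabling security updates for one repository, can be scripted against the GitHub REST API. The example below is added here and is not code from the GitHub documentation. It assumes a token in GITHUB_TOKEN that can read the repository and its alert settings, and it uses the public endpoints GET /repos/{owner}/{repo} (fork and archived flags), GET and PUT /repos/{owner}/{repo}/vulnerability-alerts (204 means alerts are on, 404 means off; PUT opts the repository in), and PUT /repos/{owner}/{repo}/automated-security-fixes (enables Dependabot security updates). The repository object has no single flag for "contains a supported manifest", so that is passed in by the caller; the repository name octo-org/widget and the FakeGitHub stand-in are constructed so the script runs offline.

```python
"""Added example (not GitHub's code): audit the 'Supported repositories'
requirements and enable Dependabot security updates over the REST API.
Assumes GITHUB_TOKEN can read the repo and its alert settings, and uses:
  GET /repos/{owner}/{repo}                           fork / archived flags
  GET /repos/{owner}/{repo}/vulnerability-alerts      204 = alerts on, 404 = off
  PUT /repos/{owner}/{repo}/vulnerability-alerts      opt the repo in to alerts
  PUT /repos/{owner}/{repo}/automated-security-fixes  enable security updates
Whether the repo holds a supported manifest is passed in by the caller.
"""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"


def github_request(method, path, token, body=None):
    """Real HTTP call; returns (status, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", "token " + token)
    req.add_header("Accept", "application/vnd.github+json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


class FakeGitHub:
    """Offline stand-in with the same request contract, holding one
    constructed repository, so the script runs with no network access."""

    def __init__(self, repo, alerts_on=False):
        self.repo, self.alerts_on, self.updates_on = dict(repo), alerts_on, False

    def __call__(self, method, path, token, body=None):
        if method == "GET" and path == "/repos/" + self.repo["full_name"]:
            return 200, dict(self.repo)
        if path.endswith("/vulnerability-alerts"):
            if method == "PUT":
                self.alerts_on = True
            return (204 if self.alerts_on else 404), None
        if method == "PUT" and path.endswith("/automated-security-fixes"):
            self.updates_on = True
            return 204, None
        return 404, None


# Constructed sample: the fields of GET /repos/{owner}/{repo} used below.
SAMPLE_REPO = {"full_name": "octo-org/widget", "fork": False,
               "archived": False, "private": True}


def blocking_reasons(repo, alerts_on, has_supported_manifest, uses_integration=False):
    """The 'Supported repositories' table as a check; empty list = eligible."""
    reasons = []
    if repo.get("fork"):
        reasons.append("repository is a fork")
    if repo.get("archived"):
        reasons.append("repository is archived")
    if not alerts_on:  # private repos must opt in to dependency graph + alerts
        reasons.append("Dependabot alerts (and dependency graph) are not enabled")
    if not has_supported_manifest:
        reasons.append("no manifest file from a supported package ecosystem")
    if uses_integration:
        reasons.append("another dependency-management integration is in use")
    return reasons


def alerts_enabled(owner, name, token, request):
    status, _ = request("GET", f"/repos/{owner}/{name}/vulnerability-alerts", token)
    return status == 204


def enable_security_updates(owner, name, token, has_supported_manifest,
                            request=github_request, opt_in_alerts=True):
    """Enable security updates if the repo qualifies; return unmet requirements.
    [] means updates are now on. With opt_in_alerts=True a repo that has not
    opted in to Dependabot alerts is opted in first, as the Security tab does."""
    status, repo = request("GET", f"/repos/{owner}/{name}", token)
    if status != 200 or repo is None:
        return [f"cannot read repository (HTTP {status})"]
    if opt_in_alerts and not alerts_enabled(owner, name, token, request):
        request("PUT", f"/repos/{owner}/{name}/vulnerability-alerts", token)
    reasons = blocking_reasons(repo, alerts_enabled(owner, name, token, request),
                               has_supported_manifest)
    if reasons:
        return reasons
    status, _ = request("PUT", f"/repos/{owner}/{name}/automated-security-fixes", token)
    return [] if status == 204 else [f"enabling security updates failed (HTTP {status})"]


if __name__ == "__main__":
    fake = FakeGitHub(SAMPLE_REPO)  # offline; use request=github_request live
    print(enable_security_updates("octo-org", "widget", "", True, request=fake))
```

Run as-is it exercises the constructed private repository: alerts are opted in first, the requirement check passes, and the security-updates PUT is issued. Pass `request=github_request` with a real token to act on a live repository; pass `opt_in_alerts=False` if you want the script to report a missing alerts opt-in rather than change it, which is the safer default when auditing repositories you do not own.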

Managing GitHub Dependabot security updates for your user account

You can disable GitHub Dependabot security updates for all repositories owned by your user account. If you do, you can still enable GitHub Dependabot security updates for individual repositories owned by your user account.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
    Settings icon in the user bar
  2. In the user settings sidebar, click Security.
    Security settings sidebar
  3. Under "Dependabot security updates", select or deselect Opt out of Dependabot security updates.
    Checkbox to opt out of Dependabot security updates
  4. Click Save.

Managing GitHub Dependabot security updates for your organization

Organization owners can disable GitHub Dependabot security updates for all repositories owned by the organization. If you do, anyone with admin permissions to an individual repository owned by the organization can still enable GitHub Dependabot security updates on that repository.

Note: The code scanning and secret scanning beta includes a new experience for managing security and analysis settings. If you're participating in the beta, skip the following steps and see "Managing security and analysis settings for your repository."

  1. In the upper-right corner of GitHub, click your profile photo, then click Your profile.
    Profile photo
  2. On the left side of your profile page, under "Organizations", click the icon for your organization.
    Organization icon
  3. Under your organization name, click Settings.
    Organization settings button
  4. In the organization settings sidebar, click Security.
    Security settings
  5. Under "Dependabot security updates", select or deselect Opt out of Dependabot security updates.
    Checkbox to opt out of Dependabot security updates
  6. Click Save.
