---
title: Dependabot malware alerts
shortTitle: Malware alerts
intro: '{% data variables.product.prodname_dependabot_malware_alerts %} help you identify malware in your dependencies to protect your project and its users.'
product: '{% data reusables.gated-features.dependabot-malware-alerts %}'
versions:
  feature: dependabot-malware-alerts
contentType: concepts
category:
  - Secure your dependencies
redirect_from:
  - /code-security/concepts/supply-chain-security/dependabot-malware-alerts
---

Software often relies on packages from various sources, creating dependency relationships that can threaten your project's security. For example, bad actors can use malicious packages to execute malware attacks, gaining access to your code, data, users, and contributors.

To help keep your project secure, {% data variables.product.prodname_dependabot %} can check your dependencies for known malicious packages, then create alerts with suggested remediation steps.

## When {% data variables.product.prodname_dependabot %} sends {% data variables.product.prodname_dependabot_malware_alerts_short %}

{% data variables.product.prodname_dependabot %} sends {% data variables.product.prodname_dependabot_malware_alerts_short %} when a package in your repository's default branch is flagged as malicious. Alerts for existing dependencies are generated{% ifversion fpt or ghec %} as soon as the package is flagged on the {% data variables.product.prodname_advisory_database %}{% else %} when new advisory data arrives from {% data variables.product.prodname_dotcom_the_website %} (synced to your instance every hour){% endif %}.

Alerts are also generated when you push commits that add a known malicious package or update a package to a known malicious version.

> [!NOTE]
> If the ecosystem, name, and version of an internal package match those of a malicious public package, {% data variables.product.prodname_dependabot %} may generate a false positive alert.
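The matching rule described above (same ecosystem, package name, and version as a flagged public package) is easy to see with a small lockfile check. The following is an added example written for this page, not GitHub's or Dependabot's own code: it reads a constructed npm `package-lock.json`, compares each installed package against a constructed advisory list, and marks a hit as a likely false positive when the package was resolved from somewhere other than the public npm registry, which is the internal-package case the note warns about. All package names, versions, and registry URLs are made up.

```python
"""Added example (not GitHub's code): match malware advisories against the
packages recorded in an npm lockfile, and flag the internal-package case that
the page's note describes as a possible false positive."""
import json

# Constructed advisories in the shape the page describes: ecosystem, package
# name, affected versions, and patched version (None when no fixed version).
SAMPLE_ADVISORIES = [
    {"ecosystem": "npm", "name": "example-colors-helper",
     "affected_versions": {"1.4.2"}, "patched_version": "1.4.3"},
    {"ecosystem": "npm", "name": "acme-internal-logger",
     "affected_versions": {"2.0.0"}, "patched_version": None},
]

# Constructed package-lock.json (lockfileVersion 3 layout). The second
# package is resolved from a private registry, i.e. it is an internal package
# that happens to share a name and version with a flagged public package.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-colors-helper": {
            "version": "1.4.2",
            "resolved": "https://registry.npmjs.org/example-colors-helper/-/example-colors-helper-1.4.2.tgz",
        },
        "node_modules/acme-internal-logger": {
            "version": "2.0.0",
            "resolved": "https://npm.internal.example/acme-internal-logger/-/acme-internal-logger-2.0.0.tgz",
        },
        "node_modules/left-pad-ish": {
            "version": "0.9.1",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-0.9.1.tgz",
        },
    },
})

PUBLIC_REGISTRY = "https://registry.npmjs.org/"


def installed_packages(lockfile_text):
    """Yield (name, version, resolved) for every dependency in a v2/v3
    lockfile. The package name is whatever follows the last 'node_modules/',
    which also handles scoped (@org/name) and nested packages."""
    data = json.loads(lockfile_text)
    for path, entry in data.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, entry.get("version"), entry.get("resolved", "")


def match_advisories(lockfile_text, advisories, ecosystem="npm"):
    """Return one alert dict per installed package whose ecosystem, name and
    version appear in an advisory. `likely_false_positive` is True when the
    package was not resolved from the public registry (the internal-package
    case); a reviewer should confirm such hits before dismissing them."""
    by_name = {a["name"]: a for a in advisories if a["ecosystem"] == ecosystem}
    alerts = []
    for name, version, resolved in installed_packages(lockfile_text):
        adv = by_name.get(name)
        if adv and version in adv["affected_versions"]:
            alerts.append({
                "package": name,
                "version": version,
                "patched_version": adv["patched_version"],
                "likely_false_positive": not resolved.startswith(PUBLIC_REGISTRY),
            })
    return alerts


if __name__ == "__main__":
    for alert in match_advisories(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES):
        print(alert)
```

Running it reports both packages: the public one as a straightforward hit with its patched version, and the internal one flagged as a likely false positive because its `resolved` URL is not the public registry. The `resolved` field is only a heuristic; the page's note is the authoritative statement that such matches can be false positives and need a human look.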

## Alert contents

When {% data variables.product.prodname_dependabot %} detects a malicious dependency, a {% data variables.product.prodname_dependabot_malware_alert_short %} appears on the repository's {% data variables.product.prodname_security_and_quality_tab %} tab. Each alert includes:

* A link to the affected file
* Details about the malicious package, including the package name, affected versions, and the patched version (when available)
* Remediation steps

## Availability

Currently, {% data variables.product.prodname_dependabot_malware_alerts %} are available for packages in the npm ecosystem.

## Alert notifications

By default, {% data variables.product.github %} sends email notifications about new alerts to people who both:

* Have write, maintain, or admin permissions to a repository
* Are watching the repository and have enabled notifications for security alerts or for all activity on the repository

{% ifversion fpt or ghec %}On {% data variables.product.prodname_dotcom_the_website %}, you can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at https://github.com/settings/notifications.{% endif %}

If you are concerned about receiving too many notifications, we recommend using {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. See AUTOTITLE.

## Limitations

{% data variables.product.prodname_dependabot_malware_alerts %} have some limitations:

* Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
* New malware may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts.
* Only advisories reviewed by {% data variables.product.github %} trigger alerts.
* {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.
* {% data reusables.dependabot.dependabot-alert-actions-semver %}

{% data variables.product.github %} never publicly discloses malicious dependencies for any repository.

## Next steps

To start protecting your project from malicious dependencies, see AUTOTITLE.