---
title: Dependabot malware alerts
shortTitle: Malware alerts
intro: '{% data variables.product.prodname_dependabot_malware_alerts %} help you identify malware in your dependencies to protect your project and its users.'
product: '{% data reusables.gated-features.dependabot-malware-alerts %}'
versions:
contentType: concepts
category:
redirect_from:
---
Software often relies on packages from many sources, and each dependency is code that runs with your project's privileges. Bad actors exploit this by publishing malicious packages, or malicious versions of existing packages, that execute malware when installed or run, giving them access to your code, data, users, and contributors.

To help keep your project secure, {% data variables.product.prodname_dependabot %} checks your dependencies against known malicious packages and creates alerts with suggested remediation steps.
## When {% data variables.product.prodname_dependabot %} sends {% data variables.product.prodname_dependabot_malware_alerts_short %}
{% data variables.product.prodname_dependabot %} sends {% data variables.product.prodname_dependabot_malware_alerts_short %} when a package in your repository's default branch is flagged as malicious. Alerts for existing dependencies are generated{% ifversion fpt or ghec %} as soon as the package is flagged on the {% data variables.product.prodname_advisory_database %}{% else %} when new advisory data arrives from {% data variables.product.prodname_dotcom_the_website %} (synced to your instance every hour){% endif %}.
Alerts are also generated when you push commits that add a known malicious package or update a package to a known malicious version.
> [!NOTE]
> Matching is done on package coordinates, not package contents. If the ecosystem, name, and version of an internal package match those of a malicious public package, {% data variables.product.prodname_dependabot %} may generate a false positive alert. Check which registry the package was actually resolved from before acting on such an alert.
When {% data variables.product.prodname_dependabot %} detects a malicious dependency, a {% data variables.product.prodname_dependabot_malware_alert_short %} appears on the repository's {% data variables.product.prodname_security_and_quality_tab %} tab. Each alert includes:
- A link to the affected file
- Details about the malicious package, including the package name, affected versions, and the patched version (when available)
- Remediation steps
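The matching described above (ecosystem, name, and version against a list of known malicious packages, plus the registry check that separates an internal name collision from a real hit) is easy to reproduce locally over an npm lockfile. The following is an added example written for this page; it is not {% data variables.product.prodname_dependabot %}'s code and does not use the {% data variables.product.prodname_advisory_database %} API. The advisory record shape, the `package-lock.json` sample, and the package names are constructed for illustration, and the range parser handles only a simplified subset of semver (ANDed comparators, no `||`, no pre-release ordering).

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3 "packages" map)
// against a constructed list of malicious-package advisories, the way a
// coordinate-based malware check works. Not Dependabot's code; advisory shape,
// sample lockfile and package names are all constructed for this example.

// Constructed advisory list (shape assumed for this example, not the Advisory Database API).
const MALICIOUS_ADVISORIES = [
  { ecosystem: 'npm', name: 'acme-utils', vulnerableRange: '>=1.2.0 <1.2.3', patched: '1.2.3' },
  { ecosystem: 'npm', name: '@internal/logger', vulnerableRange: '=0.9.0', patched: null },
];

// Constructed sample lockfile: one real hit, one clean package, and one internal package
// whose name/version collide with a malicious public package (the false-positive case).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/acme-utils': { version: '1.2.1', resolved: 'https://registry.npmjs.org/acme-utils/-/acme-utils-1.2.1.tgz' },
    'node_modules/left-pad-ish': { version: '2.0.0', resolved: 'https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-2.0.0.tgz' },
    'node_modules/@internal/logger': { version: '0.9.0', resolved: 'https://npm.corp.example/@internal/logger/-/logger-0.9.0.tgz' },
  },
};

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are dropped (simplification).
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range = space-separated comparators ANDed together, e.g. ">=1.2.0 <1.2.3" or "=0.9.0".
function inRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(clause);
    const op = m[1] || '=';
    const c = compareVersions(version, m[2]);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
  });
}

// Package name from a "packages" key; nested deps use the last node_modules segment.
function nameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? null : p.slice(idx + 'node_modules/'.length);
}

// Returns one finding per (installed package, matching advisory). A finding whose tarball
// was resolved from somewhere other than the public registry is flagged as a possible
// false positive (internal package colliding with a malicious public name) rather than dropped.
function auditLockfile(lock, advisories, publicRegistry = 'https://registry.npmjs.org/') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (!name || !entry.version) continue; // root project entry or workspace link
    for (const adv of advisories) {
      if (adv.ecosystem !== 'npm' || adv.name !== name) continue;
      if (!inRange(entry.version, adv.vulnerableRange)) continue;
      const resolved = entry.resolved || '';
      findings.push({
        path,
        name,
        version: entry.version,
        patched: adv.patched,
        possibleFalsePositive: resolved !== '' && !resolved.startsWith(publicRegistry),
      });
    }
  }
  return findings;
}

// Usage: run over the constructed lockfile and print what an alert would carry.
for (const f of auditLockfile(SAMPLE_LOCK, MALICIOUS_ADVISORIES)) {
  const fix = f.patched ? `upgrade to ${f.patched}` : 'no patched version; remove the package';
  console.log(`${f.path}: ${f.name}@${f.version} flagged (${fix})` +
    (f.possibleFalsePositive ? ' [resolved from a private registry: possible false positive]' : ''));
}
```

The `possibleFalsePositive` flag is the practical check behind the note above: an internal package that happens to share a name and version with a malicious public package is indistinguishable by coordinates alone, so the `resolved` URL in the lockfile is the cheapest signal for telling the two apart. It is a hint for triage, not proof; a package fetched from a private registry that mirrors the public one can still be the malicious artifact.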
Currently, {% data variables.product.prodname_dependabot_malware_alerts %} are available for packages in the npm ecosystem.
By default, {% data variables.product.github %} sends email notifications about new alerts to people who both:
- Have write, maintain, or admin permissions to a repository
- Are watching the repository and have enabled notifications for security alerts or for all activity on the repository
{% ifversion fpt or ghec %} On {% data variables.product.prodname_dotcom_the_website %}, you can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at https://github.com/settings/notifications. {% endif %}
If you are concerned about receiving too many notifications, we recommend using {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. See AUTOTITLE.
{% data variables.product.prodname_dependabot_malware_alerts %} have some limitations:
- Alerts can't catch every security issue. Detection depends on the manifest and lock files {% data variables.product.prodname_dependabot %} can read, so keep them up to date and review your dependencies yourself as well.
- New malware may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts, so a clean result does not mean a package is safe.
- Only advisories reviewed by {% data variables.product.github %} trigger alerts.
- {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.
- {% data reusables.dependabot.dependabot-alert-actions-semver %}
{% data variables.product.github %} never publicly discloses malicious dependencies for any repository.
To start protecting your project from malicious dependencies, see AUTOTITLE.