About alerts for vulnerable dependencies on GitHub Enterprise Server
To identify vulnerable dependencies in your repository and receive alerts about vulnerabilities, you need to enable two security features:
- The dependency graph
- Dependabot alerts
For more information, see "About the dependency graph" and "About alerts for vulnerable dependencies."
We add vulnerabilities to the GitHub Advisory Database from the following sources:
- The National Vulnerability Database
- A combination of machine learning and human review to detect vulnerabilities in public commits on GitHub
- Security advisories reported on GitHub
- The npm Security advisories database
You can connect your GitHub Enterprise Server instance to GitHub.com, then sync vulnerability data to your instance and generate Dependabot alerts in repositories with a vulnerable dependency.
After connecting your GitHub Enterprise Server instance to GitHub.com and enabling the dependency graph and Dependabot alerts for vulnerable dependencies, vulnerability data is synced from GitHub.com to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from your GitHub Enterprise Server instance is uploaded to GitHub.com.
When your GitHub Enterprise Server instance receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate Dependabot alerts. You can customize how you receive Dependabot alerts. For more information, see "Configuring notifications for vulnerable dependencies."
Enabling the dependency graph and Dependabot alerts on GitHub Enterprise Server
For your GitHub Enterprise Server instance to generate Dependabot alerts whenever vulnerabilities are detected on your repositories:
- You must connect your GitHub Enterprise Server instance to GitHub.com. For more information, see "Connecting GitHub Enterprise Server to GitHub Enterprise Cloud."
- You must enable the dependency graph.
You can enable the dependency graph via the Management Console or the administrative shell. We recommend you follow the Management Console route unless your GitHub Enterprise Server instance uses clustering.
Enabling the dependency graph via the Management Console
- Sign in to your GitHub Enterprise Server instance at
http(s)://HOSTNAME/login. - From an administrative account on GitHub Enterprise Server, click in the upper-right corner of any page.

- In the left sidebar, click Management Console.

- In the left sidebar, click Security.

- Under "Security," click Dependency graph.

- Under the left sidebar, click Save settings.

- Wait for the configuration run to complete.
- Click Visit your instance.
Enabling the dependency graph via the administrative shell
-
Sign in to your GitHub Enterprise Server instance at
http(s)://HOSTNAME/login. -
In the administrative shell, enable the dependency graph on your GitHub Enterprise Server instance:
$ ghe-config app.dependency-graph.enabled trueNote: For more information about enabling access to the administrative shell via SSH, see "Accessing the administrative shell (SSH)."
-
Apply the configuration.
$ ghe-config-apply -
Return to GitHub Enterprise Server.
Enabling Dependabot alerts
Before enabling Dependabot alerts for your instance, you need to enable the dependency graph. For more information, see above.
-
In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.

-
In the enterprise account sidebar, click GitHub Connect.

-
Under "Repositories can be scanned for vulnerabilities", use the drop-down menu and select Enabled without notifications. Optionally, to enable alerts with notifications, select Enabled with notifications.

We recommend configuring Dependabot alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive Dependabot alerts as usual.
Viewing vulnerable dependencies on GitHub Enterprise Server
You can view all vulnerabilities in your GitHub Enterprise Server instance and manually sync vulnerability data from GitHub.com to update the list.
- From an administrative account on GitHub Enterprise Server, click in the upper-right corner of any page.

- In the left sidebar, click Vulnerabilities.

- To sync vulnerability data, click Sync Vulnerabilities now.


