File: content/code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies.md
8 additions & 33 deletions
@@ -79,42 +79,17 @@ By following these practices, you can significantly reduce the risk posed by out
79
79
80
80
## How {% data variables.product.github %} can help
81
81
82
-
{% data variables.product.github %} offers several security features that can help maintain the security of your codebases:
82
+
{% data variables.product.github %} provides security features to help you maintain dependencies:
83
83
84
-
**Dependency graph**
84
+
**Dependency graph**: Tracks your project dependencies and identifies vulnerabilities. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
85
85
86
-
* Provides a tabular representation of your project's dependencies.
87
-
* The graph helps you understand the dependencies of your project and {% data variables.product.github %} uses this to identify vulnerable dependencies.
88
-
* For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
86
+
**Dependency review**: Catches insecure dependencies in pull requests before they're merged. In addition, the {% data variables.dependency-review.action_name %} can fail checks and, when required by branch protection rules, prevent pull requests that introduce vulnerabilities from being merged. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
89
87
90
-
**Dependency review**
88
+
**{% data variables.product.prodname_dependabot %}**: Automatically scans for vulnerabilities, creates alerts, and opens pull requests to update vulnerable or outdated dependencies. You can group multiple updates into single pull requests to streamline reviews. See [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
91
89
92
-
* Is integrated into your CI/CD pipeline, and allows you to catch insecure dependencies in your code at every pull request. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
90
+
**{% data variables.product.prodname_advisory_database %}**: Provides security advisories that power {% data variables.product.prodname_dependabot %}'s vulnerability detection. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database).{% ifversion fpt or ghec %}
93
91
94
-
* The {% data variables.dependency-review.action_name %} is a tool that can block the merging of pull requests if they introduce vulnerabilities or fail to update vulnerable dependencies. For more information, see "About the {% data variables.dependency-review.action_name %}" in [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#about-the-dependency-review-action).
92
+
**Private vulnerability reporting**: Enables maintainers to receive, discuss, and fix vulnerability reports in private before public disclosure. {% endif %}
93
+
**Security overview**: Shows your organization's security posture with dashboards for at-risk repositories, alert trends, and feature enablement status. See [AUTOTITLE](/code-security/security-overview/about-security-overview).
95
94
96
-
**{% data variables.product.prodname_dependabot %}**
97
-
98
-
***{% data variables.product.prodname_dependabot_alerts %}**: {% data variables.product.prodname_dependabot %} scans your dependencies for known vulnerabilities and automatically creates alerts when vulnerabilities are found in the repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
99
-
100
-
***{% data variables.product.prodname_dependabot_security_updates %}**: Automatically opens pull requests to update vulnerable dependencies to versions that do not have known vulnerabilities. This allows you to quickly review and merge fixes. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
101
-
102
-
***{% data variables.product.prodname_dependabot_version_updates %}**: Can also be configured to automatically open pull requests to update your dependencies to their latest versions regularly, ensuring you are always using current packages. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).
103
-
104
-
***Grouped updates**: Makes it easier to review and deploy pull requests for {% data variables.product.prodname_dependabot_updates %} by grouping several updates into a single pull request, see [About grouped security updates](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates) and examples in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#reducing-the-volume-of-dependabot-pull-requests)
105
-
106
-
**Security Advisories**{% ifversion fpt or ghec %}
107
-
108
-
***Private vulnerability reporting**: Allows maintainers to privately discuss, fix, and publish security advisories for their repositories. For more information, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).{% endif %}
109
-
110
-
***{% data variables.product.prodname_advisory_database %}**: A database of security advisories that is used by {% data variables.product.prodname_dependabot %} to identify vulnerabilities in your dependencies. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database).
111
-
112
-
**Security overview**
113
-
114
-
* You can keep an eye on the dashboards on the security overview page, which provide insights about your organization or enterprise's security landscape and progress. It helps users identify repositories that need attention and monitor the health of their application security program. For example, you can see a summary of an organization's security risk, trends in detection, remediation, and prevention of security alerts, as well as the enablement status of {% data variables.product.github %}'s security features. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview).
115
-
116
-
**Security policy**
117
-
118
-
* You can create a `SECURITY.md` file in your repository that outlines the security policies and procedures for reporting and handling security issues. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository).
119
-
120
-
For additional guidance across the whole supply chain using {% data variables.product.github %}'s security features, see [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview).
95
+
For end-to-end supply chain guidance, see [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview).
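Review bot: The rewritten **Private vulnerability reporting** entry (the `+` line ending in `{% endif %}`) is the only item in the new list without a "See [AUTOTITLE](...)" link, while the removed version linked to /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability; restoring that link before `{% endif %}` keeps the setup page reachable from this list. Two topics in the deleted block have no counterpart in the new text: the **Security policy** item (`SECURITY.md` and its link to /code-security/getting-started/adding-a-security-policy-to-your-repository), and the separate links for {% data variables.product.prodname_dependabot_security_updates %}, {% data variables.product.prodname_dependabot_version_updates %} and grouped updates. The new {% data variables.product.prodname_dependabot %} line describes those behaviours (opening update pull requests, grouping them) but links only to the alerts article, so at least the version-updates and grouped-updates links are worth keeping, and the `SECURITY.md` guidance should either get its own line or be folded into the private vulnerability reporting entry. Minor: `before public disclosure. {% endif %}` leaves a trailing space in the rendered output when the condition is true; `disclosure.{% endif %}` matches how `{% ifversion fpt or ghec %}` is attached directly to the end of the preceding line.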