Summary

Completed

The goal of this module was to explain how you can use GitHub tools to help manage your dependencies and identify vulnerabilities that can affect your project's security.

GitHub Dependabot is enabled by default for all public repositories. You can also use the Dependabot features in private repositories by enabling the dependency graph and Dependabot. When enabled, Dependabot alerts notify you of vulnerabilities in your dependencies, and security updates automatically generate pull requests that try to fix them. Version updates also automatically generate pull requests to update your dependencies to the latest nonbreaking version.

You learned how to configure your notifications based on how you want to receive alerts about vulnerabilities in your repository. You also learned how to use the security digest email as a concise way to receive a daily or weekly summary of alerts.

Finally, you learned about dependency review and how to configure the dependency review action to analyze dependency changes on every pull request. Using these tools makes it easier to understand and manage your dependencies to better protect your projects on GitHub.

Learn more

Use these links to learn more about the information we covered in this module:

• Securing your software supply chain
• Keeping your supply chain secure with Dependabot
• About the dependency graph
• Supported package ecosystems
• Exporting a software bill of materials for your repository
• What is Dependabot?
• About supply chain security
• About Dependabot alerts
• Configuring Dependabot alerts
• Viewing and updating Dependabot alerts
• Managing security and analysis settings for your repository
• Dependabot quickstart guide
• Managing pull requests for dependency updates
• About Dependabot version updates
• Configuring Dependabot version updates
• List dependencies configured for version updates
• Configuration options for the dependabot.yml file
• Configuring notifications for Dependabot alerts
• About Dependabot security updates
• Configuring Dependabot security updates
• Managing security and analysis settings for your organization
• GitHub GraphQL API documentation
• Configuring notifications for Dependabot alerts
• Configuring notifications
• About Dependabot autotriage rules
• Use GitHub preset rules to prioritize Dependabot alerts
• Customizing autotriage rules to prioritize Dependabot alerts
• Managing alerts that a Dependabot autotriage rule automatically dismissed
• About the GraphQL API
• Introduction to GraphQL
• Using the Explorer
• Forming calls with GraphQL
• Configuring dependency review
• The dependency-review-action
• GitHub Action: Dependency Review
• Review dependency changes in a pull request