🛠️

Use GitHub innersource advisories to push private dependency fixes inside an enterprise

GitHub Advanced Security enterprise customers can now publish private innersource security advisories that trigger internal Dependabot alerts and fix PRs.

Original
Jul 9, 2026
Status & Access
Current access and latest update details.
Access
Free
Updated
Jul 9, 2026, 12:13 PM

GitHub innersource advisories are now generally available for enterprise security teams that need private vulnerability distribution inside one company. Use them when an internal package, shared service, or private fork has a flaw that should trigger Dependabot alerts and update pull requests without publishing the advisory to the public GitHub Advisory Database.

The workflow is narrow and useful: create or withdraw advisories through the REST API, keep visibility scoped to the enterprise, and let Dependabot notify repositories that depend on the affected component. It is a fit for internal platforms, monorepos split into reusable packages, and regulated teams that need coordinated remediation before public disclosure.

CheckWhat to verify
LicenseRequires active GitHub Code Security or GitHub Advanced Security.
ScopeAdvisories apply to the entire enterprise, not selected org groups.
LimitEach enterprise can have up to 2,000 active innersource advisories.
AutomationDependabot can create alerts and version update PRs for affected repos.
DisclosureAdvisory data stays private to the enterprise unless separately published.

Treat this as a private remediation lane, not a replacement for public CVEs or external disclosure when customers or open-source users are affected.

Discussion

Sign in to join the discussion and vote on comments.

No comments yet. Start the discussion.
Keep exploring

More from this topic

More in Tools & Apps