Topic

#supply-chain

Loot, blog posts and adjacent themes connected to this topic. Follow the tag to keep it in your orbit.

#supply-chain
Loot

More from this topic

Explore all loot

Use GitHub innersource advisories to push private dependency fixes inside an enterprise

0
#github#security#dependabot#supply-chain#enterprise
GitHub Advanced Security enterprise customers can now publish private innersource security advisories that trigger internal Dependabot alerts and fix PRs. GitHub innersource advisories are now generally available for enterprise security teams that need private vulnerability distribution inside one company. Use them when an internal package, shared service, or private fork has a flaw that should trigger Dependabot alerts and update pull requests without publishing the advisory to the public GitHub Advisory Database. The workflow is narrow and useful: create or withdraw advisories through the REST API, keep visibility scoped to the enterprise, and let Dependabot notify repositories that depend on the affected component. It is a fit for internal platforms, monorepos split into reusable packages, and regulated teams that need coordinated remediation before public disclosure. Check What to verify --- --- License Requires active GitHub Code Security or GitHub Advanced Security. Scope Advisories apply to the entire enterprise, not selected org groups. Limit Each enterprise can have up to 2,000 active innersource advisories. Automation Dependabot can create alerts and version update PRs for affected repos. Disclosure Advisory data stays private to the enterprise unless separately published. Treat this as a private remediation lane, not a replacement for public CVEs or external disclosure when customers or open-source users are affected.
View
Free
Open
Blog

Related reads

Browse blog
No blog posts for #supply-chain yet

There is no published article with this tag right now. Browse the blog for adjacent themes or follow the tag for future updates.