{"meta":{"title":"Dependabot malware alerts","intro":"Dependabot malware alerts help you identify malware in your dependencies to protect your project and its users.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/concepts","title":"Concepts"},{"href":"/en/code-security/concepts/supply-chain-security","title":"Supply chain security"},{"href":"/en/code-security/concepts/supply-chain-security/dependabot-malware-alerts","title":"Dependabot malware alerts"}],"documentType":"article"},"body":"# Dependabot malware alerts\n\nDependabot malware alerts help you identify malware in your dependencies to protect your project and its users.\n\nSoftware often relies on packages from various sources, creating dependency relationships that can threaten your project's security. For example, bad actors can use malicious packages to execute malware attacks, gaining access to your code, data, users, and contributors.\n\nTo help keep your project secure, Dependabot can check your dependencies for known malicious packages, then create alerts with suggested remediation steps.\n\n## When Dependabot sends malware alerts\n\nDependabot sends malware alerts when a package in your repository's default branch is flagged as malicious. Alerts for existing dependencies are generated as soon as the package is flagged on the GitHub Advisory Database.\n\nAlerts are also generated when you push commits that add a known malicious package or update a package to a known malicious version.\n\n> \\[!NOTE]\n> If the ecosystem, name, and version of an internal package match those of a malicious public package, Dependabot may generate a false positive alert.\n\n## Alert contents\n\nWhen Dependabot detects a malicious dependency, a malware alert appears on the repository's **Security and quality** tab. Each alert includes:\n\n* A link to the affected file\n* Details about the malicious package, including the package name, affected versions, and the patched version (when available)\n* Remediation steps\n\n## Availability\n\nCurrently, Dependabot malware alerts are available for packages in the `npm` ecosystem.\n\n## Alert notifications\n\nBy default, GitHub sends email notifications about new alerts to people who both:\n\n* Have write, maintain, or admin permissions to a repository\n* Are watching the repository and have enabled notifications for security alerts or for all activity on the repository\n\nOn GitHub.com, you can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at <https://github.com/settings/notifications>.\n\nIf you are concerned about receiving too many notifications, we recommend leveraging Dependabot auto-triage rules to auto-dismiss low-risk alerts. See [About Dependabot auto-triage rules](/en/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).\n\n## Limitations\n\nDependabot malware alerts have some limitations:\n\n* Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.\n* New malware may take time to appear in the GitHub Advisory Database and trigger alerts.\n* Only advisories reviewed by GitHub trigger alerts.\n* Dependabot doesn't scan archived repositories.\n* For GitHub Actions, alerts are only generated for actions that use semantic versioning, not SHA versioning.\n\nGitHub never publicly discloses malicious dependencies for any repository.\n\n## Next steps\n\nTo start protecting your project from malicious dependencies, see [Configuring Dependabot malware alerts](/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-malware-alerts)."}