Secure your supply chain, understand dependencies in your environment, know about vulnerabilities in those dependencies and patch them.
Welcome to "Secure your repository's supply chain"! 👋
What's the big deal about securing your repository's supply chain?

With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.
GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them. The supply chain features on GitHub are:
- Dependency graph
- Dependency review
- Dependabot alerts
- Dependabot updates
  - Dependabot security updates
  - Dependabot version updates
What is a dependency graph?

The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the dependency submission API (beta). For each repository, it shows:
- Dependencies, the ecosystems and packages it depends on
- Dependents, the repositories and packages that depend on it
We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.
Dependency graph is enabled by default for all new public repositories. If you're working in a public repository, you can go straight to "Activity 1.2: Add a new dependency and view your dependency graph." For private or internal repositories, you'll need to enable Dependency graph.
- Navigate to the Settings tab.
- Click Code security and analysis.
- Enable "Dependency graph."
- Navigate to the Code tab and locate the `code/src/AttendeeSite` folder.
- Add the following content to the `package-lock.json` file after the third-to-last bracket `}` and before the last two brackets.

  ```json
  ,
  "follow-redirects": {
    "version": "1.14.1",
    "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
    "integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
  }
  ```
- Navigate to the Insights tab.
- Select Dependency graph from the side navigation bar.
- Review all the dependencies on the Dependencies tab.
- Search for `follow-redirects` and review the new dependency you just added.
Wait about 20 seconds then refresh this page (the one you're following instructions from). GitHub Actions will automatically update to display the next step.
© 2024 GitHub • Code of Conduct • MIT License