---
title: Browsing security advisories in the GitHub Advisory Database
intro: 'You can browse the {% data variables.product.prodname_advisory_database %} to find CVEs and {% data variables.product.prodname_dotcom %}-originated advisories affecting the open source world.'
shortTitle: Browse Advisory Database
type: how_to
---
You can access any advisory in the {% data variables.product.prodname_advisory_database %}.
- Navigate to https://github.com/advisories.
- Optionally, to filter the list of advisories, use the search field or the drop-down menus at the top of the list.

  {% note %}

  Note: You can use the sidebar on the left to explore {% data variables.product.company_short %}-reviewed and unreviewed advisories separately, or to filter by ecosystem.

  {% endnote %}

- Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. {% ifversion GH-advisory-db-supports-malware %}To show malware advisories, use `type:malware` in the search bar.{% endif %}
The database is also accessible using the GraphQL API. {% ifversion GH-advisory-db-supports-malware %}By default, queries will return {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities unless you specify `type:malware`.{% endif %} For more information, see "AUTOTITLE."

{% ifversion security-advisories-rest-api %}Additionally, you can access the {% data variables.product.prodname_advisory_database %} using the REST API. For more information, see "AUTOTITLE."{% endif %}
You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "AUTOTITLE."
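The REST endpoint mentioned above returns each advisory as JSON, including the vulnerable version range and first patched version of every affected package, which is exactly what you need to answer the question this page keeps coming back to: is a dependency I ship covered by an advisory, and would it therefore raise an alert? The Python script below is an added example, not GitHub's own code or part of the original page. It builds the `GET /advisories` request with the same filters the UI qualifiers expose (parameter names as given in the REST reference for listing global security advisories) and then runs an offline check of a constructed dependency set against a constructed sample response. The GHSA IDs and package names in the sample are placeholders, not real advisories; the version comparator is a deliberate simplification that ignores pre-release suffixes; and the `https://HOSTNAME/api/v3` root for GitHub Enterprise Server is an assumption noted in a comment.

```python
"""Added example: query the Advisory Database REST endpoint and check a
dependency set against the advisories it returns (not GitHub's own code)."""
import json
import re
from urllib.parse import urlencode

# GitHub.com. On GitHub Enterprise Server the same endpoint is assumed to live
# under https://HOSTNAME/api/v3 once GitHub Connect is enabled.
API_ROOT = "https://api.github.com"


def build_advisories_request(token=None, **filters):
    """Return (url, headers) for GET /advisories. Keyword filters are passed
    through as query parameters and mirror the UI qualifiers: ecosystem="npm",
    severity="high", type="malware", affects="lodash", ghsa_id=..., cve_id=...
    Filters set to None are dropped so the endpoint defaults apply
    (reviewed advisories only)."""
    params = {k: v for k, v in filters.items() if v is not None}
    url = f"{API_ROOT}/advisories" + ("?" + urlencode(params) if params else "")
    headers = {"Accept": "application/vnd.github+json",
               "X-GitHub-Api-Version": "2022-11-28"}
    if token:  # optional here, but unauthenticated calls get a lower rate limit
        headers["Authorization"] = f"Bearer {token}"
    return url, headers


def parse_version(text):
    """Simplified parser (assumption): numeric dotted core padded to three
    parts; pre-release/build suffixes such as -beta.1 are ignored."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (3 - len(parts)))


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b}


def version_in_range(version, vulnerable_range):
    """True if every comma-separated clause of a vulnerable_version_range
    such as ">= 4.0.0, < 4.17.21" holds for the given version."""
    installed = parse_version(version)
    for clause in vulnerable_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\w.+\-]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not _OPS[m.group(1)](installed, parse_version(m.group(2))):
            return False
    return True


def find_affected(advisories, installed):
    """Match advisories in the REST response shape against installed packages
    given as {(ecosystem, name): version}; one hit per matching range."""
    hits = []
    for adv in advisories:
        for vuln in adv.get("vulnerabilities", []):
            key = (vuln["package"]["ecosystem"], vuln["package"]["name"])
            if key in installed and version_in_range(
                    installed[key], vuln["vulnerable_version_range"]):
                hits.append({"ghsa_id": adv["ghsa_id"],
                             "severity": adv["severity"],
                             "package": key[1],
                             "installed": installed[key],
                             "range": vuln["vulnerable_version_range"],
                             "first_patched_version": vuln.get("first_patched_version")})
    return hits


# Constructed sample in the shape of a GET /advisories response (only the
# fields used here). IDs and package names are placeholders, not real advisories.
SAMPLE_RESPONSE = json.loads("""[
 {"ghsa_id": "GHSA-xxxx-xxxx-xxxx", "cve_id": null, "type": "reviewed",
  "severity": "high", "summary": "Prototype pollution in example-lib (sample)",
  "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "example-lib"},
                       "vulnerable_version_range": ">= 4.0.0, < 4.17.21",
                       "first_patched_version": "4.17.21"}]},
 {"ghsa_id": "GHSA-yyyy-yyyy-yyyy", "cve_id": null, "type": "reviewed",
  "severity": "critical", "summary": "Unsafe deserialization in example-parser (sample)",
  "vulnerabilities": [{"package": {"ecosystem": "pip", "name": "example-parser"},
                       "vulnerable_version_range": "< 2.3.0",
                       "first_patched_version": "2.3.0"}]}
]""")

# Constructed dependency set, as you would extract from a lockfile.
INSTALLED = {("npm", "example-lib"): "4.17.20",   # inside the vulnerable range
             ("npm", "other-lib"): "1.0.0",       # no advisory
             ("pip", "example-parser"): "2.3.1"}  # already on a patched version

if __name__ == "__main__":
    print("would request:", build_advisories_request(ecosystem="npm", severity="high")[0])
    for hit in find_affected(SAMPLE_RESPONSE, INSTALLED):
        print(f"{hit['ghsa_id']} ({hit['severity']}): {hit['package']} {hit['installed']} "
              f"matches {hit['range']!r}; upgrade to {hit['first_patched_version']}")
```

Only `example-lib` is reported: `other-lib` has no advisory and `example-parser` is already at or above its first patched version. To run it against live data, fetch the URL from `build_advisories_request` with the returned headers, follow the `Link` header for further pages, and feed the decoded JSON list to `find_affected` in place of the sample.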
You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.
{% data reusables.time_date.date_format %} {% data reusables.time_date.time_format %}
{% data reusables.search.date_gt_lt %}
| Qualifier | Example |
| --- | --- |
| `type:reviewed` | `type:reviewed` will show {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. |
{% ifversion GH-advisory-db-supports-malware %}
| `type:malware` | `type:malware` will show {% data variables.product.company_short %}-reviewed advisories for malware. |
{% endif %}
| `type:unreviewed` | `type:unreviewed` will show unreviewed advisories. |
| `GHSA-ID` | `GHSA-49wp-qq6x-g2rf` will show the advisory with this {% data variables.product.prodname_advisory_database %} ID. |
| `CVE-ID` | `CVE-2020-28482` will show the advisory with this CVE ID number. |
| `ecosystem:ECOSYSTEM` | `ecosystem:npm` will show only advisories affecting npm packages. |
| `severity:LEVEL` | `severity:high` will show only advisories with a high severity level. |
| `affects:LIBRARY` | `affects:lodash` will show only advisories affecting the lodash library. |
| `cwe:ID` | `cwe:352` will show only advisories with this CWE number. |
| `credit:USERNAME` | `credit:octocat` will show only advisories credited to the "octocat" user account. |
| `sort:created-asc` | `sort:created-asc` will sort by the oldest advisories first. |
| `sort:created-desc` | `sort:created-desc` will sort by the newest advisories first. |
| `sort:updated-asc` | `sort:updated-asc` will sort by the least recently updated first. |
| `sort:updated-desc` | `sort:updated-desc` will sort by the most recently updated first. |
| `is:withdrawn` | `is:withdrawn` will show only advisories that have been withdrawn. |
| `created:YYYY-MM-DD` | `created:2021-01-13` will show only advisories created on this date. |
| `updated:YYYY-MM-DD` | `updated:2021-01-13` will show only advisories updated on this date. |
A `GHSA-ID` qualifier is a unique ID that we at {% data variables.product.prodname_dotcom %} automatically assign to every advisory in the {% data variables.product.prodname_advisory_database %}. For more information about these identifiers, see "About the {% data variables.product.prodname_advisory_database %}."
For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "AUTOTITLE."
- Navigate to https://github.com/advisories.
- Click an advisory.
- At the top of the advisory page, click Dependabot alerts.
- Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the {% data variables.product.prodname_dependabot_alerts %} per owner (organization or user).
- For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.
{% ifversion security-advisories-ghes %}
If your site administrator has enabled {% data variables.product.prodname_github_connect %} for {% data variables.location.product_location %}, you can also browse reviewed advisories locally. For more information, see "AUTOTITLE".
You can use your local advisory database to check whether a specific security vulnerability is included, and therefore whether you'd get alerts for vulnerable dependencies. You can also view any vulnerable repositories.
- Navigate to `https://HOSTNAME/advisories`.
- Optionally, to filter the list, use any of the drop-down menus.

  {% note %}

  Note: Only reviewed advisories will be listed. Unreviewed advisories can be viewed in the {% data variables.product.prodname_advisory_database %} on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "Accessing an advisory in the GitHub Advisory Database".

  {% endnote %}

- Click an advisory to view details.{% ifversion GH-advisory-db-supports-malware %} By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar.{% endif %}
You can also suggest improvements to any advisory directly from your local advisory database. For more information, see "AUTOTITLE".
{% data reusables.repositories.enable-security-alerts %}
In the local advisory database, you can see which repositories are affected by each security vulnerability{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "AUTOTITLE."
- Navigate to `https://HOSTNAME/advisories`.
- Click an advisory.
- At the top of the advisory page, click Dependabot alerts.
- Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the {% data variables.product.prodname_dependabot_alerts %} per owner (organization or user).
- For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.
{% endif %}