GitHub Dependabot vulnerability alerts disabled
Description
AlphaSOC detected that GitHub Dependabot vulnerability alerts have been disabled. These alerts notify repository owners when their code uses dependencies with known security vulnerabilities. Disabling these notifications removes an important security control for identifying vulnerable dependencies in the software supply chain.
Impact
Disabling Dependabot alerts increases security risk by preventing the automated detection of known vulnerabilities in dependencies. This may allow security flaws to remain unaddressed in code, potentially creating opportunities for supply chain attacks. Without these alerts, organizations lose visibility into vulnerable third-party code that could be exploited by threat actors.
Severity
| Severity | Condition |
|---|---|
| Low | GitHub Dependabot vulnerability alerts disabled |
Investigation and Remediation
Review the GitHub audit logs to identify who disabled the alerts and when, then re-enable Dependabot alerts. Scan the affected repositories for existing vulnerabilities and update any vulnerable dependencies to secure versions. Consider implementing controls that prevent unauthorized disabling of security features, and review the security policies that govern repository management. Document the changes made during remediation and verify that alerts are functioning correctly after being re-enabled.
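The audit-log review step above, as an added example that is not AlphaSOC's code: it parses a constructed GitHub audit log export, flags each event that disabled Dependabot alerts at repository or organization level, records the actor and time for the investigation, and notes whether a later event re-enabled them so the remediation can be verified. The action names are the ones GitHub documents for these events; the page itself does not list them, and the log lines are constructed.

```python
import json
from datetime import datetime, timezone

# GitHub's documented audit log actions for toggling these alerts (not listed on this
# page); repo-level entries carry a "repo" field, org-level entries an "org" field.
DISABLE_ACTIONS = {"repository_vulnerability_alerts.disable": "repo",
                   "dependabot_alerts.disable": "org"}
ENABLE_ACTIONS = {"repository_vulnerability_alerts.enable": "repo",
                  "dependabot_alerts.enable": "org"}

# Constructed sample of a GitHub newline-delimited JSON audit log export.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1700000000000, "action": "repo.create", "actor": "alice", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1700000600000, "action": "repository_vulnerability_alerts.disable", "actor": "bob", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1700001200000, "action": "dependabot_alerts.disable", "actor": "carol", "org": "example-org"}
{"@timestamp": 1700001800000, "action": "repository_vulnerability_alerts.enable", "actor": "alice", "org": "example-org", "repo": "example-org/payments"}
not json at all
"""

def parse_audit_log(text):
    """Parse NDJSON audit log lines, skipping blank or malformed ones, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt export line must not abort the whole review
    return sorted(events, key=lambda e: e.get("@timestamp", 0))

def find_disabled_alerts(events):
    """One finding per disable event, noting whether the same target was later re-enabled."""
    findings = []
    for i, event in enumerate(events):
        scope = DISABLE_ACTIONS.get(event.get("action"))
        if scope is None:
            continue
        target = event.get(scope)
        # Any later enable event for the same repo/org closes this finding.
        re_enabled = any(ENABLE_ACTIONS.get(later.get("action")) == scope
                         and later.get(scope) == target for later in events[i + 1:])
        when = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        findings.append({"severity": "Low", "scope": scope, "target": target,
                         "actor": event.get("actor"), "time": when.isoformat(),
                         "re_enabled": re_enabled})
    return findings
```

Running `find_disabled_alerts(parse_audit_log(SAMPLE_AUDIT_LOG))` yields two findings: the repository-level disable by `bob`, already re-enabled, and the organization-level disable by `carol`, still open.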