Dependabot now supports alerting on artifacts and non-default branches [GA] #1265

Description

@glider-bot

Value Prop

Dependabot can now generate security alerts for artifacts—such as containers, packages, and executables—as well as dependencies on non-default branches. By uploading a software bill of materials (SBOM) to GitHub's snapshot service and flagging it as alert-worthy, teams gain continuous vulnerability monitoring for every released artifact and long-running branch, not just the default branch. This closes a critical blind spot where production services and shipped products could be silently exposed to newly discovered vulnerabilities in pinned dependency versions.

Expected Outcome

Non-default branch alerting is the most highly requested Dependabot feature in customer feedback. With this release, customers can detect zero-day vulnerabilities in any released artifact or long-lived branch—ensuring that the software they ship and operate stays protected even after the repository has moved on. We expect this to significantly reduce unpatched exposure windows, strengthen end-to-end supply chain security, and reinforce GitHub as the trusted platform for securing the entire software delivery pipeline.

Metadata

Assignees

No one assigned

    Labels

    - Enterprise (Product SKU: GitHub Enterprise)
    - Free (Product SKU: GitHub Free)
    - GHES 3.23
    - Team (Product SKU: GitHub Team)

    Type

    No type

    Projects

    Status
    Exploring

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests