Malware Alerting Returns to Dependabot
GitHub is relaunching malware detection in Dependabot for npm packages, addressing the false-positive issues that led to the feature being paused in 2022. The new implementation gives organizations granular control over which alerts they receive while maintaining clear separation from traditional vulnerability alerts.
Key Features
Opt-in Configuration: Malware alerting is disabled by default and can be enabled through repository, organization, or enterprise security settings. Once enabled, Dependabot automatically backfills alerts for existing malware advisories in your current dependencies.
Separated Alert Categories: Malware alerts appear as a distinct subcategory within Dependabot, keeping them separate from CVE-based vulnerability alerts so teams can triage each type independently.
Configurable Alert Rules: New Dependabot rules let you fine-tune malware coverage by:
- Malware type (a single malicious version of an otherwise legitimate package vs. a package that is malicious in its entirety)
- Package ecosystem
- Package scope or name patterns
Alerts can also be dismissed or reopened in bulk using multi-select filters in the alert list.
Current Coverage and Future Plans
The feature currently covers the npm ecosystem using advisories from the GitHub Advisory Database. GitHub is actively working to expand coverage to additional ecosystems through integration with feeds like the OpenSSF Malware Streams project.
Getting Started
Enable malware alerts under Settings → Code security → Dependabot in your repository or organization settings. If you publish packages to a private registry, a malware advisory for a public npm package that shares a name with one of your internal packages will surface as an alert; use Dependabot alert rules (for example, a rule matched on your private npm scope) to keep those from drowning out real findings. Restrict such exclusions to scopes you actually control, and confirm that your lockfile resolves them from the private registry rather than from the public one: a private name that resolves to the public registry is the substitution a dependency-confusion attack relies on, and is exactly the case an alert should reach you for.
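The lockfile side of that triage, as an added example that is not GitHub's or Dependabot's code: it reads a package-lock.json (the v2/v3 "packages" map), classifies each installed package by whether a private-scope name was actually served from the private registry, and decides how to treat a malware advisory that names it. The scope @example-corp, the hostname npm.example-corp.internal and the lockfile contents are constructed for the example.

```javascript
// Added example (not GitHub's or Dependabot's code): classify the packages in a
// package-lock.json by whether private-scope names were actually served by the
// private registry, so a malware advisory for a public package that shares a
// name with an internal one can be triaged instead of blindly excluded.

// Constructed sample lockfile. Scope, hostnames and versions are invented.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@example-corp/auth": "^1.2.0", "@example-corp/utils": "^0.0.1", lodash: "^4.17.21" } },
    "node_modules/@example-corp/auth": {
      version: "1.2.0",
      resolved: "https://npm.example-corp.internal/@example-corp/auth/-/auth-1.2.0.tgz",
    },
    // Same private scope, but the lockfile shows it came from the public registry.
    "node_modules/@example-corp/utils": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/@example-corp/utils/-/utils-0.0.1.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
    // Nested install of the same private package under another dependency.
    "node_modules/lodash/node_modules/@example-corp/auth": {
      version: "1.1.0",
      resolved: "https://npm.example-corp.internal/@example-corp/auth/-/auth-1.1.0.tgz",
    },
    // Workspace package: a symlink, no registry URL.
    "packages/shared": { name: "@example-corp/shared", version: "0.1.0" },
    "node_modules/@example-corp/shared": { resolved: "packages/shared", link: true },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b": the name follows the last "node_modules/".
function packageName(lockKey) {
  const i = lockKey.lastIndexOf("node_modules/");
  return lockKey.slice(i + "node_modules/".length);
}

function registryHost(resolved) {
  try {
    return new URL(resolved).hostname; // throws for relative paths such as "packages/shared"
  } catch {
    return null;
  }
}

const RANK = { public: 0, private: 0, unresolved: 1, collision: 2 };

// Returns Map<name, status>; status is one of:
//   "private"    in a private scope, resolved from a private registry host
//   "collision"  in a private scope, resolved from a public host (the public package won the name)
//   "public"     not in a private scope
//   "unresolved" no registry URL (workspace link / local path)
function classifyLockfile(lock, privateScopes, privateHosts) {
  const out = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key.includes("node_modules/")) continue; // root project or workspace source, not an install
    const name = packageName(key);
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    const host = registryHost(entry.resolved || "");
    let status;
    if (!privateScopes.has(scope)) status = "public";
    else if (host === null) status = "unresolved";
    else if (privateHosts.has(host)) status = "private";
    else status = "collision";
    // The same name may be installed at several paths; keep the worst status.
    const prev = out.get(name);
    if (prev === undefined || RANK[status] > RANK[prev]) out.set(name, status);
  }
  return out;
}

// Triage a malware advisory naming `pkg`. "likely-false-positive" assumes the
// private host serves its own artifacts and does not proxy the public registry
// for that scope; if it does proxy, treat the alert as "investigate".
function triageMalwareAlert(pkg, statuses) {
  const status = statuses.get(pkg);
  if (status === undefined) return "not-installed";
  if (status === "private") return "likely-false-positive";
  return "investigate";
}

const statuses = classifyLockfile(SAMPLE_LOCK, new Set(["@example-corp"]), new Set(["npm.example-corp.internal"]));
for (const [name, status] of statuses) console.log(`${status.padEnd(12)} ${name}`);
console.log(triageMalwareAlert("@example-corp/utils", statuses));
```

To run this against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). A "collision" result means the public package carrying your private name is what npm actually installed; that is the case to escalate, not the case to exclude from malware alerting.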