About innersource advisories
The GitHub Advisory Database provides a centralized source of alert information for security vulnerabilities. When an advisory about a vulnerable open source component is published, Dependabot uses GitHub's dependency graph to find repositories that are using that component, then sends alerts and pull requests to notify the repository's owners and update the affected code to a newer version that fixes the vulnerability.
Enterprises can use the same mechanism to create alerts and send updates about internally discovered vulnerabilities. Innersource advisories use a similar Open Source Vulnerability (OSV) data format to public advisories, but are not publicly visible. They are scoped to a single enterprise and therefore only propagate alerts to repositories inside that enterprise. The subject of an innersource advisory can be either an internal or open source component, enabling enterprises to push fixes independent of public disclosure and alerting.
Who can create innersource advisories
Innersource advisories can only be created in enterprises that have an active GitHub Code Security or GitHub Advanced Security license. If your license expires or GitHub Code Security is disabled, advisories will no longer be visible and will not propagate alerts. However, the underlying data will not be deleted, and re-activating the license will restore any pre-existing advisories.
Limitations of innersource advisories
- Currently, advisories can only be scoped to an entire enterprise. You cannot target individual organizations or groups of organizations inside the enterprise.
- Each enterprise is limited to 2,000 active advisories. Attempts to create new advisories once that limit is reached will result in an error. If you reach this limit, you can withdraw old or outdated advisories. See Managing innersource advisories.
Next steps
To create, distribute, and withdraw innersource advisories, see Managing innersource advisories.