Add content on Dependabot malware alerts (#60259)

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: Carlin Cherry <61124041+carlincherry@users.noreply.github.com>

Author: 4 people

content/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise.md

@@ -43,6 +43,19 @@ When {% data variables.product.prodname_ghe_server %} receives information about
 
 For repositories with {% data variables.product.prodname_dependabot_alerts %} enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added, {% data variables.product.prodname_ghe_server %} scans all existing repositories and generates alerts for any repository that is vulnerable. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
 
+{% ifversion dependabot-malware-alerts %}
+
+#### {% data variables.product.prodname_dependabot_malware_alerts %}
+
+{% data variables.product.prodname_dependabot %} can also use data from the {% data variables.product.prodname_advisory_database %} to raise alerts for malicious packages. These packages are identified using data from {% data variables.product.company_short %}-reviewed advisories, which sync to your instance every hour. {% data variables.product.prodname_dependabot %} scans for malicious packages:
+* When the {% data variables.product.prodname_advisory_database %} syncs to your instance
+* When a push to the default branch contains a manifest file or lock file
+
+> [!NOTE]
+> When you enable {% data variables.product.prodname_dependabot_malware_alerts %}, no code or information about code from {% data variables.product.prodname_ghe_server %} is uploaded to {% data variables.product.prodname_dotcom_the_website %} or {% data variables.enterprise.data_residency_site %}.
+
+{% endif %}
+
 ### About {% data variables.product.prodname_dependabot_updates %}
 
 After you enable {% data variables.product.prodname_dependabot_alerts %}, you can choose to enable {% data variables.product.prodname_dependabot_updates %}. When {% data variables.product.prodname_dependabot_updates %} are enabled for {% data variables.product.prodname_ghe_server %}, users can configure repositories so that their dependencies are updated and kept secure automatically.

content/code-security/concepts/supply-chain-security/about-dependabot-alerts.md

@@ -72,8 +72,8 @@ Alternatively, you can opt into the weekly email digest, or even completely turn
 * Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
 * New vulnerabilities may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts.
 * Only advisories reviewed by {% data variables.product.github %} trigger alerts.
-* {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.
-* {% data variables.product.prodname_dependabot %} doesn't generate alerts for malware.
+* {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.{% ifversion dependabot-malware-alerts %}{% else %}
+* {% data variables.product.prodname_dependabot %} doesn't generate alerts for malware.{% endif %}
 * {% data reusables.dependabot.dependabot-alert-actions-semver %}
 
 {% ifversion fpt or ghec %}{% data variables.product.github %} never publicly discloses vulnerabilities for any repository. {% endif %}
@@ -88,6 +88,8 @@ With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% d
 
 ## Further reading
 
+{% ifversion dependabot-malware-alerts %}
+* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %}
 * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
 * [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)
 * [AUTOTITLE](/code-security/getting-started/auditing-security-alerts)

content/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules.md

@@ -17,7 +17,11 @@ contentType: concepts
 
 ## About {% data variables.dependabot.auto_triage_rules %}
 
-{% data variables.dependabot.auto_triage_rules %} allow you to instruct {% data variables.product.prodname_dependabot %} to automatically triage {% data variables.product.prodname_dependabot_alerts %}. You can use {% data variables.dependabot.auto_triage_rules_short %} to automatically dismiss or snooze certain alerts, or specify the alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for. Rules are applied before alert notifications are sent, so enabling rules that auto-dismiss low-risk alerts will prevent notification noise from future matching alerts.
+{% data variables.dependabot.auto_triage_rules %} allow you to instruct {% data variables.product.prodname_dependabot %} to automatically triage {% data variables.product.prodname_dependabot_alerts %}{% ifversion dependabot-malware-alerts %} and {% data variables.product.prodname_dependabot_malware_alerts %}{% endif %}. You can use {% data variables.dependabot.auto_triage_rules_short %} to:
+* Automatically dismiss or snooze certain alerts
+* Specify the {% data variables.product.prodname_dependabot_alerts %} you want {% data variables.product.prodname_dependabot %} to open pull requests for
+
+Rules are applied before alert notifications are sent, so enabling rules that auto-dismiss low-risk alerts will help reduce notification noise.
 
 There are two types of {% data variables.dependabot.auto_triage_rules %}:
 
@@ -26,10 +30,9 @@ There are two types of {% data variables.dependabot.auto_triage_rules %}:
 
 ### About {% data variables.dependabot.github_presets %}
 
-> [!NOTE]
-> {% data reusables.dependabot.dependabot-github-preset-auto-triage-rules %}
+{% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %} that are available for all repositories.
 
-{% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %}.
+#### Dismiss low impact issues for development-scoped dependencies
 
 {% data reusables.dependabot.dismiss-low-impact-rule %} These alerts cover cases that feel like false alarms to most developers as the associated vulnerabilities:
 
@@ -42,12 +45,25 @@ The rule is enabled by default for public repositories and can be opted into for
 
 For more information about the criteria used by the rule, see [AUTOTITLE](/code-security/reference/supply-chain-security/criteria-for-preset-rules).
 
+{% ifversion dependabot-malware-alerts %}
+
+#### Dismiss package malware alerts
+
+The `Dismiss package malware alerts` rule is a {% data variables.product.company_short %} preset that auto-dismisses alerts that flag all versions of a package as malicious. If your project depends on an **internal** package with the same ecosystem and name as a malicious **public** package, {% data variables.product.prodname_dependabot %} can generate a false positive alert, which the rule then auto-dismisses.
+
+> [!IMPORTANT]
+> Be aware that if a contributor adds a dependency that is truly malicious across all versions, this rule will auto-dismiss the related alert.
+
+The `Dismiss package malware alerts` rule is disabled by default, but can be enabled for any repository using {% data variables.product.prodname_dependabot_malware_alerts %}.
+
+{% endif %}
+
 ### About {% data variables.dependabot.custom_rules %}
 
 > [!NOTE]
 > {% data reusables.gated-features.dependabot-custom-auto-triage-rules %}
 
-With {% data variables.dependabot.custom_rules %}, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts).
+With {% data variables.dependabot.custom_rules %}, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which {% data variables.product.prodname_dependabot_alerts %} you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts).
 
 You can create custom rules from the **Settings** tab of the repository, provided the repository belongs to an organization that has a license for {% data variables.product.prodname_GHAS_or_code_security %}. For more information, see [Adding custom auto-triage rules to your repository](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts#adding-custom-auto-triage-rules-to-your-repository).
 
@@ -61,7 +77,8 @@ Additionally, auto-dismissed alerts are still available for reporting and review
 
 Auto-dismissed alerts are defined by the `resolution:auto-dismiss` close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see [AUTOTITLE](/rest/dependabot/alerts), and the "`repository_vulnerability_alert`" section in [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#repository_vulnerability_alert-category-actions).
 
-## Further reading
+## Next steps
+
+To get started with {% data variables.dependabot.auto_triage_rules %}, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts).
 
-* [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts)
-* [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts)
+To customize your auto-triage experience, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts).

content/code-security/concepts/supply-chain-security/about-supply-chain-security.md

@@ -27,7 +27,8 @@ You add dependencies directly to your supply chain when you specify them in a ma
 The supply chain features on {% data variables.product.github %} are:
 * **Dependency graph**
 * **Dependency review**
-* **{% data variables.product.prodname_dependabot_alerts %}**
+* **{% data variables.product.prodname_dependabot_alerts %}**{% ifversion dependabot-malware-alerts %}
+  * **{% data variables.product.prodname_dependabot_malware_alerts %}**{% endif %}
 * **{% data variables.product.prodname_dependabot_updates %}**
   * **{% data variables.product.prodname_dependabot_security_updates %}**
   * **{% data variables.product.prodname_dependabot_version_updates %}**
@@ -107,13 +108,32 @@ For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dep
 
 * {% data variables.product.prodname_dependabot %} performs a scan to detect insecure dependencies and sends {% data variables.product.prodname_dependabot_alerts %} when:
 {% ifversion fpt or ghec %}
-  * A new advisory is added to the {% data variables.product.prodname_advisory_database %}.{% else %}
+  * A new advisory is added to the {% data variables.product.prodname_advisory_database %}{% else %}
   * New advisory data is synchronized to your instance each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
-  * The dependency graph for the repository changes.
+  * The dependency graph for the repository changes
 * {% data variables.product.prodname_dependabot_alerts %} are displayed on the **Security** tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
 
 For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
 
+{% ifversion dependabot-malware-alerts %}
+
+##### What are {% data variables.product.prodname_dependabot_malware_alerts %}?
+
+{% data variables.product.prodname_dependabot_malware_alerts %} flag malicious dependencies in your repositories. {% data variables.product.prodname_dependabot %} generates alerts using the {% data variables.product.prodname_advisory_database %}, which contains advisories for known vulnerabilities and malicious packages.
+
+{% data variables.product.prodname_dependabot %} scans for malicious packages and sends alerts when:{% ifversion fpt or ghec %}
+* A new advisory is added to the {% data variables.product.prodname_advisory_database %}{% else %}
+* New advisory data is synchronized to your instance each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
+* The dependency graph for a repository changes
+
+You can view {% data variables.product.prodname_dependabot_malware_alerts_short %} for a repository:
+* From the **Security** tab
+* In the dependency graph
+
+Each alert includes a link to the affected file in the project, as well as the patch version number for the package (if available).
+
+{% endif %}
+
 #### What are Dependabot updates?
 
 There are two types of {% data variables.product.prodname_dependabot_updates %}: {% data variables.product.prodname_dependabot %} _security_ updates and _version_ updates. {% data variables.product.prodname_dependabot %} generates automatic pull requests to update your dependencies in both cases, but there are several differences.

content/code-security/concepts/supply-chain-security/dependabot-malware-alerts.md

@@ -0,0 +1,62 @@
+---
+title: Dependabot malware alerts
+intro: '{% data variables.product.prodname_dependabot_malware_alerts %} help you identify malware in your dependencies to protect your project and its users.'
+product: '{% data reusables.gated-features.dependabot-malware-alerts %}'
+versions:
+  feature: dependabot-malware-alerts
+contentType: concepts
+---
+
+Software often relies on packages from various sources, creating dependency relationships that can threaten your project's security. For example, bad actors can use malicious packages to execute malware attacks, gaining access to your code, data, users, and contributors.
+
+To help keep your project secure, {% data variables.product.prodname_dependabot %} can check your dependencies for known malicious packages, then create alerts with suggested remediation steps.
+
+## When {% data variables.product.prodname_dependabot %} sends {% data variables.product.prodname_dependabot_malware_alerts_short %}
+
+{% data variables.product.prodname_dependabot %} sends {% data variables.product.prodname_dependabot_malware_alerts_short %} when a package in your repository's default branch is flagged as malicious. Alerts for existing dependencies are generated{% ifversion fpt or ghec %} as soon as the package is flagged on the {% data variables.product.prodname_advisory_database %}{% else %} when new advisory data arrives from {% data variables.product.prodname_dotcom_the_website %} (synced to your instance every hour){% endif %}.
+
+Alerts are also generated when you push commits that add a known malicious package or update a package to a known malicious version.
+
+> [!NOTE]
+> If the ecosystem, name, and version of an internal package match those of a malicious public package, {% data variables.product.prodname_dependabot %} may generate a false positive alert.
+
+## Alert contents
+
+When {% data variables.product.prodname_dependabot %} detects a malicious dependency, a {% data variables.product.prodname_dependabot_malware_alert_short %} appears on the repository's **Security** tab. Each alert includes:
+
+* A link to the affected file
+* Details about the malicious package, including the package name, affected versions, and the patched version (when available)
+* Remediation steps
+
+## Availability
+
+Currently, {% data variables.product.prodname_dependabot_malware_alerts %} are available for packages in the `npm` ecosystem.
+
+## Alert notifications
+
+By default, {% data variables.product.github %} sends email notifications about new alerts to people who both:
+
+* Have write, maintain, or admin permissions to a repository
+* Are watching the repository and have enabled notifications for security alerts or for all activity on the repository
+
+{% ifversion fpt or ghec %}
+On {% data variables.product.prodname_dotcom_the_website %}, you can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at [https://github.com/settings/notifications](https://github.com/settings/notifications).
+{% endif %}
+
+If you are concerned about receiving too many notifications, we recommend leveraging {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. See [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).
+
+## Limitations
+
+{% data variables.product.prodname_dependabot_malware_alerts %} have some limitations:
+
+* Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
+* New malware may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts.
+* Only advisories reviewed by {% data variables.product.github %} trigger alerts.
+* {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.
+* {% data reusables.dependabot.dependabot-alert-actions-semver %}
+
+{% data variables.product.github %} never publicly discloses malicious dependencies for any repository.
+
+## Next steps
+
+To start protecting your project from malicious dependencies, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-malware-alerts).

content/code-security/concepts/supply-chain-security/index.md

@@ -15,6 +15,7 @@ children:
   - dependency-graph-data
   - about-dependency-review
   - about-dependabot-alerts
+  - dependabot-malware-alerts
   - about-metrics-for-dependabot-alerts
   - about-dependabot-security-updates
   - about-dependabot-version-updates

content/code-security/getting-started/github-security-features.md

@@ -73,6 +73,14 @@ You can also use default {% data variables.dependabot.auto_triage_rules %} curat
 
 {% data reusables.dependabot.quickstart-link %}
 
+{% ifversion dependabot-malware-alerts %}
+
+#### {% data variables.product.prodname_dependabot_malware_alerts %}
+
+On {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_ghe_server %} 3.22+, you can view alerts for malicious dependencies in your repository. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts).
+
+{% endif %}
+
 ### {% data variables.product.prodname_dependabot_version_updates %}
 
 Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. You can also customize {% data variables.product.prodname_dependabot_version_updates %} to streamline their integration into your repositories. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).

content/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/index.md

@@ -9,6 +9,7 @@ versions:
 contentType: how-tos
 children:
   - viewing-and-updating-dependabot-alerts
+  - manage-malware-alerts
   - managing-automatically-dismissed-alerts
   - enable-delegated-alert-dismissal
 ---