github GitHub Changelog ·

GitHub Advanced Security: Innersource security advisories GA

securitygaengineer
feature announcement

GitHub Advanced Security is launching Innersource security advisories, allowing enterprises to publish internal security advisories restricted to their own repositories. This feature, now generally available, aims to enhance internal vulnerability management and leverage Dependabot for automated remediation. Enterprise customers can manage these advisories via a new REST API endpoint, which triggers Dependabot to notify and create pull requests for vulnerable component usage within the enterprise.

  • Innersource security advisories now generally available
  • New REST API for managing innersource vulnerabilities
  • Automated vulnerability notification and remediation with Dependabot
Features (3)
  • Innersource security advisories now generally available

    GitHub Advanced Security enterprise customers can now publish internal security advisories, which are restricted to repositories owned by the enterprise. This feature operates similarly to open-source advisories but enhances internal vulnerability management.

  • New REST API for managing innersource vulnerabilities

    A new REST API endpoint has been introduced to manage innersource vulnerabilities, enabling operations such as creating, updating, or withdrawing advisories. This allows for programmatic control over internal security vulnerability information.

  • Automated vulnerability notification and remediation with Dependabot

    When an innersource advisory is created for a component, GitHub Dependabot will automatically notify and create pull requests for repositories within the enterprise that use the vulnerable component. This helps in updating to a fixed version and remediating security risks.

Read the original announcement →

https://github.blog/changelog/2026-07-08-innersource-security-advisories-are-generally-available