Cloudflare Turnstile (Login Captcha)
GWM supports Cloudflare Turnstile as an optional captcha on the login page. When enabled, the Turnstile widget appears on the login form and the submitted token is verified server-side before authentication proceeds. Login is blocked when the token is invalid or missing.
Enabling Turnstile
- Go to System → Settings → App & Security.
- Toggle Enable Turnstile captcha on.
- Enter your Cloudflare Site Key (public) and Secret Key (stored encrypted).
- Save settings. The widget will appear on the login page immediately.
Obtain a Site Key and Secret Key from the Cloudflare Turnstile dashboard. Choose the Managed widget type for automatic challenge adaptation.
Fail-Closed Behavior
When Turnstile is enabled, a missing or invalid token always blocks login — even if credentials are correct. This prevents bot attacks on the login endpoint.
Dependabot Alerts
- Alerts sync hourly and show open vs resolved issues.
- Unresolved issues appear on the Security page, available directly from the main navigation, with direct links.
- Each project also includes its own Security tab to review alerts and audit issues for that repository specifically.
- The project's Security tab includes remediation actions like Composer Update and Npm Audit Fix.
- Audit Project is available in Enterprise Edition.
- When fixes update dependency files, you can commit and push those changes directly from the Security tab.
- The Security tab also includes the latest audit output and recent security logs.
Audit Checks
- Audit checks are an Enterprise Edition feature.
- Enable audits in Security → Settings to run npm/composer checks after scheduled update scans. When a vulnerability is detected, GWM automatically queues the matching fix task (Composer Update or Npm Audit Fix) before emailing anyone.
- Automatic audits run at most once per hour per project to reduce load.
- Use the Audit Projects button on a project or the project list for an on-demand audit (Enterprise).
- Audit findings and fixes are logged on the Security page and each project's own Security tab.
- FTP-only projects download manifest/lock files before auditing to avoid installing dependencies.
Audit Email Summaries
When audit emails are enabled in Security → Settings, GWM sends one consolidated digest per audit run — covering every project checked, not one email per project — listing resolved and still-open issues.
- An automatically-queued fix is given the chance to run and be verified first; email only goes out if the vulnerability is still open once no fix is pending, or to confirm the fix succeeded. This keeps first detections from generating immediate alert noise.
- Known open issues are not re-emailed on every audit run; existing audit entries are updated in place instead.
- A Notification cooldown setting controls the minimum number of hours before the same project vulnerability triggers another email. The default is 24 hours. Set to 0 to always email.
- The cooldown field appears in Security → Settings once audit email summaries are enabled.
Auto-Commit Fixes
Enable Auto-commit resolved audit fixes (Enterprise) to push dependency lockfile changes after audits resolve all vulnerabilities. Commit messages use the Git Web Manager Vulnerability fixes: prefix.
Auto-Merge Options
When auto-merge is enabled, GWM will attempt to apply Dependabot PRs automatically. Failures are recorded in the Security logs.
Sync Alerts
Use the Sync Alerts button on the Security page, or on a project's own Security tab, to trigger an on-demand refresh.
If sync fails due to SSL certificate issues, see the Troubleshooting guide.
SSL verification can be toggled in System → Settings → App & Security (not recommended to disable in production).
Recovery Tools
If caches or published assets look stale after an update, use the authenticated /recovery page to repair published assets. See the Troubleshooting guide for full steps.
Required GitHub Token Scopes
Ensure GITHUB_TOKEN includes repo and security_events.