Dependabot Alerts
- Alerts sync hourly and show open vs resolved issues.
- Unresolved issues appear in the System Security tab with direct links.
- Each project includes a Security tab to review alerts and audit issues for that repository.
- The Project Security tab includes remediation actions like Composer Update and Npm Audit Fix.
- Audit Project is available in Enterprise Edition.
- When fixes update dependency files, you can commit and push those changes directly from the Security tab.
- The Security tab also includes the latest audit output and recent security logs.
Audit Checks
- Audit checks are an Enterprise Edition feature.
- Enable audits in System → Settings → Audits & Alerts to run npm/composer checks after scheduled update scans.
- Automatic audits run at most once per hour per project to reduce load.
- Use the Audit Projects button on a project or the project list for an on-demand audit (Enterprise).
- Audit findings and fixes are logged in System → Security and the Project Security tab.
- FTP-only projects download manifest/lock files before auditing to avoid installing dependencies.
Audit Email Summaries
When audit emails are enabled in System → Settings, GWM sends a consolidated report that lists both resolved and still-open issues across projects.
Known open issues are not re-emailed on every audit run, and existing audit entries are updated instead of duplicated.
Auto-Commit Fixes
Enable the "Auto-commit resolved audit fixes" option (Enterprise) to push dependency lockfile changes after audits resolve all vulnerabilities. Commit messages use the prefix "Git Web Manager Vulnerability fixes:".
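As an added illustration of the audit bookkeeping described in the two sections above (example code, not GWM's own; the entry model and the placeholder advisory ids are assumptions), the following Python reconciles one audit run against persisted entries so known issues are updated rather than duplicated, builds the consolidated resolved/still-open report without re-emailing known open issues, and checks the auto-commit precondition that every vulnerability for the project is resolved.

```python
from dataclasses import dataclass

# Illustrative model of the behaviour described above (an assumption, not GWM's code):
# one persisted entry per (project, package, advisory); re-runs update it, never duplicate it.

@dataclass
class AuditEntry:
    status: str = "open"    # "open" or "resolved"
    emailed: bool = False   # True once the finding has been sent as a new issue

def reconcile(entries, findings):
    """Merge one audit run's open findings (keys) into the persisted entries dict.
    Keys not reported this run are marked resolved; known keys are updated, not re-added."""
    reported = set(findings)
    for key in reported:
        entry = entries.setdefault(key, AuditEntry())
        if entry.status == "resolved":          # regression: report it as new again
            entry.status, entry.emailed = "open", False
    for key, entry in entries.items():
        if key not in reported:
            entry.status = "resolved"
    return entries

def email_summary(entries):
    """Consolidated report as (resolved, still_open, new_open) key lists.
    Known open issues go to still_open and are not re-emailed as new."""
    resolved = sorted(k for k, e in entries.items() if e.status == "resolved")
    still_open = sorted(k for k, e in entries.items() if e.status == "open" and e.emailed)
    new_open = sorted(k for k, e in entries.items() if e.status == "open" and not e.emailed)
    for key in new_open:
        entries[key].emailed = True
    return resolved, still_open, new_open

def auto_commit_allowed(entries, project):
    """Auto-commit precondition: no open finding remains for the project."""
    return not any(e.status == "open" for (p, _, _), e in entries.items() if p == project)

# Constructed sample: three audit runs for one project (advisory ids are placeholders).
RUN1 = [("shop", "lodash", "GHSA-PLACEHOLDER-1"), ("shop", "guzzlehttp/guzzle", "GHSA-PLACEHOLDER-2")]
RUN2 = [("shop", "lodash", "GHSA-PLACEHOLDER-1")]   # guzzle fixed, lodash still open
RUN3 = []                                           # everything fixed

def demo():
    """Run the three constructed audits and return the entries plus each run's report."""
    entries = {}
    reports = []
    for run in (RUN1, RUN2, RUN3):
        reconcile(entries, run)
        reports.append(email_summary(entries))
    return entries, reports
```

Run 1 reports both findings as new, run 2 lists guzzle as resolved and lodash as still open without re-emailing it, and only after run 3 does auto_commit_allowed return True.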
Auto-Merge Options
When auto-merge is enabled, GWM will attempt to apply Dependabot PRs automatically. Failures are recorded in the Security logs.
Sync Alerts
Use the Sync Alerts button in System or Project Security to trigger an on-demand refresh.
If sync fails due to SSL certificate issues, see the Troubleshooting guide.
SSL verification can be toggled in System → Settings (not recommended to disable in production).
Recovery Tools
If caches or published assets look stale after an update, use the authenticated /recovery page to repair published assets. See the Troubleshooting guide for full steps.
Required GitHub Token Scopes
Ensure GITHUB_TOKEN includes the repo and security_events scopes.