It’s now easier to grant Dependabot access to repositories from the organization level
If your organization hosts dependencies in private or internal GitHub repositories, you can give Dependabot access to the host repository, allowing Dependabot to update the dependency version. GitHub Advanced Security customers can also now grant Dependabot the ability to access all internal repositories in perpetuity from your organization’s settings or the API page. These improved UI and API experiences make it easier than ever to grant Dependabot access to dependencies hosted in your organization’s repositories.
What’s new
Previously, organization administrators enabled Dependabot access individually for each internal repository, which could be time-consuming. With this feature, you can now grant Dependabot access to all internal repositories in your organization with just a few clicks.
Grant Dependabot access to repositories at scale
- For internal and public repositories: GitHub Advanced Security customers can enable Dependabot access permanently at the organization level. Once enabled, all current and future internal repositories will automatically have Dependabot access.
- For all repository types (including private): Use our improved checkbox UI to grant Dependabot point-in-time access across your entire repository portfolio. This provides a convenient way to enable access for existing repositories without the automatic enablement for future repos.
Be aware that the checkbox UI provides point-in-time access and won’t automatically enable Dependabot for future repositories. For ongoing automatic enablement for internal repositories, use the internal repository setting described above.
API support
For organizations that prefer programmatic management, we’ve also introduced new API endpoints that allow you to:
- Retrieve the current list of repositories with Dependabot access.
- Programmatically modify repository access permissions.
These endpoints provide the same functionality and require the same permissions as the UI improvements, enabling both manual and automated approaches to managing Dependabot access at scale.
Security considerations
For security reasons, permanent organization-level enablement is only available for internal repositories. Private repositories can be enabled through the point-in-time checkbox interface, which requires explicit selection and doesn’t automatically apply to future private repositories.
Get started
This improvement is available today for GitHub Advanced Security customers on cloud deployments and will come to enterprise server in GHES 3.19.
To enable Dependabot for all internal repositories in your organization:
- Navigate to your organization’s “Settings” page.
- Select the Advanced Security dropdown in the “Security” section and select Global Settings.
- Scroll to the end of the page to the “Grant Dependabot access to repositories” section.
- Select the repositories you’d like to use for updates with Dependabot.
Learn more
- Public, private, and internal repository types
- Granting Dependabot access to private and internal repositories
- Managing Dependabot in your organization
- About Dependabot security updates
Have feedback about this feature? We’d love to hear from you in GitHub Community Discussions.