Dependabot for GitHub Enterprise

According to, Dependabot is now “GitHub-native”.

Will Dependabot be made available for self-hosted GitHub Enterprise?

You can see that this is a popular request from the reactions and comments on


Hi @bgrainger,

Thank you for being here! While we aim to keep and GitHub Enterprise Server as close to feature parity as possible, due to our release process and requirements of certain product features, sometimes porting features over to GitHub Enterprise Server presents significant challenges. That said, we know customers are very interested in this feature, and so it’s likely that you’ll see security scanning in GitHub Enterprise Server at some point. While I cannot provide a timeline for this, we’ll be sure to document it in the Release notes.

In case it’s helpful, vulnerability alerts are currently available in GitHub Enterprise Server.



With actions in beta on GHES, what are the plans now? Is this going to be a part of the security scanning option (which is great, though prohibitively expensive for most) or is it going to be separate? I have used dependabot-core to kind of get something that works, but it’s just a github action, so it doesn’t have the “bot” part of dependabot. This was a highly anticipated feature for my team and I, so I am looking forward to this coming to GHES soon.

Thanks for the ping @KaiSforza! Dependabot updates are coming to GHES! Here’s the roadmap items:

It will be available as part of the base GHES license - no Advanced Security license required.